Strong passwords are the first line of defense in protecting your business data and customer information. But many companies have weak or non-existent password policies, putting them at a heightened risk for data hacking.
Cyber attacks are becoming more common every day. The number of significant breaches at US businesses, government agencies and other organizations topped 3,813 in 2019, exposing over 4.1 billion records. Reported breaches increased by 54% compared to mid-year 2018.
Every employee has a role to play in protecting their company’s sensitive data – and that means abiding by a stringent password policy. Here are our top password policy best practices and tools you can implement today.
While most business owners would agree that data security is a top priority, many don’t take the time to implement the measures that would have the most significant impact in ensuring security.
Lax password security is a major problem in many businesses. Individuals often use the same password for their personal and business accounts, or choose a password that’s easy to crack. Ironically, one of the most effective ways to prevent data theft and cyber attacks is one of the simplest: creating and maintaining strong passwords.
Don’t think you’re in danger of a breach? Even low-risk points of access can have a massive impact on your business if they fall into the wrong hands. For example, your entire customer database could be deleted or shared on the internet. Hackers could place false orders to steal inventory or your customers’ credit card numbers.
An effective password policy is a set of rules that govern password creation and prevent sensitive data from being stolen. Be clear on which systems the policies apply to and document how the plan will be practiced and enforced.
Here are twelve password policy best practices to follow:
Do not use the same password for every site, application and service. If one site is compromised, it could affect the rest of your business. Maintaining a history of at least ten previous passwords discourages users from password repetition.
Users should change passwords periodically to help ensure network security. Require password changes every 30, 60 or 90 days depending upon your security needs.
Setting a minimum password age prevents users from entering a new password and then immediately changing it back to their old one. Consider setting the minimum password age to three to seven days.
Systems should not allow users to remain logged in indefinitely or have “remember me” features. Implement timed logouts and require passwords at the start of each new session.
Sending email notifications before password expiration notifies users when it’s time to change their passwords.
Note to administrators: the default minimum password length is often set to zero, which means users can set a blank password and bypass passwords altogether. Check to make sure you have set a minimum password length.
A passphrase can contain symbols, numbers, sentences and punctuation to create longer, more complex safeguards. Consider allowing a 64-character length to accommodate passphrases.
Authentication is a process that verifies a user’s identity before granting access. There are several common ways a user can prove their identity:
Two-factor authentication, or 2FA, utilizes two of these factors to verify the user’s identity.
Multi-factor authentication, or MFA, involves two or three of these factors.
Four-factor identification, or 4FA, is a newer form of authentication using all four factors for higher security requirements.
Do your employees or associates share their login credentials? Even in small organizations, logging into another user’s account creates serious security concerns. Requiring that each person use their unique login — and only their unique login — helps track issues and alleviates chaos.
It’s challenging to create very strong passwords containing letters, numbers and special characters on the fly. Password generators create unique, randomly generated passwords easily.
Many people use the same passwords for every site and account, which increases your hacking risk. If users log into several systems, require using separate passwords for each one.
Since complex passwords are almost impossible to remember, using a password manager is highly recommended. Make sure your systems allow paste functionality so that users can use password managers successfully.
Your local administrator password should be reset every 180 days for optimal security. Service account passwords should be reset at least once a year during maintenance.
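As an added example (not code from this article or from Helixstorm), the Python below turns the lifecycle rules above into a single password-change check: a history of ten previous passwords, a three-day minimum age, a 64-character maximum to allow passphrases, the expiry reminder, and the 90/180/365-day maximum ages for user, local administrator and service accounts. The 12-character minimum length and the seven-day reminder window are assumptions, since the article only says to set a minimum and to notify before expiry.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Maximum password age per account type, in days, as stated in the article.
MAX_AGE_DAYS = {"user": 90, "local_admin": 180, "service": 365}
MIN_AGE_DAYS = 3        # lower end of the article's three-to-seven-day range
HISTORY_DEPTH = 10      # remember at least ten previous passwords
MIN_LENGTH = 12         # assumption: the article only says to set a minimum
MAX_LENGTH = 64         # accept 64-character passphrases
WARN_BEFORE_DAYS = 7    # assumption: reminder email a week before expiry


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    kind: str                       # "user", "local_admin" or "service"
    changed_at: datetime            # when the current password was set
    # One salt per account so a candidate is hashed once and compared to all history.
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # hashes of past passwords

    def days_until_expiry(self, now: datetime) -> int:
        return (self.changed_at + timedelta(days=MAX_AGE_DAYS[self.kind]) - now).days

    def needs_reminder(self, now: datetime) -> bool:
        return 0 <= self.days_until_expiry(now) <= WARN_BEFORE_DAYS

    def violations(self, new_password: str, now: datetime) -> list:
        """Return every rule the proposed change breaks (empty means accepted)."""
        problems = []
        if now - self.changed_at < timedelta(days=MIN_AGE_DAYS):
            problems.append(f"minimum age: changed less than {MIN_AGE_DAYS} days ago")
        if len(new_password) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if len(new_password) > MAX_LENGTH:
            problems.append(f"longer than {MAX_LENGTH} characters")
        candidate = _hash(new_password, self.salt)
        if any(hmac.compare_digest(candidate, old) for old in self.history):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        return problems

    def commit(self, new_password: str, now: datetime) -> None:
        """Record an accepted change, keeping only the ten most recent hashes."""
        self.history = (self.history + [_hash(new_password, self.salt)])[-HISTORY_DEPTH:]
        self.changed_at = now
```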
There are three kinds of tools you can use to create, store and test your passwords: password generators, password managers and password strength testers.
The following password generators allow your users to create strong passwords easily. Each will enable you to determine your desired password length and character options and features a convenient copy button.
Password managers can assist you in generating and retrieving complex passwords by storing them in encrypted databases.
Here are some of the top password managers currently available:
Do you have a password you want to use but are unsure of its strength? Password strength testers enable you to determine whether your password sufficiently passes the guidelines listed above.
ENFORCE YOUR PASSWORD POLICY WITH HELIXSTORM
Hackers look for any opportunity to steal sensitive information. It’s vital to put password policies in place to protect your business and your employees from cyber attacks.
Your password policy should be a standalone document laying out its purpose, scope, roles and responsibilities. If you need help creating or enforcing an effective password policy, Helixstorm can help. Helixstorm is a managed service provider that can solve your immediate headaches while building your technology future.
Have more questions on password management or security? Contact us today.