Password management best practice
The Facebook and Cambridge Analytica scandal, in which the data of up to 87 million accounts was harvested without consent, has made data privacy and cyber security headline news around the world. For users affected by any breach, a sensible first step towards securing their personal information is to change their passwords immediately.
For a business, secure password management and password best practice is essential. Passwords can protect your website, software programs and business networks. Passwords keep your business safe from unauthorised entry by ex-employees, curious intruders and, of course, hackers.
So how often should you change passwords? Should you always use a different password for every system and site? How complicated do passwords need to be? Should you use a password manager? And how important is multi-factor authentication?
We offer some tips for ensuring password management best practice in your business.
Define A Policy
Defining your password policy is a great place to start. A password policy is the set of rules covering how the combinations of words, numbers and/or symbols that grant access to an otherwise restricted system are constructed, stored and used.
Viruses are still common in 2018. Up-to-date anti-virus software and firewalls to block unwanted access are essential. It may sound simple, but make sure your workplace Wi-Fi network is secure, and that the router's administrative password has been changed from the manufacturer's default, which attackers can look up in seconds. Adhering to these key elements of best practice can help secure your business in the long run.
Don’t Make It Personal
When it comes to passwords, the more random the better. Do not use your name or date of birth. Names, birthdays and other details an attacker can find on social media are the first guesses in a targeted attack, and they also appear in the word lists used for automated guessing.
The 8 + 4 Rule is a popular baseline for a password policy. It states that passwords should be constructed as follows:
- 8 = 8 characters minimum length
- 4 = 1 lower case + 1 upper case + 1 number + 1 special character.
Treat the 8 as a floor rather than a target: added length strengthens a password far more than mixing character classes does, so a policy should allow, and encourage, much longer passwords and passphrases. It should also reject passwords that appear in lists of commonly used or previously breached passwords, because a short password that meets all four class rules (Password1! is the classic case) is still among the first an attacker will try.
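The following policy check is an added example, not code from the original article. It implements the 8 + 4 rule above, the advice against personal details, and a check against a common-password list. The list of common passwords and the personal details passed in are constructed for the example; a real deployment would check against a large breached-password corpus.

```python
import re

# Constructed for this example: a handful of passwords that top every breach list.
# In production, check against a large breached-password corpus instead.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# One regex per character class required by the 8 + 4 rule.
CHARACTER_CLASSES = {
    "lower case letter": r"[a-z]",
    "upper case letter": r"[A-Z]",
    "digit": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def check_password(password, personal_terms=(), min_length=8):
    """Return a list of policy failures; an empty list means the password passes.

    personal_terms are strings the user should never embed in a password
    (name, birth year, date of birth in the formats they are likely to type).
    """
    failures = []

    # 8: minimum length.
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")

    # 4: at least one character from each class.
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            failures.append(f"no {name}")

    lowered = password.lower()

    # Reject known-common passwords regardless of how many classes they cover.
    if lowered in COMMON_PASSWORDS:
        failures.append("appears in common-password list")

    # Reject personal details embedded anywhere in the password (case-insensitive).
    # Terms shorter than 3 characters are skipped to avoid trivial matches.
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            failures.append(f"contains personal detail {term!r}")

    return failures


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["Tr0ub4dor&3", "Ab1!", "Password1", "alice1985!"]:
        print(candidate, "->", check_password(candidate, personal_terms=["Alice", "1985"]))
```

Note that "Password1" satisfies three of the four class rules and would pass many naive 8 + 4 checkers if the special character were added; the common-password check is what actually stops it.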
Use Different Passwords for Different Accounts
Using the same easy-to-type password on every website and service means that a breach of any one of them hands the attacker all of the others: leaked username and password lists are routinely replayed against other sites, a technique known as credential stuffing. Make sure every account has a different and unique password.
Use A Password Manager
As we mentioned in a previous blog, it's a good idea to use a password manager. Although employees might find it convenient, you should discourage them from keeping passwords in spreadsheets, documents, emails or notes apps, where they sit in plain text. Remembering lots of unique passwords without storing them anywhere or writing them down is practically impossible, so a safe place to store them is needed.
A password manager is a piece of software that helps you generate long, random passwords, then stores all of them in an encrypted vault. Reputable cloud-based password managers encrypt the vault on your device with a key derived from your master password, so the provider holds only ciphertext; choose one that works this way, and protect the master password with multi-factor authentication. We suggested several in the last password manager blog.
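To show why a manager-generated password is so much stronger than one a person chooses to fit the 8 + 4 rule, here is an added example, not code from the original article or from any password manager product. It generates a random password that covers all four character classes and computes the entropy of a uniformly random password over the same alphabet. The symbol set is chosen for the example.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"  # symbol set chosen for this example (24 symbols)
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL  # 86 characters


def generate_password(length=20):
    """Generate a random password that contains at least one character of each class.

    Uses the secrets module (the OS CSPRNG); random.random() is never acceptable
    for credentials because its output is predictable.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to cover all four classes")
    # One guaranteed character per class, then fill the rest from the whole alphabet.
    chars = [secrets.choice(LOWER), secrets.choice(UPPER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Fisher-Yates shuffle with the CSPRNG so the guaranteed characters are not
    # always in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def class_coverage(password):
    """Return the set of character classes present in the password."""
    found = set()
    for c in password:
        if c in LOWER:
            found.add("lower")
        elif c in UPPER:
            found.add("upper")
        elif c in DIGITS:
            found.add("digit")
        else:
            found.add("special")
    return found


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password of the given length.

    This is an upper bound for a human-chosen password of the same length, and a
    close approximation for the generator above (forcing one character per class
    removes a small fraction of the space).
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (8, 12, 20):
        print(f"{n} chars: {generate_password(n)}  (~{entropy_bits(n):.0f} bits)")
```

An 8-character password over this alphabet has roughly 51 bits of entropy even when chosen perfectly at random; a 20-character one has about 128 bits, far beyond what offline guessing can exhaust. Since nobody can memorise dozens of 20-character random strings, the manager is what makes the stronger setting usable.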
Don't Force Frequent Changes
After decades of conventional wisdom recommending that passwords constantly change, some organisations are abolishing password expirations altogether. This change in policy is often accompanied by the deployment of multi-factor authentication systems, which further increase security.
Regardless of other security measures, evidence suggests that security may not be improved much by requiring frequent password changes. Users asked to rotate a password tend to make a small, predictable change to the old one, which an attacker who holds the old password can guess quickly. Computer scientists at Carleton University in Canada studied password expiration policies and concluded that the security advantage is "relatively minor at best and questionable in light of relative costs." Change a password when there is reason to believe it has been exposed, not on a calendar.
Add Other Barriers
Instead of changing your password frequently, add an extra layer of security using Multi Factor Authentication. With multi-factor authentication (MFA) or two-factor authentication, a user is required to provide not only a password to gain access to a system but also another security factor, such as a unique one-time access code generated by a token device or a secure mobile app on their smartphone. With MFA in place, a stolen or guessed password alone is no longer enough to log in, which defeats credential stuffing and most password phishing outright. It is a major barrier rather than an impenetrable one: one-time codes can still be phished in real time and users can be pressured into approving push prompts, so staff awareness remains part of the defence.
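The one-time code described above is usually a TOTP (RFC 6238), the algorithm behind most authenticator apps. The code below is an added example, not from the original article or from any particular product, and uses only the Python standard library. The shared secret is the RFC 6238 test-vector secret, so the outputs can be checked against the RFC; a real deployment generates a fresh random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret, submitted, now=None, step=30, digits=6, window=1):
    """Verify a submitted code, accepting the current step and `window` steps either
    side to tolerate clock skew between the phone and the server.

    hmac.compare_digest is used so the comparison itself leaks no timing information.
    A production server must additionally record the last accepted counter per user
    and refuse to accept the same code twice within the window.
    """
    if now is None:
        now = time.time()
    counter = int(now) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


def secret_from_base32(b32):
    """Authenticator apps receive the shared secret as base32 (inside the otpauth:// QR
    code). Pad to a multiple of 8 characters since many apps drop the '=' padding."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (the ASCII digits 1..0 twice).
    secret = b"12345678901234567890"
    print("code at t=59:", totp(secret, 59))          # RFC vector ends ...287082
    print("live code:", totp(secret))
```

The window parameter is the practical trade-off: without it, a phone clock a few seconds slow makes every login fail; with a window of more than one step, the attacker's chance of guessing a valid six-digit code rises accordingly, so keep it small and rate-limit attempts.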