Your organization’s security and confidentiality depend heavily on your employees’ password choices. A strong password policy can be the difference between an uneventful day and a data breach that costs you thousands or even millions of dollars.
Many managers and businesses don’t even consider the mental load of juggling multiple passwords at work. A 2020 survey revealed that the average computer user has over 100 password-protected accounts. With so many passwords to keep track of, it’s no wonder that individuals fall into poor password hygiene habits.
And it just takes one bad password to put your company at risk. Studies show that around 80% of known data breaches are caused by cybercriminals guessing, stealing, or cracking user credentials.
While many people are aware of the risks of insecure passwords, they don’t know how to create a solid password policy. By following the best practices below to help you make better decisions about your company’s password policies, you can effectively protect your most valuable asset: your data.
1. Establish a Password Policy
The first step to improving the data security of your organization is to define a robust password policy. Many companies have password policies that are too weak or don’t have one at all, making their data unnecessarily vulnerable.
Choosing a password policy depends on the needs of your company and its employees’ password profiles. For example, if your organization allows remote access to its network, a more secure login procedure may be necessary than if logins are permitted only on the internal network.
Likewise, if your organization deals with sensitive customer data and you have regulatory compliance to meet, it’s important to ensure that your password policy covers all necessary requirements.
The longer or stronger a password is, the harder it will be to crack. However, it’s important to balance length and complexity with password memorability. Longer passwords are harder to remember, which often leads employees to write them down — a practice that can make it easier for cybercriminals to discover them.
Proper password management requires that your password policy have password length, complexity requirements, password history and password expiration policies.
It’s equally important that your employees understand why the policy is in place and what the consequences may be if they don’t follow it.
Here are some password best practices to keep in mind when developing your policy:
- Modern password best practices now favour using long passphrases (four or more randomly chosen words) that don’t require special characters and don’t expire. You can learn more about passphrase security here.
- Don’t let users reuse old passwords. This includes minimally changing an old password by replacing a character or two.
- Prohibit users from using the same password across multiple accounts, especially sharing passwords between work and home accounts.
- Passwords should be sufficient in length — a minimum of 12 characters is a good rule of thumb.
- Avoid using identifiable information in passwords such as dates of birth, names, sports teams, or phone numbers.
- Avoid using sequences in passwords such as 1234 or abcde.
2. Invest in a Password Management Tool
Once you have decided what password policy is best for your organization, it is time to implement it. Password management tools can help you enforce password policies without having to manually review every password change request or impose a password expiration policy that might cause users undue stress.
The password management tool should also be able to provide reports about password use and automatically detect password reuse or password management problems, giving you the ability to take corrective action prior to password exposure.
Password management tools also allow uses to remember one master password instead of multiple passwords for each account they need to log in to.
3. Use Multifactor Authentication
Multifactor authentication adds an extra layer of security to the login process. It requires users to prove their identity by providing multiple pieces of information.
This means that even if an unauthorized person is able to gain access to user credentials, they still won’t be able to log in unless they can also provide the additional information.
A secure method of multifactor authentication is by sending a token to the user’s phone such as a code generated through an app that is protected by biometric data.
4. Use a Password List to Block Weak Passwords
The strength of your password policy will only be as strong as the weakest password. Password lists are a great way to block weak passwords from being created and help users create stronger, more complex passwords.
Password lists are physical or digital documents that contain a list of words, phrases and numbers that are commonly used to create memorable but insecure passwords.
Checking new passwords against the words in these lists reduces the risk of an attacker using a dictionary attack against your password policy because they won’t be able to use pre-determined weak passwords. You can use Azure Directory Password Protection to eliminate bad passwords. You can use a pre-defined global list from Microsoft or a custom list depending on your organization’s needs.
5. Prohibit Login Sharing
Password sharing among co-workers has the potential to expose password credentials, wreak havoc on password policies and compromise password management controls.
To address this issue, it is necessary to prohibit users from sharing their login credentials with anyone else. Disclosing passwords also increases the risk of a data breach because if an unauthorized person gains access to such knowledge, then they can log in as other employees.
6. Educate Employees About Password Safety
It’s important for employees to understand that passwords are powerful, can be easily guessed or compromised by an attacker, and can have significant consequences if leaked.
Employees should also know that sharing their passwords isn’t just a breach of security protocol but is against company policy.
Ensure that all employees at every level are educated on your password policies, understand the risks and consequences of sharing their credentials and have been given training on how to establish strong passwords that are unique for each account.
Password policies aren’t just guidelines; they’re fundamental business controls that need to be enforced by your organization’s password management tool or through an additional layer of security like multifactor authentication.
Follow these best practices to strengthen your organization’s password policies and ensure that your company data is as safe as possible from security threats and data breaches.