Passwords are your first line of defense against a world of painful experiences ranging from data theft to ransomware. Unfortunately, most individuals and even IT professionals are guilty of committing several common “password sins” that can actually compromise the security of their and even their company’s information.
Consider the following statistics from the 2019 State of Password and Authentication Security Behaviors Report:
- 81% of all hacking-related data breaches involved stolen or weak passwords.
- 69% of IT professionals share their passwords with colleagues to access accounts.
- 51% of IT professionals reuse passwords across businesses and personal accounts.
- 57% of IT professionals who have experienced phishing attacks have not changed their password management behavior.
- 67% of IT professionals do not use any form of two-factor authentication in their personal use, and 55% do not use it at work.
- 57% of IT professionals expressed a preference for a login method that does not involve passwords.
What are password policies?
A password policy is an established set of rules that have been created to increase password security by encouraging strong, secure passwords that are properly stored and utilized. Password policies help protect your IT infrastructure from intrusion and your data from those who would like to steal it.
Seven Principles of Effective and Secure Password Management
- Create a long and strong passphrase.
To make it more difficult for hackers to crack into your system, consider generating strong passwords. A strong password is considered to be a password over eight characters in length and consisting of a mixture of uppercase and lowercase letters, numbers, and symbols.
- Apply password encryption.
Encryption enables your passwords with additional protection that is uncrackable, even if your passwords are stolen by cybercriminals. The most recommended practice is to utilize non-reversible end-to-end encryption. This allows you to protect your passwords even while they are in transit over the network.
- Implement two-factor authentication.
Two-factor authentication, also known as 2FA, has quickly become the standard in managing organizational resources for both business and personal use. Not only do users input traditional credentials such as their username and password to access their applications, but they also confirm their identity with a one-time code that is sent to their mobile device – usually via email or text message. A personalized USB token can also be used in two-factor authentication. This allows an extra step for hackers to gain access and is usually information inaccessible to them.
- Add advanced authentication methods.
Apply non-password-based methods such as voice, facial recognition or thumbprint recognition. These methods add increasing difficulty for hackers to gain access into your system.
- Use different passwords for every account.
Using the same password across the board sets both you and your business up for multiple security breaches. How does it work to the bad guys’ advantage? If one account is breached, other accounts with the same credentials are also highly susceptible to being compromised.
- Avoid the recycling of passwords
Periodically changing passwords, such as every ninety or one-hundred eighty days, has been a widely enforced practice in password security. More recent advice from the US National Institute of Standards and Technology (NIST), however, strongly suggests not to use a mandatory policy of password changes for personal use. (Keep in mind that this advice does not apply to privileged credentials, however.) A primary reason for this suggestion is because most users tend to simply recycle previously used passwords. While strategies can be implemented to avoid password reuse, creative users will find ways around those strategies. Frequent password changes also cause users to write down their passwords in order to remember them, which is NOT a recommended practice. For these reasons, NIST recommends only changing passwords in the event of potential threat or compromise.
- Use password managers.
Password managers store and even create passwords for your various accounts and automatically sign you in as you log on, freeing you to only need to remember one password. As long as you choose a strong and unique but easy-to-remember master password, you have achieved a near-perfect way of protecting your access credentials from unauthorized users.
Organizations should carefully and thoroughly examine their password security policies and password management as both stolen and weak passwords continue to be the most common reasons for breaches in data. With these best practices, you can create an efficient password security policy and provide your business with stronger protection against unauthorized users.
Want some help setting up your password policies or implementing an enterprise-level password management solution? The team is here to help. Give us a call or send an email to begin a no-obligation conversation.