14 Password Policy Best Practices

Password policies have been around for a long time in business, but when was the last time you reviewed yours? Is it still fit for purpose? The online threat environment is ever-changing and it may well be that your password policy, and overall password vigilence, has never been so important to your business.

So here is our round up the 14 password policy best practices for your business.

Click on the link below for information for how you can protect yourself and your Business from Phishing and Ransomware Attacks with Ative Email Threat Protection. Or alternativly ask us for more information.

Use Two-Factor Authentication

Two-factor authentication (2FA) helps keep accounts and data safe from hackers by checking by two different methods that you are who you say you are.

This highly effective safety precaution measure requires you to input a PIN that gets sent to you via an email, SMS or app. Consequently, two-factor authentication protects from stolen passwords and prevents an external person from accessing systems and accounts.

Mainstream providers are increasingly moving to using 2FA by default, and many offer the option. Why not enquire with all your cloud service providers as to the availibiity of two-factor authentication for accessing their platforms?

Refrain from Using Dictionary Words

Sophisticated hackers have programs that search through tens of thousands of dictionary words as part of their password guessing attempts. To help prevent your business from being the victim of a dictionary attack program by avoiding using dictionary words. Instead opt for random passwords.

Don’t Make Passwords Too Long, or…

If you’re in the position where you need to commit your passwords to memory, then long passwords can leave you in the frustrating situation of continually forgetting your password and getting locked out of your account.

Passwords that creep up to over ten characters can be painfully difficult to remember, so around 8 – 12 characters are considered optimum for password safety.

Unless, of course, you….

Use a Password Manager

More and more businesses and professionals are using password managers like Lastpass or Zoho Vault as a means of practicing high levels of security and keeping passwords organised.

With password managers, you only need remember one password, as the password manager stores and even create passwords for your different accounts, automatically signing you in when you log on.

If possible use these apps to generate and automatically save passwords. You can even use Lastpass autofill on iOS devices so your saved passwords are available whereever you are and you don’t have to type long complicated passwords on your iOS device.

Use Different Passwords for Different Accounts

It can be tempting to use the same password for every account, so we don’t forget our passwords.

However, this not only makes it easier for hackers to break into your accounts, it also means if they manage to crack one, they have access to all your accounts – bad times!

Diversify your passwords by using a different password for every account. It is especially important that you do not re-use your password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.

Not only this, but as your email address is frequently used to reset your account passwords, if they gain access to your email account they can potentially lock you out of all your other accounts by changing the passwords.

Secure Your Mobile Phone

With the growing use of mobile phones to conduct business, shop and more, mobile devices are becoming a major cause of concern in the security community. Help protect your phone and other mobile devices from hackers by securing your phone with a strong password. Or, better still, use fingerprint or facial recognition passwords to help outwit hackers.

For business users Mobile Device Management (MDM) offers a means to centrally control the security of devices by applying password policies, prompting regular password changes, locking devices to a specific location, or even wiping the device if it gets lost or stolen.

Change Passwords Regularly

It can also be tempting to keep the same old passwords for years, so you don’t end up forgetting it. However, changing passwords regularly is a good password practice to instil in your business’s security agenda to help outwit hackers.

In most cases your IT team should be able to apply policies centrally that ensure that passwords are regularly updated.

Change Passwords When an Employer Leaves Your Business

Sadly, it is not uncommon for former, disgruntled employees to become your business’s worse enemy.

Don’t let angry former employees hack into your business accounts and wreak havoc by making it common practice to change passwords when an employee leaves the company.

And that means immediately after they have left the building! People don’t have to wait until they get home to start accessing old work account any more.

Ensure your HR and IT teams are empowered to take action quickly once an employee leaves, and to document what action they have taken (as this may also overlap with your GDPR obligations).

Remember to Log Out

Avoid having vital company security information plastered across the internet, making it easy for hackers to steal, by signing out of accounts when you’re not using them.This can be done manually, or it may be possible in the settings to define how long an account will stay logged in for once inactive.

Also, remove any permissions of applications when you have finished with them, such as apps or APIs you have integrated with from that account.

Don’t Write Down Passwords

It can be such a temptation to write down passwords, even temporarily, either in an online document or scrap of paper. But as horrible as it is to contemmplate, data breaches don’t just come from external hacks, they can come from within as well.

If you’re not confident of remembering passwords, or have run out of ideas for generating your own, then using a secure password manager like Lastpass will make your life a whole lot easier, and more secure!

Be Vigilant About Safety

No matter how strong your passwords are and meticulous about safety you are, passwords won’t be safe if a hacker’s spy program is monitoring what you enter on your keyboard. Make life as difficult as possible for cyber criminals by using an up-to-date virus scanner and making regular updates to your devices.

For businesses ensuring devices are fully patched, up-toi-date and secure should be managed centrally, often through a managed service contract. Here at One2Call we offer a fully managed service called Total Care IT which includes a package of security software and central patch management on a simple and flexible per device, per month basis.