One2Call Blog

14 Password Policy Best Practices for 2020.

Nov 4, 2019 8:45:00 AM / by Danny Kirkby

Password policies have been around for a long time in business, but when was the last time you reviewed yours? Is it still fit for purpose? The online threat environment is ever-changing, and it may well be that your password policy, and overall password vigilance, has never been so important to your business.

So here is our round-up of the 14 password policy best practices for your business in 2020.


Start With A Strong Password

This might sound pretty obvious, but recent research shows that ludicrously simple passwords are still in common usage.

Put simply, strong passwords make a hacker's job much harder. Attackers often simply set powerful computers to guessing your password, so the simpler the password, the easier this is.

Strong passwords are considered to be over 8 characters in length and to comprise letters, numbers and symbols, with letters in both uppercase and lowercase.

Avoid Bunching Numbers and Symbols Together

One good password practice that often goes overlooked is to spread numbers and symbols throughout the password instead of bunching them together, as bunching makes the password easier to crack.

Steer Clear from Obvious or Personal Information

Unbelievably, the most widely-used password on hacked accounts last year was 123456.

Even if you think you're just setting something up temporarily, using such super-simple passwords is just playing into the hackers' hands.

Perhaps a bit less obvious is the risk from using personal information, like your date of birth or child's name, in your password. This may make it easier to remember, but such data is also vulnerable to being 'scraped' via fake online forms and other ruses, and could give anyone seeking to guess your password a head start.

Use Two-Factor Authentication

Two-factor authentication (2FA) helps keep accounts and data safe from hackers by checking, via two different methods, that you are who you say you are.

This highly effective security measure requires you to input a PIN that is sent to you via email, SMS or an app. Consequently, two-factor authentication protects against stolen passwords and prevents an outsider from accessing systems and accounts.

Mainstream providers are increasingly moving to using 2FA by default, and many offer it as an option. Why not enquire with all your cloud service providers as to the availability of two-factor authentication for accessing their platforms?
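The app-based variant of the PIN described above is usually a time-based one-time password (TOTP, RFC 6238): the app and the server share a secret, and each 30-second window yields a fresh six-digit code. The following is an added illustration, not code from One2Call or from any provider, of how such a code is generated and how a server checks it while allowing a little clock drift and refusing a code that has already been used. The demo secret is the RFC test key and is constructed for the example only.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time window."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def base32_secret(secret):
    """The form in which the shared secret is normally handed to an authenticator app."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server-side check: tolerates a small clock-drift window, rejects replayed codes."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1        # highest counter already accepted for this user

    def verify(self, code, for_time=None):
        if for_time is None:
            for_time = time.time()
        counter = int(for_time // self.step)
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue              # a code from this window was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key), not a real credential.
    demo_secret = b"12345678901234567890"
    print("secret for the authenticator app:", base32_secret(demo_secret))
    print("code for the current window:", totp(demo_secret))
```

The `last_counter` bookkeeping is what stops a code that was phished or shoulder-surfed from being replayed within the same window; the `window` of one step either side is the usual compromise between strictness and users whose phone clock is a few seconds out.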


Refrain from Using Dictionary Words

Sophisticated hackers have programs that search through tens of thousands of dictionary words as part of their password guessing attempts. Help prevent your business from falling victim to a dictionary attack by avoiding dictionary words. Instead, opt for random passwords.
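The rules from the last four sections (length and character classes, no bunched digits and symbols, no common or personal values, no dictionary words) can be enforced automatically when a password is set. The following checker is an added example written for this article, not One2Call's own tooling; its common-password and dictionary lists are tiny constructed samples, the 9-character minimum reflects "over 8 characters", and the personal details used in the demo are made up.

```python
import string

# Constructed sample lists for this example. A real policy check would load a
# full dictionary and a list of known-breached passwords instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111"}
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey", "football"}
MIN_LENGTH = 9          # "over 8 characters"
MAX_RUN = 2             # longest permitted run of adjacent digits/symbols


def missing_classes(pw):
    """Character classes the policy requires that the password lacks."""
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    return [name for name, present in classes.items() if not present]


def longest_non_letter_run(pw):
    """Length of the longest run of adjacent digits/symbols (the 'bunching' problem)."""
    longest = run = 0
    for c in pw:
        run = run + 1 if not c.isalpha() else 0
        longest = max(longest, run)
    return longest


def personal_tokens(personal):
    """Lower-cased fragments (words and digit groups) derived from personal data."""
    tokens = set()
    for item in personal:
        item = item.lower()
        if len(item) >= 3:
            tokens.add(item)
        digits = "".join(c for c in item if c.isdigit())
        if len(digits) >= 4:
            tokens.add(digits)          # e.g. "1990-04-05" -> "19900405"
            tokens.add(digits[:4])      # the year on its own
    return tokens


def check_password(pw, personal=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = missing_classes(pw)
    if missing:
        problems.append("missing " + ", ".join(missing))
    if low in COMMON_PASSWORDS:
        problems.append("on the common-passwords list")
    if longest_non_letter_run(pw) > MAX_RUN:
        problems.append("digits/symbols bunched together")
    if any(word in low for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(token in low for token in personal_tokens(personal)):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    me = ["Alice", "1990-04-05", "Rover"]      # constructed personal details
    for candidate in ["123456", "Summer2019!!", "Rover1990!", "g7#Kp2x!Qm4r"]:
        print(candidate, "->", check_password(candidate, me) or "OK")
```

Returning the full list of violations rather than a bare yes/no lets the sign-up form tell the user exactly which rule they broke, which is what keeps people from giving up and choosing something weaker.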

Don’t Make Passwords Too Long, or...

If you're in the position where you need to commit your passwords to memory, then long passwords can leave you in the frustrating situation of continually forgetting your password and getting locked out of your account.

Passwords that creep up to over ten characters can be painfully difficult to remember, so around 8 – 12 characters are considered optimum for password safety.

Unless, of course, you....

Use a Password Manager

More and more businesses and professionals are using password managers like Lastpass or Zoho Vault as a means of practicing high levels of security and keeping passwords organised.

With password managers, you only need to remember one password, as the password manager stores, and can even create, passwords for your different accounts, automatically signing you in when you log on.

If possible, use these apps to generate and automatically save passwords. You can even use Lastpass autofill on iOS devices so your saved passwords are available wherever you are and you don't have to type long, complicated passwords on your iOS device.
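What a password manager's generator does under the hood is simple: draw every character from a cryptographically secure random source, guarantee each character class appears, and let the length do the work, since each extra random character multiplies the guessing effort. The block below is an added example, not Lastpass or Zoho Vault code, showing such a generator alongside the entropy arithmetic that explains why a 16-character random password is out of reach of guessing, and a word-based passphrase as the memorable alternative for the one master password you still have to remember. The symbol set and the 16-word demo list are constructed for the example; a real passphrase generator would use a published list such as the 7776-word Diceware list.

```python
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_~"                 # constructed symbol set for this example
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}
ALPHABET = "".join(CLASSES.values())        # 76 characters

# Constructed 16-word list for the demo only.
WORDLIST = ["apple", "bridge", "candle", "dolphin", "ember", "forest", "garden",
            "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
            "orbit", "pebble"]


def entropy_bits(pool_size, picks):
    """Bits of entropy in `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def generate_password(length=16):
    """Random password with at least one character of every class, CSPRNG-shuffled."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character of each class")
    chars = [secrets.choice(pool) for pool in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by `secrets`, so class positions are unpredictable
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generate_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """Memorable alternative for a master password: independently chosen words."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def has_every_class(pw):
    """True if the password contains at least one character from each class."""
    return all(any(c in pool for c in pw) for pool in CLASSES.values())


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"~{entropy_bits(len(ALPHABET), 16):.0f} bits")
    print(generate_passphrase(), f"~{entropy_bits(len(WORDLIST), 5):.0f} bits (tiny demo list)")
    print(f"5 Diceware words: ~{entropy_bits(7776, 5):.0f} bits")
```

`entropy_bits` treats every position as an independent uniform draw, so for `generate_password` it is a slight over-estimate (forcing one character of each class removes a little randomness); the point it makes still holds, and the Diceware figure shows why five common words from a large list are stronger than most hand-made passwords while remaining memorable.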

Use Different Passwords for Different Accounts

It can be tempting to use the same password for every account, so we don’t forget our passwords.

However, this not only makes it easier for hackers to break into your accounts, it also means if they manage to crack one, they have access to all your accounts - bad times!

Diversify your passwords by using a different password for every account. It is especially important that you do not re-use the password you've picked for your email account at any online site: if you do, and an e-commerce site you are registered at gets hacked, there's a good chance someone will be reading your e-mail soon.

Not only this, but as your email address is frequently used to reset your account passwords, if they gain access to your email account they can potentially lock you out of all your other accounts by changing the passwords.


Secure Your Mobile Phone

With the growing use of mobile phones to conduct business, shop and more, mobile devices are becoming a major cause of concern in the security community. Help protect your phone and other mobile devices from hackers by securing your phone with a strong password. Or, better still, use fingerprint or facial recognition passwords to help outwit hackers.

For business users Mobile Device Management (MDM) offers a means to centrally control the security of devices by applying password policies, prompting regular password changes, locking devices to a specific location, or even wiping the device if it gets lost or stolen.

Change Passwords Regularly

It can also be tempting to keep the same old passwords for years, so you don't end up forgetting them. However, changing passwords regularly is a good password practice to instil in your business's security agenda to help outwit hackers.

In most cases your IT team should be able to apply policies centrally that ensure that passwords are regularly updated.

Change Passwords When an Employee Leaves Your Business

Sadly, it is not uncommon for former, disgruntled employees to become your business's worst enemy.

Don’t let angry former employees hack into your business accounts and wreak havoc by making it common practice to change passwords when an employee leaves the company.

And that means immediately after they have left the building! People don't have to wait until they get home to start accessing old work accounts any more.

Ensure your HR and IT teams are empowered to take action quickly once an employee leaves, and to document what action they have taken (as this may also overlap with your GDPR obligations).
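Both of the last two practices are easiest to keep up when someone runs a check rather than relying on memory. The following audit is an added example written for this article, not One2Call's tooling or any directory product's API: it takes a directory export and an HR leaver list, both constructed here as plain Python records, and reports passwords past the rotation period, leavers whose accounts are still enabled, and shared or service credentials that a leaver could have known and which therefore need changing too. The 90-day rotation period is an assumption for the example; the date used is the article's publication date.

```python
from datetime import date, timedelta

# Constructed sample directory export: one record per account.
ACCOUNTS = [
    {"user": "alice",      "enabled": True, "password_set": date(2019, 9, 20), "shared": False},
    {"user": "bob",        "enabled": True, "password_set": date(2019, 3, 1),  "shared": False},
    {"user": "carol",      "enabled": True, "password_set": date(2019, 10, 1), "shared": False},
    {"user": "svc-backup", "enabled": True, "password_set": date(2018, 1, 15), "shared": True},
]
# Constructed HR leaver list: user -> last day of employment.
LEAVERS = {"carol": date(2019, 10, 28)}
MAX_PASSWORD_AGE = timedelta(days=90)      # assumed rotation period for this example


def stale_passwords(accounts, today, max_age=MAX_PASSWORD_AGE):
    """Enabled accounts whose password is older than the rotation period."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and today - a["password_set"] > max_age)


def leaver_accounts_still_enabled(accounts, leavers):
    """Accounts of people on the leaver list that nobody has disabled yet."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["user"] in leavers)


def shared_secrets_to_rotate(accounts, leavers):
    """Shared/service credentials whose current password predates a leaver's departure,
    i.e. ones the leaver may still know."""
    return sorted(a["user"] for a in accounts
                  if a["shared"] and any(a["password_set"] <= left for left in leavers.values()))


def audit(accounts, leavers, today):
    """Run all three checks and return the findings as one report."""
    return {
        "stale_passwords": stale_passwords(accounts, today),
        "leavers_still_enabled": leaver_accounts_still_enabled(accounts, leavers),
        "shared_to_rotate": shared_secrets_to_rotate(accounts, leavers),
    }


if __name__ == "__main__":
    for finding, users in audit(ACCOUNTS, LEAVERS, date(2019, 11, 4)).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

The shared-credential check is the one most often forgotten: disabling a leaver's own login does nothing about the Wi-Fi key, the backup service account or the social-media login they also knew, and the report is the written record that the GDPR point above asks HR and IT to keep.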

Remember to Log Out

Avoid having vital company security information plastered across the internet, making it easy for hackers to steal, by signing out of accounts when you're not using them. This can be done manually, or it may be possible in the settings to define how long an account will stay logged in for once inactive.

Also, remove any permissions of applications when you have finished with them, such as apps or APIs you have integrated with from that account.

Don't Write Down Passwords

It can be such a temptation to write down passwords, even temporarily, either in an online document or on a scrap of paper. But as horrible as it is to contemplate, data breaches don't just come from external hacks; they can come from within as well.

If you're not confident of remembering passwords, or have run out of ideas for generating your own, then using a secure password manager like Lastpass will make your life a whole lot easier, and more secure!

Be Vigilant About Safety

No matter how strong your passwords are and however meticulous about safety you are, passwords won't be safe if a hacker's spy program is monitoring what you enter on your keyboard. Make life as difficult as possible for cyber criminals by using an up-to-date virus scanner and making regular updates to your devices.

For businesses, ensuring devices are fully patched, up-to-date and secure should be managed centrally, often through a managed service contract. Here at One2Call we offer a fully managed service called Total Care IT, which includes a package of security software and central patch management on a simple and flexible per device, per month basis.

Topics: pass phrase, password, security

Written by Danny Kirkby

Technical Director and IT & Telecoms specialist at One2Call.