14 Password Policy Best Practices

Password policies have been around for a long time in business, but when was the last time you reviewed yours? Is it still fit for purpose? The online threat environment is ever-changing and it may well be that your password policy, and overall password vigilence, has never been so important to your business.

So here is our round up the 14 password policy best practices for your business.

Click on the link below for information for how you can protect yourself and your Business from Phishing and Ransomware Attacks with Ative Email Threat Protection. Or alternativly ask us for more information.

Best Practice #4: Use Two-Factor Authentication

Two-factor authentication (2FA) helps keep accounts and data safe from hackers by using two different methods to verify that you are who you say you are.

One of the most highly effective password policy best practices, 2FA, requires you to input a PIN that gets sent to you via an email, SMS or app. Consequently, two-factor authentication protects from stolen passwords and prevents an external person from accessing systems and accounts.

Mainstream providers are increasingly moving to using 2FA by default, and many offer the option. Why not enquire with all your cloud service providers as to the availability of two-factor authentication for accessing their platforms?

Best Practice #5: Refrain from Using Dictionary Words

Sophisticated hackers have programs that search through tens of thousands of dictionary words as part of their password-guessing attempts. Help prevent your business from being the victim of a dictionary attack program by avoiding using dictionary words. Instead opt for random passwords.

Best Practice #6: Don’t Make Passwords Too Long, or…

If you’re in the position where you need to commit your passwords to memory, then long passwords can leave you in the frustrating situation of continually forgetting your password and getting locked out of your account.

Passwords that creep up to over ten characters can be painfully difficult to remember, so around 8 – 12 characters are considered optimum for password safety.

Unless, of course, you….

Best Practice #7: Use a Password Manager

More and more businesses and professionals are using password managers like LastPass or Zoho Vault as a means of practicing high levels of security and keeping passwords organised.

With password managers, you only need remember one password, as the password manager stores and even create passwords for your different accounts, automatically signing you in when you log on.

If possible use these apps to generate and automatically save passwords. You can even use LastPass autofill on iOS devices so your saved passwords are available wherever you are and you don’t have to type long complicated passwords on your iOS device.

For more detailed information about password managers, read this article from the National Cyber Security Centre.

Best Practice #8: Use Different Passwords for Different Accounts

It can be tempting to use the same password for every account, so we don’t forget our passwords.

However, this not only makes it easier for hackers to break into your accounts, but it also it also means if they manage to crack one, they have access to all your accounts – bad times!

Diversify your passwords by using a different password for every account. It is especially important that you do not re-use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your email soon.

Not only this, but as your email address is frequently used to reset your account passwords, if they gain access to your email account they can potentially lock you out of all your other accounts by changing the passwords.

Best Practice #9: Secure Your Mobile Phone

With the growing use of mobile phones to conduct business, shop and more, mobile devices are becoming a major cause of concern in the security community. Help protect your phone and other mobile devices from hackers by following password policy best practices. Or, better still, use fingerprint or facial recognition passwords to help outwit hackers.

For business users Mobile Device Management (MDM) offers a means to centrally control the security of devices by applying password policy best practices such as prompting regular password changes, locking devices to a specific location, or even wiping the device if it gets lost or stolen.

Best Practice #10: Change Passwords Regularly

It can also be tempting to keep the same old passwords for years, so you don’t end up forgetting them. However, changing passwords regularly is one of the best password policy best practices to instill in your business’s security agenda to help outwit hackers.

In most cases, your IT team should be able to apply password policy best practices centrally that ensure that passwords are regularly updated.

Best Practice #11: Change Passwords When an Employer Leaves Your Business

Sadly, it is not uncommon for former, disgruntled employees to become your business’s worse enemy.

Don’t let angry former employees hack into your business accounts and wreak havoc by making it common practice to change passwords when an employee leaves the company.

And that means immediately after they have left the building! People don’t have to wait until they get home to start accessing old work accounts anymore.

Ensure your HR and IT teams are empowered to take action quickly once an employee leaves, and document what action they have taken (as this may also overlap with your GDPR obligations).

Learn more about helpful rules, guidelines and procedures for keeping your business cyber safe with Get Safe Online.

Best Practice #12: Remember to Log Out

Avoid having vital company security information plastered across the internet, making it easy for hackers to steal, by signing out of accounts when you’re not using them. This can be done manually, or it may be possible in the settings to define how long an account will stay logged in for once inactive.

Also, remove any permissions of applications when you have finished with them, such as apps or APIs you have integrated with from that account.

Best Practice #13: Don’t Write Down Passwords

It can be such a temptation to write down passwords, even temporarily, either in an online document or scrap of paper. But as horrible as it is to contemplate, data breaches don’t just come from external hacks, they can come from within as well.

If you’re not confident of remembering passwords, or have run out of ideas for generating your own, then using a secure password manager like LastPass will make your life a whole lot easier and more secure!

Best Practice #14: Be Vigilant About Safety

No matter how strong your passwords are and how meticulous about password policy best practices you are, passwords won’t be safe if a hacker’s spy program is monitoring what you enter on your keyboard. Make life as difficult as possible for cyber criminals by using an up-to-date virus scanner and making regular updates to your devices.

In conclusion, implementing and following password policy best practices can help protect your business from data breaches and unauthorised access to company systems. Partner with an IT expert like One2Call with the knowledge and experience to keep your business safe. We offer a fully managed service called Total Care IT which includes a package of security software and central patch management on a simple and flexible per-device, per-month basis.

Get started today with One2Call’s Cyber Essentials Self-Assessment.

This post was updated in 2023 from a blog written in 2019. You can access the original blog here.