Password Best Practices
Every day in our role of managing IT systems we come across passwords that make us cringe. They may be easy for users to remember, but that also makes them easy to guess. A user may think that the name of their eldest child is a good choice, but an investigation as simple as looking at the user’s social media will provide that password. Replacing letters with numbers or symbols, such as replacing an “e” with a “3”? That doesn’t cut it any more. Neither does adding an exclamation mark at the end. Hackers and their tools are wise to all that. We need to get serious about passwords.
Improving your business’s password best practices is a good place to start when you are looking at beefing up your cybersecurity. Because passwords are such a common everyday part of business, people become careless in their creation and use. We need to bear in mind that a weak password may just be the undoing of the whole business – and that’s not being overdramatic.
Password best practices must be instilled in the minds of all employees. It is a job of management to educate and enforce them. But don’t worry – we can help.
Here’s our list of password best practices:
1. Don’t write passwords on sticky notes.
Just like leaving things on view in your car, the adage “If it can be seen it can be stolen” works for passwords written down as well.
2. Don’t save passwords to your browser.
Web browsers are not designed to be a secure place to store passwords and other sensitive information like credit card numbers. They are easily compromised by malware, browser extensions and other software.
3. Make your passwords at least eight characters long.
Include numbers, symbols and upper-case and lower-case letters. Make them complicated!
4. Don’t replace letters with numbers or symbols.
People replace an “e” with a “3”, a letter “l” with a number “1”, an “o” with a zero, an “a” with an “@” symbol or an “s” with a “$”. See? It’s not secure. Everybody knows about it, especially hackers and their tools.
5. Don’t iterate your password (like Password1, Password2).
This may have been OK last century, but everyone is wise to this one now.
6. Use a different password for every login.
If you use a single password, once it is compromised so too are all the accounts to which that password gives access.
7. Don’t capitalise the first character.
There may be a requirement to use at least one capital letter in a password. People tend to capitalise the first one. Don’t. Again, it makes a password easier to guess.
8. Don’t use “!”.
There may be a requirement to use at least one symbol in a password. People tend to use a “!”. Once again, it makes a password easier to guess. If you do use one, don’t put it at the end.
9. Don’t use long phrases.
Using long phrases was once a recommendation. It is no longer part of password best practices. “tillthecowscomehome” is more easily guessed than you would think. If you feel like changing that to “t111th3c0w$c0m3h0m3”, see point 4 above.
10. Use a password manager.
A password manager makes it a lot easier to comply with the demands of modern password best practices. It remembers all your passwords. It can generate and save new passwords for you. It can sync over all your devices, and it means that you only have to remember one password. But please, make that password very complicated.
11. Test your passwords.
There are various websites, such as passwordmonster.com, where you can test a password to see how strong it is. They will give you a green light for a good one and will tell you how long it would take a password cracker to guess the password.
12. Use multifactor authentication.
As much as it is a pain, it is another layer in the security arsenal that you can use to beef up your protection. Modern password managers can generate the verification codes themselves, so you don’t need to reach for your mobile phone every time you have to get a code.
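As an added illustration (not part of the original article), here is a small Python audit that flags the weak patterns from points 3 to 9 above. The four-entry wordlist is constructed for the example and stands in for the huge dictionaries that cracking tools ship with.

```python
import re
import string

# Constructed mini wordlist standing in for the dictionaries cracking tools ship with.
COMMON_WORDS = {"password", "welcome", "letmein", "tillthecowscomehome"}

# Point 4: the substitutions everyone knows. 'i' and 'l' both fold to 'l' so that
# "t111" matches "till" as well as "tlll".
LEET = str.maketrans({"3": "e", "0": "o", "@": "a", "$": "s", "1": "l", "i": "l"})

def normalise(text):
    """Lower-case the text and undo leetspeak so variants of one word compare equal."""
    return text.lower().translate(LEET)

NORMALISED_WORDS = {normalise(w) for w in COMMON_WORDS}

def audit_password(pw, wordlist=NORMALISED_WORDS):
    """Return the list of violations of points 3 to 9 found in pw (empty = none)."""
    findings = []
    if len(pw) < 8:                                                    # point 3
        findings.append("shorter than 8 characters")
    has = {"lower": any(c.islower() for c in pw),
           "upper": any(c.isupper() for c in pw),
           "digit": any(c.isdigit() for c in pw),
           "symbol": any(c in string.punctuation for c in pw)}
    missing = [name for name, present in has.items() if not present]
    if missing:                                                        # point 3
        findings.append("missing character class: " + ", ".join(missing))
    # Points 4, 5 and 9: a known word or phrase, leetspeak or not, possibly
    # hiding under up to three trailing characters such as "1", "2" or "!".
    for k in range(4):
        stem = pw[:len(pw) - k] if k else pw
        if normalise(stem) in wordlist:
            findings.append("variant of common word/phrase " + repr(stem))
            break
    if re.search(r"\d$", pw):                                          # point 5
        findings.append("ends with a digit (iteration pattern)")
    uppers = [c for c in pw if c.isupper()]
    if uppers and uppers == [pw[0]]:                                   # point 7
        findings.append("only the first character is capitalised")
    symbols = [c for c in pw if c in string.punctuation]
    if symbols and set(symbols) == {"!"}:                              # point 8
        findings.append("'!' is the only symbol used")
    if pw.endswith("!"):                                               # point 8
        findings.append("'!' placed at the end")
    return findings
```

A randomly generated manager password such as xK7#pQ2mV9$rL4wB comes back with no findings, while t111th3c0w$c0m3h0m3 is recognised as the phrase from point 9.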
See the graphic accompanying this article for a few more tips. If you follow these password best practices, you will greatly reduce the chances of your business being compromised and you will be a step ahead in the war on cybercrime.
Need help with setting up a secure password regime? Talk to us.