As more and more businesses rely on cloud-based and software as a service (SaaS) tools, security best practices are becoming even more critical. As passwords are the first line of protection against any unauthorised access to your business accounts and data, it makes sense to invest the time in creating a password policy for your organisation.
A password policy sets rules and guidelines that employees need to follow when creating and using passwords at an organisation. For example, a password policy may stipulate that passwords cannot be written down or sent by email to other employees. A policy may indicate how often employees must change passwords and when an IT department should update passwords following an employee departure from the company. Policies may specify minimum character requirements for passwords and clarify how remote users can safely access corporate networks and resources off-site, such as with a VPN.
Essentially, a password policy clarifies how users must handle passwords and the consequences for improper handling of credentials (intentional or accidental). It is a vital document for businesses, as it educates employees on cybersecurity best practices and strong password practices, strengthening a company’s defences against data breaches.
Why is a password policy needed?
Compromised passwords continue to be a leading cause of data breaches, with a large percentage of hacking-related data breaches tied to passwords. According to the Verizon 2022 Data Breach Investigations Report more than 80% of breaches involve brute force (a hacking method that uses trial and error to crack passwords and login credentials) or the use of lost or stolen credentials. As a result, an organisation’s exposure to attack can be significant given the number of passwords the typical employee uses daily.
Research by password manager NordPass revealed that high-ranking business executives and company owners tend to use weak and easy-to-crack passwords, which significantly increases the chances of a large-scale data breach. NordPass put together a list of passwords used by business executives which showed that “123456” and “password” were the number one and number two most popular passwords, respectively. According to small business website My Business, “12456” is also the most common password in Australia and was used 308,483 times that led to a data breach.
A robust password management policy will help to maximise the strength of the passwords used by employees. When used correctly, an effective password policy prevents unauthorised access into private accounts and keeps your sensitive business data secure.
What should be included in a password policy?
Every organisation is unique and as such you may have password requirements that are specific to your business. As a recommendation, your policy should include:
- Password strength requirements
- Use of unique passwords
- Storing passwords securely
- Multi-factor authentication (MFA)
Password strength requirements
A password’s strength depends on three key characteristics – complexity, length and unpredictability. Therefore, a strong password is complex, long, and hard to guess. Your password policy should include setting a minimum password length and information on complexity requirements.
According to Scientific American, a 12 character password is 62 trillion times more difficult for cybercriminals to crack than a 6 character one. The strongest password is a 16 character one derived from a set of 200 characters.
Having a password like “aC<My!chO,quaj^of)naD}uM}rIew>Ap[Ek}E*quaC.eib(Tyb” may be very secure, however employees will struggle to remember it. When someone sets a difficult-to-remember password, they tend to write it down on paper or store it in a document on their computer, therefore making that password less secure. Another option is to use a passphrase – a memorable string of words, including different characters and special characters – to increase the security of your complex passwords. Users can relate their passwords to things they can easily remember, like a favourite sport or hobby. For instance, “I enjoy playing basketball” can be “IEnjoiPlay!ngB@$k3tb@ll11.”
In summary, following are the main characteristics of a good, secure password:
- Length of at least 12 characters long (the longer, the better)
- Uses uppercase and lowercase letters, numbers and special symbols
- Doesn’t contain memorable keyboard paths
- Is not based on personal or identifying information
Use of unique passwords
Employees should ideally use unique passwords for every account that they create. Unfortunately, this isn’t particularly common practice. An Online Security Survey by Google of 3000 people found that 52% reuse passwords across multiple accounts.
If a password is breached on one platform, that puts the user at risk of being breached everywhere. A recent Digital Shadows study showed that there are more than 24 billion username and password combinations in cybercriminal marketplaces. That’s 65% more passwords that are circulating on the dark web since 2020.
You can set out in your password policy a strategy to:
- Enforce password history so that the repeated use of a password can be detected
- Prohibit the use of at least five previous passwords
3. Storing passwords securely
Ensuring secure storage of all passwords in your network is a necessity. Consider adding the following two rules to your password policy:
- a) Use password managers. Password management software such as Password1, LastPass and Apple Keychain make it easier to manage strong passwords. By remembering one main strong password, the password manager takes care of the rest. It’s able to:
- Generate random passwords of the desired strength and complexity
- Provide warnings if you’re using a password that’s being used elsewhere or if the one you’ve chosen is weak
- Allow you to share passwords securely with other users so they can log in (without revealing the password itself)
Passwords managers undergo third-party audits, penetration tests, and code reviews to keep encrypted password “vaults” safe. Both 1Password and Lastpass use a “zero-knowledge” protocol that ensures your master password never leaves your device and only you can access your passwords.
- b) Encrypt passwords. Using encryption for passwords makes it harder for hackers to compromise your passwords. Encryption scrambles your password so it’s unreadable and unusable by hackers. That simple step protects your password while it’s sitting in a server.
4. Multi-factor authentication (MFA)
Additional layers of protection are necessary for securing privileged accounts with elevated access permissions. You should consider adding multi-factor authentication (MFA) to your password policy as an additional security measure.
MFA is a security measure that requires two or more proofs of identity to grant you access to an account. MFA can confirm identity and replace passwords using PINs, facial recognition, fingerprints or inserting a USB key. The multiple layers make it harder for criminals to attack your organisation. Hackers might manage to steal one proof of identity (e.g. PIN), but they still need to obtain and use the other proofs of identity. Two-factor authentication (2FA) is the most common type of MFA.
Best practices for an effective password policy
Although a company may develop a well-written password policy, the bigger challenge is putting its requirements into action. Without appropriate technology to enforce and monitor password policy requirements, companies will continue to experience gaps in their password security.
An effective password policy:
- Uses clear language and avoids tech and legal jargon so it is accessible to all employees
- Is easily obtainable for reference, such as in an employee handbook or company intranet
- Is built on best practices such as using a password manager and two-factor authentication
- Uses technology and effective IT management to build good password habits
- Offers a centralised way for IT to manage and oversee password security
- Evolves over time, with IT actively monitoring for potential issues and updating requirements
Boosting your cybersecurity
Whilst password security is vitally important, it’s just one aspect of cybersecurity. In order to comprehensively protect your valuable business data you need to consider other security measures such as managed firewalls, intrusion detection services, data backup and recovery services, and secure storage solutions.
Partnering with an external IT management company such as Neo Technologies can help you meet the standards for data privacy and security that apply to your industry. With over 25 years of industry experience, Neo Technologies will keep your company secure, connected and compliant, so you can focus on achieving your current and future business goals.
We offer end to end IT services, solutions, support and advisory with a depth and breadth of specialised knowledge that sets us apart from our competitors. Contact us on 1300 661 832 to learn more about ways we can help protect your business from cybersecurity attacks.
