Business Password Security Explained
Protecting your business from data theft and malicious attacks doesn’t have to be hard. Simply following the password security checklist (further down in this post) can greatly improve the security of your business at no cost to you.
A recent analysis by the National Cyber Security Centre found that ‘123456’ was the most widely used password in breached accounts, both personal and business.
1. Never Share Your Password With Anyone.
Nobody except you should ever know your password. This includes your current IT team and even fellow members of the executive team at your organization. Ideally, your password should exist only in your head, with the system you log into storing only a hashed (one-way) version of it. If anyone else currently knows your password, change it and never share it again.
2. Create A Strong Password
You need to create and use a password that is actually secure; just any old password won’t do. Short, easy-to-guess passwords are the reason passwords are cracked as often as they are. A computer can guess millions of passwords per minute, so follow these simple steps for a genuinely strong password:
- Length. Each additional character multiplies the number of possible passwords, so the search space grows exponentially with length. Establish a policy in your organization that passwords must be at least 10 characters long.
- Character sets. Use numbers, uppercase and lowercase letters, and symbols in your password. A password like ‘111ORGANIZATION’ cannot be considered secure. An example of a good password is ‘ggUr291K4qR2!&’.
- Common words. Do not use common words in your passwords, especially words that relate to your company or to the individual user in any way. Keep first and last names and anything to do with the company out of your passwords. A password such as ‘unequivocally2Okk45!$’ is fine, however.
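The three rules above expressed as a small policy check, added here as an illustration and not code from the post or from AtyxIT. The company/user word list (a hypothetical company ‘Acme’ and user ‘Jane Doe’) is a constructed sample; the search-space figures assume a guesser who knows which character classes are in use and the guess rate the post cites.

```python
import math
import string

# Policy from the checklist: at least 10 characters, all four character sets,
# nothing tied to the company or the user. The forbidden words are a
# constructed sample (hypothetical company "Acme", user "Jane Doe").
MIN_LENGTH = 10
FORBIDDEN_WORDS = ["acme", "jane", "doe"]

CHARSETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def keyspace_bits(password: str) -> float:
    """log2 of the number of passwords a brute-force guesser must try when it
    knows the length and which character classes are present. Each extra
    character adds log2(alphabet size) bits, i.e. the space grows exponentially."""
    alphabet = sum(len(chars) for chars in CHARSETS.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def exhaustive_search_years(password: str, guesses_per_minute: float = 1e6) -> float:
    """Years needed to try every password of this length and alphabet at the
    rate the post mentions (millions of guesses per minute)."""
    return 2 ** keyspace_bits(password) / guesses_per_minute / (60 * 24 * 365)


def check_password(password: str, forbidden=FORBIDDEN_WORDS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, chars in CHARSETS.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing character sets: " + ", ".join(missing))
    lowered = password.lower()
    for word in forbidden:
        if word in lowered:
            problems.append(f"contains company/user-related word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "111ORGANIZATION", "ggUr291K4qR2!&", "unequivocally2Okk45!$"]:
        print(candidate, check_password(candidate) or "OK",
              f"{keyspace_bits(candidate):.1f} bits")
```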
3. Regular Password Changes
While some services require regular password changes, most do not. It is always a good idea to schedule password changes regularly, because doing so consistently shrinks the window in which a compromised credential can do damage to your company. The more often you change your password, the shorter the period during which a stolen copy remains useful. This is why highly secure systems use randomly generated numbers that change every few minutes as part of their authentication model.
Users may find changing their passwords on a regular basis annoying, but it is nothing compared to dealing with a fully compromised company. We at AtyxIT, as part of our Managed IT Onboarding process, recommend that companies change their passwords once every 6 months at the bare minimum. We also use 3-month password changes for all customers using our Cloud Services.
4. Don’t Reuse Passwords
Alternating between a few passwords does not have the same effect as changing to something new and unique each time. Once a password has been compromised, it can be exploited at any point in the future, sometimes even years later. We recommend that users rely on randomly generated passwords for all public services with the help of a password manager, such as the one we include in our standard Cyber-security offering.
5. Secure Your Reset Options
This step protects you against people, rather than automated tools, trying to get into your account. Think about how your password can be reset, and keep in mind that security questions and answers should not be information that is publicly available, easily searchable, or widely known to the people around you. Many accounts and companies are attacked by adversaries who know the victim in real life, which gives them an edge when it comes to security questions.
6. Enroll and Utilize Two-Factor Authentication
Two-Factor Authentication is probably one of the most important mechanisms available. 2FA prevents the compromise of a single authentication factor (the password itself) from compromising your account outright. 2FA typically works by requesting the traditional login information (username and password) and then sending a confirmation prompt to a device such as a cellphone. Ideally, only the authorized person has both the traditional login information and access to the second device needed to confirm the login. More advanced mechanisms can also require a biometric check such as a fingerprint, which prevents a lost or stolen phone from being used to approve a login. Most cloud applications now offer two-factor authentication as standard, with many other applications following suit. It is worth the few extra seconds on every login for the peace of mind of knowing that, even with your password, a malicious actor cannot log in.
Following this simple business password security checklist will leave your company more secure than before, at no additional cost to you or your organization. You can’t put a price on security, that’s for sure.
AtyxIT is a Chicagoland based IT company providing small and medium-sized businesses with IT services such as Managed IT Services, Cloud Services, Cyber Security, Data Backup and Recovery, Device Patching & Management and Website Development services.