Best Practices for Company Password Policies

Although multi-factor authentication is now essential when it comes to safeguarding confidential data, passwords remain a central element of any security strategy. Unfortunately, passwords present some inherent limitations. Most can be broken easily using brute-force hacking. Employees also tend to stick to easily memorable passwords, which are a cinch to hack using specialized software. Additionally, some applications transmit passwords in plaintext, which makes it even easier for hackers to get hold of them.

What Are You Doing Wrong with Passwords?

Given the drawbacks of relying on passwords, it’s essential to implement a strong password policy. Many companies fail to do this and instead are guilty of common mistakes such as leaving default configurations and passwords in place on wireless networks, routers and POS systems. Other companies allow employees to share their login credentials, which significantly weakens the overall security of their network and leaves them more exposed to social engineering attacks. Another common mistake is choosing weak passwords or not updating them regularly.

Rules Every Password Policy Should Include

So what can you do to keep your company’s data safe? There are some universal rules that every password policy should incorporate, but before we start going into details on what makes a strong password, there are a few other important factors to consider:

  • All employees should use different passwords and should not be allowed to share them with one another.
  • Your employees should reset their passwords regularly, preferably once every one-to-three months.
  • Always set a limited number of login attempts that an employee can use to access the system. Have the account locked down after this limit is reached.
  • Ensure your employees use different passwords for different systems, unless you have a unified login system with multi-factor authentication.

What Makes a Strong Password?

In theory, every password can be cracked with a brute-force attack. However, the longer and more complex passwords are, the harder they are to crack, at least in practice. A strong password is one that would be impossible for a brute-force attack to discover within a human lifetime, even using all the world’s supercomputers combined. This is because a brute-force attack goes through all the possible combinations, and the longer the password and the larger the character set used, the more possible combinations there will be.

Many employees choose passwords they can easily remember, but these also tend to be easier for attackers to guess, or to uncover with brute-force hacking programs in a matter of minutes. Any password that is a word in the dictionary is extremely easy to hack, and many attackers use dictionary-based attacks to crack these simple passwords in mere seconds. Instead of relying on an easily memorable password, it’s better to try paraphrasing the password you had in mind and combining it with numbers and symbols. Every password policy should incorporate the following basic guidelines at the very least:

  • All passwords should be a minimum of 12 characters long
  • Never include any personal information, such as your name
  • Use misspellings, unique phrases or letter substitutions
  • Always use both letters and numbers and, preferably, one or more symbols
  • Don’t use any repeating patterns
  • Include a mixture of lower- and upper-case letters
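
The checklist above and the brute-force arithmetic behind it can be expressed as a small validator. This is an added example, not code from the original article; the function names, the sample wordlist and the sample passwords are constructed for illustration, and the optional "one or more symbols" item is left out because the guideline only prefers it.

```python
import math
import re
import string

MIN_LENGTH = 12  # minimum length from the guidelines above
# Constructed sample wordlist (assumption); real checks load a large dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "sunshine", "letmein"}
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def keyspace_bits(password):
    """Brute-force search space in bits: length * log2(character set size).

    This is an upper bound that only holds for randomly chosen characters;
    dictionary words fall much faster, which is why they are checked separately.
    """
    charset = sum(len(c) for c in CHAR_CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(charset) if charset else 0.0


def policy_violations(password, personal_info=()):
    """Return the guidelines a candidate password breaks (empty list = passes)."""
    lowered = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and numbers")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs lower- and upper-case letters")
    # Three identical characters in a row, or any chunk immediately repeated.
    if re.search(r"(.)\1\1|(.{2,})\2", lowered):
        problems.append("contains a repeating pattern")
    # Strip digits and symbols so "Password123!" still counts as a dictionary word.
    if re.sub(r"[^a-z]", "", lowered) in SAMPLE_DICTIONARY:
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate in ("sunshine", "AliceAlice2024", "Tr1cky-Maple#Boat42"):
        issues = policy_violations(candidate, personal_info=("Alice",))
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, {issues or 'passes'}")
```

The bit count shows why length and character variety matter: each extra character adds log2(character set size) bits, so every added character multiplies the number of combinations a brute-force attack must try.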

You really cannot afford to let your employees get lax on security, so setting strict standards for password creation and management is essential. However, you’ll ideally want to have a multi-factor authentication process that incorporates both passwords and a biometric scan or a code sent to the employee’s phone or standalone authenticator.

Spectrumwise provides complete, turnkey cybersecurity and business continuity planning solutions for companies. If you’d like to receive a free, confidential cybersecurity audit, call us today to find out more.

