EXECUTIVE SUMMARY:

In honor of Cyber Security Awareness Month, CyberTalk.org is publishing a dedicated blog series throughout October. Each week, we will be sharing blogs that correspond to four key cyber security behaviors, as identified by The National Cyber Security Alliance. Today’s blog highlights how employees and IT teams can implement stronger password management practices.

Hackers harvest, weaponize and sell both corporate and personal passwords in order to obtain financial reward, damage a reputation, steal intellectual property, or for other illegal undertakings. According to cyber security researchers, 80% of hacks involve the theft or reuse of employee passwords.

This is in no small part due to lack of employee education and corporate negligence. Within your organization, advocate for a concerted, company-wide effort around password security and password protection. Here’s how. Share the following password best practices with your colleagues.

Password security best practices for every employee

This list starts with password fundamentals that most people are acquainted with and gradually transitions into more sophisticated password security best practices.

  1. Use at least 12 characters, and treat that as a floor rather than a ceiling. Mix upper and lower case letters (in applicable languages), numbers and symbols, but remember that length does more for strength than any single character class.
  2. Never reuse a password across accounts. Credentials leaked from one site are replayed against others (credential stuffing), so one breach becomes many.
  3. Rotate a password immediately whenever there is any sign it has been exposed. If your organization also mandates periodic rotation (90 days is common), comply with it, but note that current guidance such as NIST SP 800-63B favors changing passwords on evidence of compromise rather than on a fixed schedule, because forced rotation tends to produce weak, predictable variants of the old password.
  4. Test the strength of your password with a strength-testing tool, but never type a real password into a third-party website. Use the meter built into your password manager or browser, or an estimator that runs locally, and test a password of the same pattern rather than the one you actually use.
  5. Consider a password manager. Password managers function as digital books of passwords, locked by a master key. If a cloud-based password manager is a concern, consider a local password storage program on your computer (Roboform or PasswordSafe).
  6. Prioritize longer passwords. The longer the password, the stronger the password. Which is stronger? A) L0g……………………… or B) LyXcn.F([email protected]

It’s a trick question, and the answer depends on the attacker. Against an exhaustive brute-force search, the first password wins: it is several characters longer than the second, and the trailing periods (“padding”) multiply the search space. But padding with a single repeated symbol is itself a predictable pattern, and “L0g” is a dictionary word with a common substitution; password-cracking tools apply exactly these rules, so against a rule-based attack the first password is far weaker than its length suggests. The lesson is length, not padding: a long random string or a multi-word passphrase generated by a password manager beats both.

  7. Avoid using a single real word (or a word with obvious substitutions) as a password. Dictionary attacks systematically try every word in a wordlist, plus common variations, against a stolen password hash or, where rate limits allow, against the login portal itself. A passphrase of several unrelated words chosen at random is a different matter and is a strong choice.
  8. Complicate your answers to password security questions; avoid using the name of your spouse, children, relatives or pets, as these answers can often be found on your social media profile or elsewhere online. Treat the answers as additional passwords: make them up and store them in your password manager.
  9. Check whether your passwords have previously been stolen. Mozilla’s Firefox Monitor and Google’s Password Checkup tool will tell you which of your email addresses and passwords have appeared in a data breach. Have I Been Pwned is another good option; its Pwned Passwords lookup uses a k-anonymity scheme in which only the first five characters of the password’s SHA-1 hash are sent to the service, so the password itself never leaves your machine.
  10. Secure your phone with a strong passcode, fingerprint or facial recognition.
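As an added example (not code from CyberTalk.org or from Have I Been Pwned), here is how the k-anonymity lookup behind the Have I Been Pwned password check above works, in Python. `fetch_range_online` performs the real query; the demo runs entirely offline against a constructed response for the prefix of the password "password", in which the first suffix is the genuine remainder of SHA-1("password") and the counts and other suffixes are made up. The function names are this example's own.

```python
import hashlib
import urllib.request

# Range endpoint of the Have I Been Pwned "Pwned Passwords" API.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent to the API and the 35-character
    suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response ("SUFFIX:COUNT" per line) into {suffix: count}.
    Padding entries (count 0, added when the Add-Padding header is set so
    that response sizes do not leak the prefix) are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_online(prefix: str) -> str:
    """Query the real API for one 5-character prefix (needs network access)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if never). Only the 5-character hash prefix is handed to fetch_range;
    the suffix comparison happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of "password").
# The suffix on the first line is the real remainder of SHA-1("password");
# the counts and the other suffixes are made up for this offline demo.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "00A1B2C3D4E5F60718293A4B5C6D7E8F901:2\n"
        + "F" * 35 + ":0\n"  # padding entry of the kind Add-Padding produces
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_online that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not found")
```

Swap `fetch_range_offline` for the default `fetch_range_online` to query the live service; the password still never leaves the machine, because the service only ever sees the five-character prefix.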

Password security best practices for IT teams

  1. Limit incorrect login attempts to 5 or fewer before the account is temporarily locked or the next attempt is delayed. Keep the lock temporary and log each lockout: a permanent lock lets an attacker deny service to any user simply by guessing wrong five times.
  2. Allow passwords to be 64 characters long or longer, rather than limiting the length to 10 characters, and never truncate silently: a password that is cut off before hashing is weaker than the user believes.
  3. Never store passwords in plaintext or with reversible encryption. Store only a salted hash produced by a deliberately slow password hashing function (Argon2id, scrypt, bcrypt or PBKDF2), so that a stolen database cannot be turned back into passwords cheaply.
  4. Implement multi-factor authentication. Multi-factor or two-factor authentication stops an attacker who has phished or cracked a password from getting in with the password alone. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) over SMS or emailed codes.
  5. Deploy privileged access management software for employees with access to sensitive data.
  6. Ensure that your organization uses up-to-date anti-malware and vulnerability management solutions.
  7. When an employee leaves, disable their accounts immediately, revoke their sessions, API tokens and keys, and change any shared or service account passwords they knew.
  8. Avoid logging in directly as ‘root’ or ‘Administrator.’ Log in with your own account and elevate only for the commands that need it, using sudo on Linux and Unix or “Run as administrator” on Windows, so that privileged actions are attributable to a person. Consider disabling direct root login (for example, PermitRootLogin no in sshd_config).
  9. Establish password audits. Track your employees’ compliance with the organization’s password security policy. An audit will monitor password modifications in order to ensure compliance. It will also highlight and correct weak access points.
  10. Send employees password best practices reminders. Employees usually have good intentions, but may forget to update passwords, or to otherwise comply with an organization’s password policy. Send employees email notifications reminding them of policies, best practices and the need to rotate passwords ahead of their expiration.
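The first three items for IT teams all land in the same place: the code that stores and checks credentials. The following is an added example, written for this article and not code from CyberTalk.org or from any product it mentions, of what they look like together in Python. Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (hashed, never encrypted), each record carries its own work factor so it can be raised later, long passwords are accepted rather than truncated, and five failed attempts trigger a temporary lock rather than a permanent one. The iteration count, lockout window, length cap and the `Authenticator` class are this example's choices, not settings from the article.

```python
import base64
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's 2023 recommendation). Argon2id is
# preferable when a library for it is available; PBKDF2 is used here because it
# ships with the Python standard library.
ITERATIONS = 600_000
SALT_BYTES = 16
MAX_PASSWORD_BYTES = 1024    # generous cap to bound hashing cost; nothing is truncated
MAX_FAILURES = 5             # failed attempts before a temporary lock
LOCKOUT_SECONDS = 15 * 60    # temporary, so an attacker cannot lock users out for good


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.
    A fresh random salt per password defeats precomputed tables and hides
    which users share a password."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the record's own salt and work factor and
    compare in constant time. Malformed records simply fail."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        pw = password.encode("utf-8")
        if len(pw) > MAX_PASSWORD_BYTES:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        actual = hashlib.pbkdf2_hmac("sha256", pw, salt, int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with a weaker work factor than today's."""
    try:
        return int(stored.split("$")[1]) < ITERATIONS
    except (IndexError, ValueError):
        return True


# Hash of a random throwaway password, verified against when the username is
# unknown, so that real and fake usernames take the same time to reject.
DUMMY_HASH = hash_password(_b64(os.urandom(32)))


class Authenticator:
    def __init__(self, users: dict, clock=time.monotonic):
        self.users = dict(users)   # username -> stored hash record
        self.clock = clock         # injectable for testing lockout expiry
        self._failures = {}
        self._locked_until = {}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if now < self._locked_until.get(username, 0.0):
            return "locked"
        stored = self.users.get(username)
        # Always run exactly one hash so unknown users are not detectable by timing.
        ok = verify_password(password, stored or DUMMY_HASH) and stored is not None
        if ok:
            self._failures.pop(username, None)
            if needs_rehash(stored):          # upgrade old records transparently
                self.users[username] = hash_password(password)
            return "ok"
        fails = self._failures.get(username, 0) + 1
        if fails >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        else:
            self._failures[username] = fails
        return "denied"


if __name__ == "__main__":
    auth = Authenticator({"alice": hash_password("correct horse battery staple")})
    print(auth.login("alice", "wrong"), auth.login("alice", "correct horse battery staple"))
```

The lock is keyed on the username and expires on its own, which is the trade-off item 1 asks for: the attacker's guessing is throttled, but a determined attacker can still inconvenience a user for the lockout window, so lockouts should be logged and ideally combined with per-source-IP throttling as well.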

In summary

The stakes are high and the security risks are genuine. With a compromised password, a hacker could instantly halt your business’s productivity, sink profits, crash your stock price, and engender real-world harm.

Applying password security best practices is as much a choice as locking the doors at night. Keep your people, processes, technologies, partners, clients and IP secure by ensuring that everyone puts password security best practices into action.

Operationalizing behavioral changes can be tough for employees and IT teams alike. But the rewards are worth it and pay off for years to come.

On the first Thursday in May, honor World Password Day. For more insights into password security, please see CyberTalk.org’s past coverage. Lastly, get engaging stories, expert analysis and real-world reports delivered to your inbox each week – subscribe to the CyberTalk.org newsletter.