News & Blog

World Password Day: Perfect Time to Review Best Practices

News & Blog

password

Data security breaches are unfortunately a routine occurrence. All good data security starts at the password. Its importance is critical. In honor of World Password day, we are sharing best practices on establishing and managing passwords in your organization.  We strongly recommend that you review these to help you assess and update your data security policies.

As a trusted IT support provider, we help clients to address network security concerns that stem from infrastructure vulnerabilities. We also provide security monitoring & managed services with our FLxSecure SECOPS service. This is to say, we’ve seen a lot of bad situations. Many of them could have been avoided with some basic best practices and education.  In fact, one of the greatest opportunities to improve your security is to educate everyone in your organization and implement security policies and best practices.

Password Policy Best Practices:

  • Establish a Minimum Password Length: This sets the minimum number of characters for a password.  For security reasons you’ll generally want at least 8 characters
  • Require Complexity: Beyond length, you should require complexity.  Examples of complexity requirements are:
    • Passwords cannot contain the user’s name or part of the user’s full name
    • Passwords should use three different character types (capital letter, number & symbols) along with lower case alphabet letters.
  • Enforce Password History: This sets how frequently old passwords can be reused.  A recommended value for this setting is 8.
  • Use a Minimum Password Age: This setting ensures that passcodes cannot be changed until they are more than a certain number of days old. This policy setting works in combination with an “Enforce History”policy setting. If a minimum password age is defined, users cannot repeatedly change them to get around the Enforce  History policy setting. Users must wait the specified number of days to make a change.
  • Set Maximum Password Ages: This parameter sets how frequently a user must change their credentials.  Most organizations find a 90-day timeframe is frequent enough.  We would recommend no more than a maximum of 180 days.
  • Set Account Lockout Thresholds: This parameter defines how many times an incorrect credential can be entered before the account becomes locked. The default in most environments is 3.
  • Set Up & Enforce Usage of Multi-Factor Authentication (MFA): Multi-factor authentication is available on most applications, particularly those accessible via the cloud. MFA requires 2 forms of digital ID to access an account. This makes it much more secure. In fact, 95% of all malware attacks can be mitigated by implementing MFA.

Organizational Best Practices:

In addition to the policies that are set from within your system, it is a best practice to institute a corporate policy document that addresses the organization’s position regarding password security. The corporate policy document should at a minimum address the following areas and be circulated to all employees prior to implementing the new policy:

  • An outline of the new password guidelines that will be implemented and adhered to. This should explain to the company users the reason for the policy being implemented as well as the general parameters of the policies.
  • ALL users must adhere to these policies without exception. Executive management and IT personnel need to comply with the policy as well as the end users.

Guidelines for Building Stronger Passwords:

All users at should be aware of how to select strong passwords, that by definition contain the following characteristics:

  • Lower case characters
  • At least one Upper case character
  • At least one Number
  • At least one “Special” character (e.g. @#$%^&*()_+|~-=\`{}[]:”;'<>/)
  • Contain at least eight alphanumeric characters.

Weak passwords have the following characteristics:

  • Contains less than eight characters
  • Is a word found in a dictionary (English or foreign)
  • Is a common usage word such as: names of family, pets, friends, co-workers, fantasy characters, etc.
  • Birthdays and other personal information such as addresses and phone numbers word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Password Protection Standards

  1. Always use different credentials for every account. For example, select one password for logging into the network and a different one for access to each software application.
  2. Never use an administrator password for normal login and routine daily activity.
  3. Do not share credentials with anyone, including administrative assistants or secretaries. All passwords arebe treated as sensitive, confidential information.
  4. Passwords should never be written down or stored on-line without encryption.
  5. Do not reveal a password in email, chat, or other electronic communication.
  6. Do not speak about a password in front of others.
  7. Do not hint at the format (e.g., “my family name plus 1”).
  8. Do not reveal a password on questionnaires or security forms.

If an account or password compromise is suspected, report the incident to your organization’s IT team immediately.

If you have further questions, please feel free to select a time for  a no-obligation security consultation with us.

Schedule 30 Minute Discussion

See also:

INFOGRAPHIC PDF Download: Guidelines for Strong Passwords

CEO Perspective: IT Priorities for 2021

Keeping Data Secure in the “Work From Home” Environment

Cybersecurity Pressures Taking a Mounting Toll on IT

The Best Defense Against Ransomware

More Resources

Upcoming event details

Register Here

Check out this great download

Download