Password management bad habits often form the weakest link in a company’s cyber security strategy. More specifically, password re-use by employees is a significant challenge and can lead to a serious breach of corporate systems. According to a recent survey by Google, 65% of people admit to re-using passwords at work and in their personal life. All it takes is for one website or service provider to suffer a breach of their customer database and your employee’s re-used password can end up in the wild.

Businesses of all sizes should address the password re-use problem by effectively educating employees on the right password management best practices, while implementing technologies to take your use of identity and access management (IAM) to another level.

In this blog, we explore the five most important password policy best practices for organizations.

1. Password Length and Complexity

Businesses should take a proactive stance on educating employees on the best practices around password management. Let’s start with the basics.

Passwords should be an absolute minimum of eight characters in length. The password should use a combination of ASCII characters – uppercase, lowercase, numbers, and symbols. Ideally, employees should get in the habit of using a random password generator, which is often a handy feature of a password manager tool. More on that in a moment.

Employees should avoid using common words and combinations found in “password dictionaries,” such as 123456, password, qwerty, passw0rd and so on. Adjacent keyboard strings should also be avoided, such as qwerty7894.
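The rules above (minimum length, four character classes, no dictionary entries, no adjacent-key strings) as a small policy checker plus a CSPRNG-backed generator. This is an added example, not code from the post or from NENS; the common-password list is a constructed sample, and only single-row keyboard adjacency is modelled.

```python
import secrets
import string

# Constructed sample of a "password dictionary": the entries named in the post plus a few more.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "passw0rd", "letmein", "welcome1"}
# Physical QWERTY rows, used to spot adjacent-key strings such as the "qwerty" in "qwerty7894".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _adjacent(a: str, b: str) -> bool:
    """True when a and b sit next to each other on the same keyboard row."""
    for row in KEYBOARD_ROWS:
        if a in row and b in row and abs(row.index(a) - row.index(b)) == 1:
            return True
    return False

def keyboard_runs(pw: str, min_run: int = 4) -> list[str]:
    """Return every stretch of min_run or more characters that walks along a keyboard row."""
    low, runs, i = pw.lower(), [], 0
    while i < len(low):
        j = i
        while j + 1 < len(low) and _adjacent(low[j], low[j + 1]):
            j += 1
        if j - i + 1 >= min_run:
            runs.append(low[i:j + 1])
        i = j + 1
    return runs

def check_password(pw: str, min_len: int = 8) -> list[str]:
    """Apply the post's rules; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
               "digit": string.digits, "symbol": string.punctuation}
    missing = [name for name, pool in classes.items() if not any(c in pool for c in pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("found in the common-password list")
    problems += [f"adjacent keyboard string '{run}'" for run in keyboard_runs(pw)]
    return problems

def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG, guaranteed to contain every character class."""
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```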

2. Don’t Re-use Passwords

Perhaps the largest challenge in password management is the re-use of passwords. A typical employee today may have dozens or even hundreds of websites, accounts, and software tools that they need to manage across their personal and business life. Therefore, it is understandable how people fall into the bad habit of re-using passwords. But it really should be avoided at all costs.

Organizations that take cyber security seriously should invest in software tools and training to help employees understand the dangers of bad password habits and what to do about them. At NENS, we deliver clients and their staff cyber security awareness programming to help these organizations develop a culture of security.

3. Use a Password Manager

The best way to break the habit of password re-use is to use a password manager. A password manager is a software tool that allows your employee to store an unlimited number of strong passwords in a highly encrypted password vault, which is accessible with a single master password. LastPass and Dashlane are two popular and highly regarded password managers. These tools come standard with a host of different features which make proper password management habits a snap.

All major password managers include a feature to create a randomly generated strong password for each unique website, service, or software tool. This allows an employee to begin the process of changing the passwords on all of their existing sites to randomly generated strong passwords. With a bit of discipline, an employee can update their passwords across hundreds of sites and services in no time. Once the password re-use problem has been tackled, all the employee needs to remember is the one master password which secures and governs their password vault.

Password managers also feature a browser extension which auto-fills passwords into websites and SaaS applications as the employee does their work throughout the day. All the user needs to do is log in once at the beginning of their browsing session, and then all of the needed passwords get auto-filled from the password vault. Password managers help with both halves of an employee’s life, whether work or personal. Once an employee gets the hang of using a password manager, there is usually no going back.

4. Leverage Multi-Factor Authentication (MFA)

Whether employees adopt a password manager or not, another important step for companies is to implement multi-factor authentication across all corporate systems and software tools. An MFA solution combines something the user knows, such as their password, with something they have, such as a smartphone with an authenticator application that generates a one-time password.

Implementing MFA can pay huge dividends for organizations. According to Microsoft, over 99.9% of account compromise attacks are stopped by the use of MFA.

With MFA, even if a cyber criminal compromises a user’s password, their attempt to authenticate and breach the user’s account will fail because they don’t have the user’s smartphone handy. At NENS, we standardize on MFA powered by Cisco Duo, an industry-leading and easy to use MFA solution.

MFA can be used in concert with password managers, as well. First, password managers themselves can leverage a second factor of authentication just to unlock the user’s password vault. And secondly, if your organization implements MFA for all corporate systems, the main passwords for work systems can be randomly generated and stored in the password manager.

5. Implement Single Sign-on (SSO)

Single sign-on solutions are another way for organizations to tame the password beast. An enterprise SSO solution delivers many of the same benefits to users as a password manager, but it is organized and managed at the corporate level. An enterprise SSO solution allows the user to log in once with their main corporate credentials and then be dynamically logged into all other corporate applications throughout the workday. The solution will often present all of the user’s corporate apps on a single, web-based dashboard. As with a password manager, security is improved because each discrete app or tool has its own unique password, while the life of the employee is simplified since they only need to log in once to get access to all of their applications.

At NENS, we welcome inquiries from new and existing clients regarding how to best evolve and improve your organization’s implementation of password best practices.