The top 5 password security protocols to protect your organisation
Building a culture of security awareness in your organisation is vital. As I wrote about last month, there are many different ways in which organisations are vulnerable to hacking and data breaches, but one of the most common is weak password security.
How is password security breached?
At the most basic level, attackers (or other bad actors such as disgruntled former employees) can get into your systems simply by guessing people’s passwords. If they can obtain a list of usernames for your organisation, which is often as easy as working out your email address format, they can start trying passwords against those usernames.
This could be done by hand but, far more often, it is automated, and it takes two common forms. In a dictionary or ‘password spraying’ attack, the attacker takes a list of commonly used passwords (‘Password1’ and the like) and tries each one against every known username until something works. In ‘credential stuffing’, the input is a list of real username and password pairs exposed in a breach somewhere else, tried against your login pages on the assumption that some people reuse them. This is why using the same password in multiple places is a problem: if one site is breached and its usernames and passwords are exposed, every other service where someone used that same combination is immediately at risk.
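One practical control against the breach-reuse problem is to refuse, at the moment a password is set, any password that already appears in a known breach corpus. The example below is added here and is not code from the original post; it shows the k-anonymity lookup used by the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave the machine, and the server returns every suffix it knows for that prefix). The breach data and counts are constructed so the example runs offline; the `offline_fetch_range` function stands in for the HTTPS call.

```python
import hashlib
from typing import Callable, Dict, List, Optional

# Stand-in for the Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/<prefix>):
# the client sends only the first 5 hex characters of the SHA-1 of the password, and the
# server answers with "SUFFIX:COUNT" lines for every hash sharing that prefix. The password
# itself, and even its full hash, never leaves the machine.

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_constructed_ranges(breached: Dict[str, int]) -> Dict[str, str]:
    """Group fake breach counts by 5-char hash prefix, in the API's response format."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}

# CONSTRUCTED sample data: a few well-known bad passwords with made-up counts.
CONSTRUCTED_RANGES = build_constructed_ranges({
    "password": 9_000_000,
    "Password1": 2_000_000,
    "Welcome12345": 1_500,
})

def offline_fetch_range(prefix: str) -> str:
    """Fake network call; the real one would GET .../range/{prefix} over HTTPS."""
    return CONSTRUCTED_RANGES.get(prefix, "")

def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0

def password_acceptable(password: str, min_length: int = 12) -> Optional[str]:
    """Policy check at password-set time: returns a rejection reason, or None if OK."""
    if len(password) < min_length:
        return f"too short ({len(password)} < {min_length})"
    n = pwned_count(password)
    if n:
        return f"appears {n} times in known breaches"
    return None

if __name__ == "__main__":
    for pw in ("Password1", "Welcome12345", "kJ8#vQ2m!pL9zR"):
        print(repr(pw), "->", password_acceptable(pw) or "accepted")
```

To use the real service, pass a fetcher that does the HTTPS request, for example `lambda p: urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{p}").read().decode()`; the check logic is unchanged, and the same function can be run on the server side whenever a user changes their password.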
Passwords can also be exposed through social engineering, where the target is tricked into revealing their password (or other sensitive security information) to someone else. This can be done in person or over the phone by someone impersonating a member of the IT team or a third-party service vendor. It can also be done electronically, with ‘phishing’ emails that encourage recipients to enter their credentials into a fraudulent copy of a login page, or that lead to the installation of malware which logs keystrokes or records the screen and captures passwords that way.
How can password security best be maintained?
If you consider the different ways in which passwords can be breached, you can see that there is no single solution to password security. You can have the most unguessable password in the world, but it provides no protection at all if the user simply tells someone else what it is. So your password security policy needs several different elements.
- Educate your staff – This really is the most important step. You can have all the password policies and procedures you like, but they are no use if people don’t follow them, and typically people don’t follow them because they find them over-complicated and don’t understand why they matter. Make sure staff understand the different ways their passwords can be exposed and what the consequences of a breach could be, so that they take password security seriously. You can also measure how vigilant users are: a simulated phishing campaign, for example, shows how many people click a suspicious link or enter their credentials and therefore need additional training on what to look out for.
- Use password managers – Password managers such as LastPass store all of your usernames and passwords in an encrypted vault. From then on the manager remembers the passwords for you: when you need to log into a website it fills in the username and password, and most managers will also generate a long random password for each new account. Because nobody has to remember them, they can be as long and complex as the site allows, and different everywhere. The one password you do have to remember is the master password for the vault, so make that one long, unique and protected by multifactor authentication, because it now unlocks everything else. A useful side effect is that a manager only fills a password on the site it was saved for, so it quietly refuses to hand credentials to a look-alike phishing page.
- Don’t share login credentials or reuse passwords across multiple sites – Make sure users don’t share their login credentials. If a new person needs access to a system, set them up with their own account; shared accounts make it impossible to tell who did what, and impossible to remove one person’s access without resetting everyone’s. When someone leaves your organisation, deactivate all of their credentials promptly and reset any shared or service account passwords they knew. Encourage users not to use the same password across multiple systems. The easiest way to achieve that is a password manager, but people can also have their own system for deriving a different password for each site, as I’ll discuss in the next point.
- Make passwords hard for computers to guess – Length matters more than anything else. Using just upper and lower case letters and digits (62 possible characters), a computer guessing a billion passwords per second would need more than 10 quintillion years to try every random 20-character combination. A random 12-character password still needs about 100,000 years, while a 9-character one can be exhausted in about five months, and a dedicated GPU cracking rig working on a stolen database of fast, unsalted hashes can go hundreds of times faster than that. A 12-character minimum is a sensible standard these days. That sounds unmanageable, but it does not have to be a random jumble of letters, numbers and symbols like f09P$ME5tO83. We are fans of the Dinopass site, which generates passwords that are long but easy to recognise, like sm@llSleep79: 12 characters, but easy to remember. Be aware, though, that a password built from dictionary words with a couple of digits and a letter swapped for a symbol is far weaker than its length suggests, because cracking tools try exactly those patterns first; it is a big improvement on ‘Password1’, not a substitute for a randomly generated one. If someone genuinely will not use a password manager, a fallback is to take a core password like this and prefix or suffix it with something site-specific, such as the first three letters of the site’s name, so that the Amazon password becomes Amasm@llSleep79. That makes every site’s password different and easy to reconstruct from the core password. The catch is that anyone who sees one of them, for example in a breach of that site, can spot the pattern and derive the rest, so treat this as a stop-gap and move people onto a manager with unique random passwords as soon as you can.
- Use multifactor authentication – For a truly ‘belt and braces’ approach, turn on multifactor authentication (MFA, or 2FA for two-factor authentication) on every service that offers it, and make it mandatory rather than optional for email, VPN and administrator accounts. MFA means that the username and password on their own are not enough to log in: the user must also prove possession of something else, typically a code sent to their mobile phone, a code generated by an authenticator app, or a physical security key. An authenticator app is better than SMS, which can be intercepted or redirected by SIM swapping, and a hardware security key (FIDO2/WebAuthn) is better still, because a code typed into a fraudulent login page can be relayed by the phisher within the seconds it remains valid, whereas a security key will simply refuse to sign for the wrong site.
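To make the numbers in the ‘hard for computers to guess’ point concrete, here is an added example (not code from the original post) that computes the keyspace for random passwords of the lengths discussed, the much smaller keyspace a rules-based cracker has to search for a word+word+digits pattern of the sm@llSleep79 shape, and, from the attacker’s side, what one leaked Amasm@llSleep79 gives away about the same person’s other sites. The guess rates, the 20,000-word dictionary and the eight ‘leet’ variants per word are assumptions made for the illustration.

```python
from typing import List

# Assumed guess rates: 1e9/s is the figure used in the text; 1e11/s is roughly what a
# GPU rig achieves against fast, unsalted hashes such as NTLM (assumption for illustration).
SECONDS_PER_YEAR = 365.25 * 24 * 3600
RATE_TEXT = 1e9
RATE_GPU = 1e11

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a truly random password of this length."""
    return alphabet_size ** length

def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def word_pattern_keyspace(dictionary_size: int, leet_variants: int, digit_count: int) -> int:
    """Candidates for 'word + word + digits' with a few symbol substitutions, which is the
    shape of sm@llSleep79 and among the first things a rules-based cracker tries."""
    return dictionary_size ** 2 * leet_variants * 10 ** digit_count

def site_tag(site: str) -> str:
    """The scheme in the text: first three letters of the site name, capitalised."""
    return site[:3].capitalize()

def derive_site_passwords(leaked: str, leaked_from: str, target: str) -> List[str]:
    """Attacker's view: given one password built as tag+core or core+tag, recover the
    core and produce the handful of candidates for another site. [] if no tag matches."""
    tag = site_tag(leaked_from)
    if leaked.startswith(tag):
        core = leaked[len(tag):]
    elif leaked.endswith(tag):
        core = leaked[:-len(tag)]
    else:
        return []
    t = site_tag(target)
    tags = [t, t.lower(), t.upper()]
    # prefix and suffix forms, de-duplicated while keeping order
    return list(dict.fromkeys([x + core for x in tags] + [core + x for x in tags]))

if __name__ == "__main__":
    for n in (9, 12, 20):
        space = keyspace(62, n)
        print(f"{n} random chars (62-char alphabet): "
              f"{years_to_exhaust(space, RATE_TEXT):.3g} years at 1e9/s, "
              f"{years_to_exhaust(space, RATE_GPU):.3g} years at 1e11/s")
    ws = word_pattern_keyspace(20_000, 8, 2)
    print(f"word+word+2 digits pattern: {ws:.2g} candidates, "
          f"{ws / RATE_TEXT / 60:.0f} minutes at 1e9/s")
    print("guesses for eBay from a leaked Amazon password:",
          derive_site_passwords("Amasm@llSleep79", "amazon", "ebay"))
```

The point the output makes is that a 12-character string is only ‘100,000 years’ of work when its characters are independent and random; a two-word pattern with two digits falls into a space of a few hundred billion candidates that the same machine finishes in minutes, and the site-tag scheme reduces every other account to six guesses once one password is seen.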
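The ‘code generated by an authenticator app’ in the multifactor point is a time-based one-time password. The example below is added here (it is not code from the original post) and shows both sides of that exchange as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP): the app’s code generation, the otpauth URI that goes into the enrolment QR code, and a server-side verifier that tolerates one step of clock drift, compares in constant time, and refuses to accept the same code twice. `SECRET` is the RFC 6238 test-vector key, embedded so the example runs offline; a real enrolment would generate a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); real enrolments use a
# fresh random secret per user.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """What the app displays: HOTP with counter = number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)

def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI that is encoded into the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"

class TotpVerifier:
    """Server side. Accepts the current step and `window` steps either side for clock drift,
    and remembers the last step accepted per user so a captured code cannot be replayed."""

    def __init__(self, window: int = 1, step: int = 30, digits: int = 6):
        self.window, self.step, self.digits = window, step, digits
        self.last_step: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, submitted: str,
               unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step.get(user, -1):
                continue  # this step (or an older one) already used: treat as replay
            # constant-time comparison so timing does not reveal how many digits matched
            if hmac.compare_digest(hotp(secret, step, self.digits), submitted):
                self.last_step[user] = step
                return True
        return False

if __name__ == "__main__":
    print(provisioning_uri("ExampleCorp", "alice@example.com", SECRET))
    now = int(time.time())
    code = totp(SECRET, now)
    v = TotpVerifier()
    print("app shows", code, "-> first use accepted:", v.verify("alice", SECRET, code, now))
    print("same code again -> accepted:", v.verify("alice", SECRET, code, now + 5))
```

Note that the verifier accepts a code from the previous or next 30-second step, which is what lets a phone whose clock is a few seconds off still log in, and that the same drift tolerance is exactly why a code relayed by a phishing page within that window will also be accepted: TOTP proves possession of the secret, not that the user is talking to the genuine site.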
Password security is not the most glamorous and exciting area of IT security, but it really is one of the most important things to get right. All the other effort that you put into making your systems secure is wasted if bad actors can simply get access to the key and walk in through the front door. Talk to us today about how we can help you improve all aspects of your IT security.