Password Security Best Practices for Keeping Your Data Safe

Published January 17, 2017

Strong Passwords are Your First Line of Defense Against Business Cyber Attacks

Good password security can help prevent attacks before they can start. While actively following password best practices can be a little more time consuming and difficult, it is essential. 

A single data breach can cost an SMB thousands of dollars, and the cost rises with the scale of the breach as the full extent of the exposed data becomes clear.

Creating strong passwords is your first line of defense. Basic best practices include:

  • Create strong passwords that meet your organization's password policy;
  • Know when to change passwords and how to maintain a sensible change schedule;
  • Never re-use passwords across different websites or other network services;
  • Never share your password, and never compromise it by writing it down where others can see it.

How to Create a Secure Password

Many software programs come with some built-in fail-safes to prevent poor passwords and encourage stronger ones. In many cases, applications can be configured by the administrator to adhere to specific rules, such as those outlined in the enterprise’s password policy.

Criteria for an acceptable password can include all of the following:

  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Special characters, such as punctuation marks
  • A minimum length, typically eight characters or more

Using each of these criteria, it is possible to create a complex password, and a more complex password will tend to be harder to guess. Length matters most: for a randomly chosen password, each extra character multiplies the number of guesses an attacker needs, while forced character classes add comparatively little. That said, no collection of rules can solve security issues alone: a password that satisfies every rule can still be predictable, and the rules only help if the passwords people actually choose under them are not.

Consider this potential password: Welcome123!

Although this password may seem to meet all the criteria above, it is an extremely weak example. It uses a common dictionary word (Welcome) and several numbers in sequence (123). The capital letter is used where it would “normally” appear, as is the exclamation point.

All of these factors make this password common and obvious – and easy to crack. It’s important to realize that the majority of simple hacking attacks are automated. Against a login page, a “bot” works through a dictionary of common passwords and their predictable variations (Welcome, Welcome1, Welcome123!) across many accounts, hoping to succeed before lockouts or rate limits stop it. Against a stolen database of password hashes, the same dictionary and mangling rules run offline with nothing to slow them down. The more common and predictable a password, the sooner it falls to either approach.

Online guessing is limited by how fast the login service responds, but offline cracking of stolen hashes routinely runs at many millions of guesses per second, and at billions per second against fast, unsalted hashes such as MD5 or NTLM on a single GPU.

When creating a password, also remember:

  • Avoid common words and anything that appears on published lists of the most-used passwords
  • Don’t use characters that are adjacent on the keyboard, such as qwerty or 12345
  • Never use your username, or any variation of it, as your password
  • Never use confidential information like your phone or Social Security number
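The following password check is added here as a worked example and is not code from the original article. It implements the criteria and the “avoid” rules above: the minimum length and character classes, a common-word check that sees through Welcome123!, detection of keyboard and sequential runs such as qwerty or 123, and rejection of the username or a long digit string. The word list, keyboard rows and thresholds are assumptions for illustration; a real deployment would load a published list of breached passwords instead of the handful below.

```python
"""Added example (not code from the original article): a password-policy check
that enforces the criteria listed above and rejects the patterns that make
"Welcome123!" weak. The word list, keyboard rows and thresholds are
illustrative assumptions."""
import re
import string

MIN_LENGTH = 8          # the article's typical minimum; 12 or more is better
RUN_LENGTH = 3          # "123" or "qwe" is already a giveaway (assumption)

# Constructed sample of common passwords / dictionary words (assumption).
COMMON_WORDS = {
    "welcome", "password", "letmein", "admin", "qwerty", "monkey", "dragon",
    "football", "iloveyou", "sunshine", "princess", "login", "summer", "winter",
}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def letters_only(s: str) -> str:
    """Strip digits and punctuation so 'Welcome123!' is compared as 'welcome'."""
    return re.sub(r"[^a-z]", "", s.lower())


def has_run(pw: str) -> bool:
    """True if any RUN_LENGTH adjacent characters walk along a keyboard row
    (qwe, 123, 321) or step through the alphabet/digits (abc, cba, 789)."""
    low = pw.lower()
    for i in range(len(low) - RUN_LENGTH + 1):
        chunk = low[i:i + RUN_LENGTH]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")

    core = letters_only(pw)
    if core in COMMON_WORDS or any(w in core for w in COMMON_WORDS if len(w) >= 5):
        problems.append("built on a common word")
    if has_run(pw):
        problems.append("contains a keyboard or sequential run")
    if username and (username.lower() in pw.lower() or core == letters_only(username)):
        problems.append("contains the username")
    if re.search(r"\d{7,}", pw):
        problems.append("contains a long digit string (phone or SSN-like)")
    return problems


if __name__ == "__main__":
    for candidate, user in [("Welcome123!", "jsmith"), ("JSmith2024!", "jsmith"),
                            ("Correct-Horse-Battery-Staple-7", "jsmith")]:
        print(candidate, "->", check_password(candidate, user) or "OK")
```

Welcome123! passes every character-class rule and still fails the check, which is the point of the example: the complexity criteria alone are not what makes a password hard to guess. The long hyphenated passphrase passes because it satisfies the classes while containing no dictionary word from the list, no runs and no username.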

Know When to Change Your Password

Some businesses require that you change your password on a regular basis – every 30, 60, or 90 days. If any of your enterprise software is configured this way, make sure it’s set up to reject any password that appears in the user’s recent password history. Otherwise, many users will repeat the same passwords over and over, or switch back and forth between two variations.

This common problem is why many experts assert that requiring frequent password changes leads to bad passwords. Users tend to make the smallest change that still conforms with the policy (Welcome123! becomes Welcome124!) so that the password stays easy to remember, and an attacker who knows the previous password can guess the new one in a handful of attempts. This is one of the most common password security mistakes users make.
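The check below is an added example, not code from the original article. It shows how a password-change handler can enforce the history rule described above while also catching the minimal-edit variations that defeat it: previous passwords are kept only as salted PBKDF2 hashes and compared for exact reuse, and the new password is compared against the current one (which the user has just typed to authorize the change) by edit distance and by stripping the digits and symbols people tack onto the ends. History depth, work factor and the similarity threshold are illustrative assumptions.

```python
"""Added example (not code from the original article): a password-change check
that rejects exact reuse of recent passwords and the minimal-edit variations
described above (Welcome123! -> Welcome124!). Previous passwords are stored
only as salted PBKDF2 hashes; the current password is compared in plaintext
because the user has just typed it to authorize the change. History depth,
PBKDF2 work factor and the edit-distance threshold are illustrative assumptions."""
import hashlib
import hmac
import os
import re
from typing import Optional

HISTORY_DEPTH = 10         # previous passwords remembered (assumption)
MIN_EDIT_DISTANCE = 3      # fewer edits than this counts as "the same password" (assumption)
PBKDF2_ROUNDS = 100_000    # assumption; tune upward for production hardware


def hash_password(pw: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) for storage in the history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(pw: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Exact-reuse check: re-derive with each stored salt and compare in constant time."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Undo the usual tricks for satisfying a history rule: case changes and
    digits/punctuation tacked onto either end (Welcome2016! -> welcome)."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def validate_change(new_pw: str, current_pw: str,
                    history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the reasons the change is rejected; an empty list means accepted."""
    problems = []
    if in_history(new_pw, history):
        problems.append("matches one of your recent passwords")
    if new_pw == current_pw:
        problems.append("identical to the current password")
    elif edit_distance(new_pw, current_pw) < MIN_EDIT_DISTANCE:
        problems.append("too similar to the current password")
    elif normalize(new_pw) == normalize(current_pw):
        problems.append("only case or leading/trailing digits and symbols changed")
    return problems


def record_change(new_pw: str, history: list[tuple[bytes, bytes]]) -> None:
    """Store the accepted password's hash and drop entries beyond HISTORY_DEPTH."""
    history.append(hash_password(new_pw))
    del history[:-HISTORY_DEPTH]


if __name__ == "__main__":
    past = [hash_password("Summer2016!"), hash_password("Autumn2016!")]
    for attempt in ["Summer2016!", "Winter2017!", "WINTER-2016", "Correct-Horse-Battery-7"]:
        print(attempt, "->", validate_change(attempt, "Winter2016!", past) or "accepted")
```

The similarity checks only work against the current password, because that is the only old password available in plaintext at change time; the older entries can be checked for exact reuse only, which is why they are stored hashed rather than in the clear.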

For most enterprises, regular password changes are unnecessary and self-defeating.

Instead of mandating that users change their passwords according to an arbitrary time interval, focus on requiring password changes when circumstances warrant. For example, if there’s an attack on the network or if a single team member is hacked, all stakeholders should update their passwords.

Never Re-Use Passwords Across Websites

The average user might log into a dozen websites or more on a regular basis. Storing that many passwords in your brain might seem like a truly mind-boggling proposition. Is it necessary? And even if it’s necessary, is it practical? These complaints are evidence of a real issue.

Unique passwords are important because a single successful hack can spread quickly.

If one system – like email, Facebook, or WordPress – is compromised, the same email and password can be tried against every other service the user is active on, an automated attack known as credential stuffing. When a hacker knows the intended victim’s email and a password he or she reuses, there is no end to the damage potential.

In extreme cases, reusing passwords can destroy your business.
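The detector below is an added example, not code from the original article. It looks for the credential-stuffing pattern just described in authentication logs: one source trying a leaked email/password pair against many different accounts, mostly failing, with any success marking an account whose owner reused a breached password. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Added example (not code from the original article): a detector for the
credential-stuffing pattern described above, run over constructed login-log
lines. One attacker replaying leaked email/password pairs touches many
different accounts from one source with mostly failures; a success in that
stream is an account whose owner reused a breached password. Log format and
thresholds are assumptions."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 sprays six accounts and gets into one;
# 198.51.100.7 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2017-01-16T09:12:01Z login ip=203.0.113.5 user=alice@example.com result=FAIL
2017-01-16T09:12:02Z login ip=203.0.113.5 user=bob@example.com result=FAIL
2017-01-16T09:12:02Z login ip=203.0.113.5 user=carol@example.com result=FAIL
2017-01-16T09:12:03Z login ip=203.0.113.5 user=dave@example.com result=OK
2017-01-16T09:12:03Z login ip=203.0.113.5 user=erin@example.com result=FAIL
2017-01-16T09:12:04Z login ip=203.0.113.5 user=frank@example.com result=FAIL
2017-01-16T09:15:30Z login ip=198.51.100.7 user=alice@example.com result=FAIL
2017-01-16T09:15:45Z login ip=198.51.100.7 user=alice@example.com result=OK
"""

DISTINCT_USER_THRESHOLD = 5   # assumption
FAIL_RATE_THRESHOLD = 0.6     # assumption


def parse_events(log_text: str):
    """Yield parsed events; lines that do not match the expected format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_stuffing(log_text: str) -> dict[str, dict]:
    """Map each suspicious source IP to a summary: how many distinct accounts it
    tried, its failure rate, and which accounts it successfully logged into."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "succeeded": set()})
    for ev in parse_events(log_text):
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["total"] += 1
        if ev["result"] == "FAIL":
            stats["fails"] += 1
        else:
            stats["succeeded"].add(ev["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        fail_rate = stats["fails"] / stats["total"]
        if len(stats["users"]) >= DISTINCT_USER_THRESHOLD and fail_rate >= FAIL_RATE_THRESHOLD:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "fail_rate": round(fail_rate, 2),
                "compromised": sorted(stats["succeeded"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The accounts listed under "compromised" are the ones whose passwords need resetting right away, which is exactly the circumstance-driven password change this article recommends over a fixed schedule. A production detector would also bucket events by time window and allow for many legitimate users sharing one NAT address, which this minimal version does not.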

Of course, most people can’t simply store dozens of complex strings of numbers and letters in their heads. If a password has to be written down in the workplace to be remembered, it is exposed to anyone who walks past the desk. One practical solution for the average person is a password manager.

A password manager stores even the largest and most disparate collection of passwords, and can generate a long random password for each site so that nothing is ever re-used. There is one challenge, however: the user still needs a strong, unique master password to secure that treasure trove of sensitive information, because if the password manager is compromised, every account it organizes is at risk.

Never Share Your Password

Everyone who accesses network resources in the workplace should have their own account and associated password, with privileges sufficient for the data and features that person needs and no more. Sharing passwords with colleagues for any reason opens the entire business up to risk. This is true even when the colleague in question is completely trustworthy: sharing a password with just one person doubles the chances of a simple oversight exposing it, and a shared account makes it impossible to tell from the logs who actually did what.

Passwords should never be written down in notebooks, on Post-Its, or anywhere else left out in the open. It takes seconds for someone to photograph or copy a written password and leave no sign that anything happened. Rather than suspecting theft, most people will assume they simply misplaced the note, which leaves the account open to a breach at any time in the future.

Better Password Security Will Protect Your Business from Potential Data Breach

As so many businesses have learned over the last few years, data breaches can be extremely harmful – and costly. Following password security best practices will keep individual accounts and your network more secure.

Your Managed Services Provider should offer insight into data security best practices. Are you confident your employees are doing everything they can to safeguard your sensitive data?

Stephen Biasotto
sb@pegtec.com

Stephen is the Technical Operations Manager at Pegasus Technologies. Stephen consistently seeks ways to improve the quality of products and services Pegasus offers today while developing the technology Pegasus will offer tomorrow.
