“123456”: that is the password found in 23.2 million breached accounts, according to a 2019 analysis of breach data. A further 7.7 million accounts used “123456789” and 3.6 million used “password”.
Attackers are already good at what they do, and passwords like these make the job trivial. Cybercrime as a whole is projected to cost the world $6 trillion a year by 2021.
So there is no better time than now to adopt the password best practices below. Otherwise you risk joining the 43% of SMBs that suffered a data breach in 2019.
So, ready to revamp your digital security protocols through the best password practices? Then let’s get right into it!
Educating and Spreading Awareness About the Threats of Poor Passwords
Cybercrime has become the fastest-growing category of crime in the US. With nine in ten US adults now online, that is 90% of the adult population within reach of attackers.
Cloud exposure grows alongside it, as more firms move systems to the cloud: a cloud account protected by nothing more than a weak or reused password is reachable from anywhere on the internet. Without proper data security, businesses run a serious risk of breaches.
Either way, most breach victims end up with lost, altered, or destroyed data. Their personal and sensitive data can also end up for sale on criminal markets and be used by identity thieves.
Hackers can also use stolen banking details for their own financial sustenance. In fact, fraud through identity theft has become the most common form of fraud in the US. In 2019, the Federal Trade Commission alone received over 1.7 million fraud reports.
Identity theft aside, hackers also resort to embezzlement and other forms of fraud. Stolen intellectual property, lost productivity, and reputation damage can then follow. All that should be enough to put your employees on their guard.
An even bigger “motivation”, however, would be the possibility of cybercrime litigation. If your clients’, partners’, or suppliers’ data get stolen too, your company is at risk of lawsuits. This is especially true if you don’t have cybercrime insurance.
That’s why you need to educate your employees about all these threats. This is the first key step when it comes to implementing password policy best practices. If they know what they’re up against, they will be more inclined to follow password protocols.
Creating Less Easy-To-Crack Passwords
Internet-connected systems come under attack roughly every 39 seconds on average, and an automated guessing attack succeeds almost instantly against an account whose password is “password”. That is why everyone at work needs passwords that resist guessing.
Length is what matters most: a password should be at least eight characters, and preferably twelve or more, since every extra character multiplies the number of guesses an attacker needs. Mixing upper and lower case letters, digits, and special characters helps too, but it does far less than length, and it is no substitute for avoiding the common and personal patterns covered next.
Avoiding Vulnerable Passwords
You should also teach your people what makes a password “crackable”. Sequential digits (as in 123456), keyboard walks (qwerty), and passwords built from birthdays or the user’s own name fall in the first seconds of an attack, because cracking tools try exactly those patterns first.
Any information that is publicly known about the user (yes, including their kids’ names, pets, and employer) should not appear in a password.
Setting Unique Passwords for Each Account
On average, a tech user handles 27 different discrete online logins. Emails, social media accounts, banking apps — you name it, all these come paired with a login credential. What’s uncertain, however, is if these logins have different passwords.
According to another study, the average employee deals with at least 191 passwords. 191! That’s no doubt too many to remember, which is why most would rather use the same passwords.
This practice is bad for business, because an attacker then needs only one password. A password leaked from any single site, often in a breach the employee never hears about, opens every account where it was reused; attackers automate this with lists of leaked credentials, a technique known as credential stuffing.
That’s why your people should use unique passwords for each account. Meaning, they should have one for their computer and another for each of their email accounts. They should also have a different password for their company platform login credentials.
This helps minimize risks in case one account does get compromised. The more varied passwords are, the fewer accounts that a hacker can get into.
Verifying That Your People Really Have Secure Passwords
The key concern that many people have over complex passwords is that they’re hard to remember. In fact, a study found that one in five users forget their passwords within just a couple of weeks. It’s worse for others, with one in four having trouble recalling a password at least once a day.
That’s why, despite knowing the risks, they still use insecure passwords. As such, it’s still possible that some of your employees are being too lax on their security.
To stop them, enforce the rules with a password strength verifier at the point where passwords are set. These tools score a candidate password against defined metrics and reject any that fall short, so a weak password never gets created. The most valuable check is against lists of passwords exposed in earlier breaches, since attackers try those first; good tools also reject passwords that contain the user’s own name or username.
Making Complex Passwords Easier to Remember
To make complex passwords easier to remember, build them from a phrase or sentence, then swap some letters for numbers or special characters.
Say the phrase is “I am this PC’s user”; the password could then be “1@mth1sPC$uS3r!”. That is far harder to guess than “I am (insert your employee’s name here)”. Be aware, though, that cracking tools apply exactly these substitutions (1 for i, @ for a, $ for s) as standard rules, so the strength comes mostly from the length of the phrase, not from the swaps. A longer passphrase of several unrelated words is stronger still and easier to type.
Automating Password Changes
Do not rely on forced monthly password changes. Current guidance (NIST SP 800-63B) recommends against routine expiry, because people respond with predictable edits such as Summer2023 to Summer2024, which cracking tools anticipate. Instead, require a change when there is evidence of compromise: the password turns up in a breach dump, the account shows suspicious logins, or an employee leaves a role that used shared credentials. An identity management system can automate these triggered resets and, just as importantly, reject a new password that is merely a small edit of the old one.
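The checks described in the last few sections (length, character variety, sequential runs, personal information, a known-weak blocklist, and similarity to the previous password) fit naturally into one verifier. The following is an added example written for this page, not a tool the page or any vendor ships. The blocklist is a constructed stub standing in for a real breached-password list, the twelve-character minimum is this example's assumption (the page's floor is eight), and the leetspeak table covers the substitutions crackers undo first.

```python
"""Password-policy checker.

Added example (not a tool from the page or any named vendor) covering the
rules discussed above: minimum length, character variety, sequential runs
and keyboard walks, personal information, a blocklist of known-weak
passwords, and similarity to the previous password. The blocklist is a
constructed stub; a real deployment loads a large breached-password list.
"""
import re
import unicodedata

# Constructed stub; real blocklists hold hundreds of millions of entries.
KNOWN_WEAK = {"123456", "123456789", "password", "qwerty", "111111", "password1", "iloveyou"}

# Substitutions crackers undo first: leetspeak digits and symbols -> letters.
LEET = str.maketrans("0134578@$!", "oieastbasi")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def normalize(text):
    """Lower-case, undo leetspeak and drop punctuation, so P@ssw0rd! compares as 'passwordi'."""
    folded = unicodedata.normalize("NFKC", text).lower().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", folded)


KNOWN_WEAK_NORM = {normalize(p) for p in KNOWN_WEAK}


def has_sequence(password, run=4):
    """True for runs like 'abcd' or '4321' and keyboard walks like 'qwer' or 'poiu'."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and diffs in ({1}, {-1}):
            return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in low or piece[::-1] in low:
                return True
    return False


def levenshtein(a, b):
    """Edit distance; inputs are short, so the simple O(len(a)*len(b)) version is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(new, old, max_ratio=0.5):
    """Flag Summer2023 -> Summer2024 style edits after normalizing both sides."""
    a, b = normalize(new), normalize(old)
    if not a or not b:
        return False
    return levenshtein(a, b) / max(len(a), len(b)) < max_ratio


def check_password(password, user_facts=(), previous=None, min_length=12):
    """Return a list of policy violations; an empty list means the password is acceptable.

    user_facts: strings known about the user (name, username, birth year, kids' names).
    previous:   the user's current password, to reject near-duplicates on change.
    min_length of 12 is this example's assumption; the page's floor is eight.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    # Composition rules add little once a password is long; waive them at 16+
    # characters so that multi-word passphrases are not rejected.
    if classes < 3 and len(password) < 16:
        problems.append("uses fewer than three character classes")
    norm = normalize(password)
    if norm in KNOWN_WEAK_NORM:
        problems.append("appears on the known-weak password list")
    if has_sequence(password):
        problems.append("contains a sequential run or keyboard walk")
    for fact in user_facts:
        f = normalize(fact)
        if len(f) >= 3 and f in norm:
            problems.append(f"contains personal information ({fact!r})")
    if previous is not None and too_similar(password, previous):
        problems.append("too similar to the previous password")
    return problems
```

Normalizing before the blocklist and similarity checks is what makes the verifier catch “P@ssw0rd!” as a variant of “password1” and “Summer2024!!” as a small edit of “Summer2023!!”, which a literal string comparison would miss.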
Setting up Multi-Factor Authentication (MFA)
Passwords, however good, can still be phished, guessed, or stolen by malware on an employee’s machine. A password on its own is therefore a single point of failure.
To lower this risk, set up multi-factor authentication (MFA) on all company accounts and devices. MFA means proving identity with two or more independent factors: something you know (the password), something you have (a phone or hardware token), or something you are (a fingerprint or face). Two-factor authentication (2FA) is simply MFA with exactly two factors, not an older or weaker system.
Your employees still key in their usual username and password. After that, MFA asks them to complete one or more additional verification steps.
The most common is a one-time code from an authenticator app on their smartphone, or one delivered by text message; app-generated codes are stronger than SMS codes, which can be intercepted or redirected by SIM swapping, and hardware security keys are stronger still. A fingerprint or facial recognition on the device is another option. Note that a security question is not a second factor at all: it is just another thing the user knows, and often something an attacker can look up.
The more independent factors there are, the harder it is for an attacker to get in. They may well obtain the password, but reproducing a fingerprint or a token they do not hold is a different matter.
Keep in mind that many of these criminals are opportunists. They target anyone, but they’re more likely to prioritize those who make their work a lot easier.
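The smartphone code mentioned above is usually a time-based one-time password (TOTP, RFC 6238): a six-digit code derived from a shared secret and the current 30-second time step. The block below is an added example, not code from the page or from any authenticator product. It generates codes and, more importantly, shows the server-side checks a practitioner wants: a small window for clock skew, constant-time comparison, and refusal to accept a code at or before a time step that has already been used, which blocks replay of a code captured seconds earlier. The demo secret is the RFC 6238 reference key, and `from_base32` is a helper assumed here for the base32 form that enrollment QR codes carry.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example of the smartphone-code factor described above; not code from
the page or any named product. Secrets are raw bytes; authenticator apps
exchange them base32-encoded at enrollment, hence from_base32().
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (the common default)
DIGITS = 6   # code length shown to the user


def from_base32(text):
    """Decode a base32 secret as shown in enrollment QR codes; padding and spaces optional."""
    clean = text.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=STEP, digits=DIGITS):
    """The code an authenticator app shows at for_time (defaults to now)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


class TotpVerifier:
    """Server side: accept codes within +/- window steps to tolerate clock skew,
    and never accept the same or an older step twice, which blocks replay of a
    code that was phished or shoulder-surfed moments earlier."""

    def __init__(self, secret, window=1, step=STEP, digits=DIGITS):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest time step already consumed for this user

    def verify(self, code, now=None):
        if now is None:
            now = time.time()
        counter = int(now // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used, or older than a used code: treat as replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


# Constructed demo using the RFC 6238 reference key (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at T=59:", totp(DEMO_SECRET, 59))                     # 287082 per RFC 6238
    v = TotpVerifier(DEMO_SECRET)
    print("first use:", v.verify(totp(DEMO_SECRET, 59), now=59))      # True
    print("replay:   ", v.verify(totp(DEMO_SECRET, 59), now=59))      # False
```

The `last_counter` state must live per user in persistent storage, not in process memory, or a restart or a second server behind a load balancer reopens the replay window.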
Minimizing Log-In Attempts
Since it is so easy to forget passwords, some people will need several tries to get into their accounts. That is fine, but limit the number of attempts, because an attacker posing as an employee relies on being able to guess without limit.
Configure company devices and accounts to lock temporarily after a set number of consecutive failures, for example three to five. Prefer a temporary lock or a growing delay over a permanent one: if three failures lock an account until an administrator intervenes, an attacker can lock out your whole staff simply by guessing wrong on purpose. Alert on lockouts as well, because a burst of them is itself a sign of an attack.
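The lockout rule above, written out so the trade-offs are visible. This is an added example, not code from the page or any product; the thresholds (three failures per account, twenty per source address, a 60-second lock that doubles on each repeat up to an hour) are assumptions chosen for illustration. Counting per source address as well as per account catches password spraying, where an attacker tries one guess against many usernames and so never trips a per-account limit.

```python
"""Failed-login throttling with temporary, escalating lockouts.

Added example of the attempt limit described above; not code from the page
or any named product. Failures are tracked per account and, with a higher
threshold, per source address, so a password-spraying attacker rotating
usernames is still caught. Locks expire on their own and double on each
repeat, so an attacker cannot permanently lock staff out by guessing wrong.
"""
import time
from collections import defaultdict


class LoginThrottle:
    def __init__(self, max_failures=3, ip_max_failures=20, window=900,
                 base_lockout=60, max_lockout=3600):
        self.limits = {"user": max_failures, "ip": ip_max_failures}
        self.window = window                # seconds over which failures are counted
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires
        self.strikes = defaultdict(int)     # key -> lockouts so far, drives the backoff

    @staticmethod
    def _keys(username, source_ip):
        return (("user", username.lower()), ("ip", source_ip))

    def is_locked(self, username, source_ip, now):
        return any(self.locked_until.get(k, 0) > now for k in self._keys(username, source_ip))

    def _record_failure(self, username, source_ip, now):
        for key in self._keys(username, source_ip):
            recent = [t for t in self.failures[key] if now - t < self.window]
            recent.append(now)
            if len(recent) >= self.limits[key[0]]:
                self.strikes[key] += 1
                delay = min(self.base_lockout * 2 ** (self.strikes[key] - 1), self.max_lockout)
                self.locked_until[key] = now + delay
                recent = []          # count afresh once the lock expires
            self.failures[key] = recent

    def _record_success(self, username):
        # Only the account's own counters reset; the source address keeps its
        # history, so one lucky guess does not wipe a spraying attacker's slate.
        key = ("user", username.lower())
        self.failures.pop(key, None)
        self.strikes.pop(key, None)

    def attempt(self, username, source_ip, password_ok, now=None):
        """Gate one login. Returns (allowed, reason), reason in {'ok', 'bad_password', 'locked'}.

        password_ok is the outcome of the real credential check. While locked it is
        ignored; in production skip the credential check entirely during a lock so the
        attacker learns nothing from response timing.
        """
        if now is None:
            now = time.time()
        if self.is_locked(username, source_ip, now):
            return False, "locked"
        if password_ok:
            self._record_success(username)
            return True, "ok"
        self._record_failure(username, source_ip, now)
        return False, "locked" if self.is_locked(username, source_ip, now) else "bad_password"
```

A real deployment keeps this state in a shared store (the login endpoint is usually replicated) and emits an event on every lockout for the monitoring described later in this article.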
Restricting Access to Sensitive Databases
Restrict access to databases that house private and banking information. These include social security numbers and banking details. Just as private, however, are home addresses and personal phone numbers.
By restriction, we mean allowing only the people who need it for their job to reach these databases, each with their own account rather than a shared login. The fewer people with access, the smaller the chance that a stolen credential exposes the data, and individual accounts mean you can tell who did what if something goes wrong.
Grant access based on role, not seniority: a department manager who never touches the data needs no login to it. Re-evaluate the access list regularly and confirm whether, and why, each person still needs it.
Changing the Passwords of “Privileged Accounts” More Often
Privileged accounts are those with elevated rights: the administrator accounts for the databases above, domain or cloud administrators, and service accounts. For these, rotate the password every time someone has used it, ideally through a privileged access management vault that checks the credential out to a named person and changes it on return. That way a copied privileged password stops working almost immediately.
This may seem tedious, but if you have a managed IT solutions team, this will be a breeze.
Keeping Up to Date on Password-Related Activity
You should also keep an eye on all activities that occur within your company’s databases. This is especially true for attempted and successful log-ins to privileged accounts.
Start by enabling authentication logging across your network and collecting it in one place. Go for tooling with real-time alerting on failed and successful logins to privileged accounts as well as daily reporting. The reports tell you which accounts were accessed, from where, and by whom.
By having access to such information, you’ll know who to get in touch with if a problem occurs. This will then help save you time as you no longer have to interview each of your employees.
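What “keeping an eye on log-ins to privileged accounts” looks like in practice is a few detection rules run over the authentication log. The block below is an added example, not code from the page or any monitoring product. The log lines are constructed in an sshd-style format, the list of privileged account names is an assumption, and the three rules are the ones a responder wants first: a burst of failures against one account, a success immediately after such a burst, and a privileged login from a source that has never been seen for that account.

```python
"""Detection over authentication log lines.

Added example for the monitoring described above; not code from the page
or any named product. The log lines below are constructed in an
sshd-style format; real collection would read from syslog or a SIEM.
Rules: a burst of failures for one account (brute force), a success right
after such failures (a guess that landed), and a privileged account
logging in from a source never seen before.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
PRIVILEGED = {"root", "admin", "dba"}   # assumed list of high-value accounts

# Constructed sample, not real logs.
SAMPLE_LOG = [
    "2024-03-04T09:12:01+00:00 db01 sshd[4021]: Failed password for admin from 203.0.113.7 port 51012 ssh2",
    "2024-03-04T09:12:04+00:00 db01 sshd[4021]: Failed password for admin from 203.0.113.7 port 51013 ssh2",
    "2024-03-04T09:12:07+00:00 db01 sshd[4021]: Failed password for admin from 203.0.113.7 port 51014 ssh2",
    "2024-03-04T09:12:11+00:00 db01 sshd[4021]: Failed password for admin from 203.0.113.7 port 51015 ssh2",
    "2024-03-04T09:12:15+00:00 db01 sshd[4021]: Failed password for admin from 203.0.113.7 port 51016 ssh2",
    "2024-03-04T09:12:20+00:00 db01 sshd[4021]: Accepted password for admin from 203.0.113.7 port 51017 ssh2",
    "2024-03-04T09:13:02+00:00 db01 sshd[4030]: pam_unix(sshd:session): session opened for user admin",
    "2024-03-04T09:15:44+00:00 web02 sshd[2210]: Accepted password for alice from 198.51.100.4 port 40022 ssh2",
    "2024-03-04T09:20:10+00:00 db01 sshd[4102]: Accepted password for dba from 10.0.0.12 port 51500 ssh2",
]


def parse(lines):
    """Yield structured login events; lines that are not login results are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
                   "user": m["user"], "ip": m["ip"]}


def detect(lines, max_failures=5, window_s=300, known_sources=()):
    """Return (rule, user, ip) alerts for the given log lines.

    known_sources: (user, ip) pairs already established as normal for privileged accounts.
    """
    alerts = []
    failures = defaultdict(list)       # user -> timestamps of recent failures
    seen = set(known_sources)
    for ev in parse(lines):
        user = ev["user"]
        if not ev["ok"]:
            recent = [t for t in failures[user] if (ev["ts"] - t).total_seconds() < window_s]
            recent.append(ev["ts"])
            failures[user] = recent
            if len(recent) == max_failures:        # alert once per burst, not on every further failure
                alerts.append(("brute_force", user, ev["ip"]))
            continue
        if failures[user]:                          # a success on the heels of failures
            alerts.append(("success_after_failures", user, ev["ip"]))
            failures[user] = []
        if user in PRIVILEGED and (user, ev["ip"]) not in seen:
            alerts.append(("privileged_login_new_source", user, ev["ip"]))
        seen.add((user, ev["ip"]))
    return alerts


def run_sample():
    """Run the rules over the constructed sample; dba from 10.0.0.12 is a known pairing."""
    return detect(SAMPLE_LOG, known_sources={("dba", "10.0.0.12")})
```

The “success after failures” rule is the one that turns a noisy brute-force alert into an incident: five failures followed by an accepted login for `admin` from the same address means the attacker is now inside, and that account’s password needs rotating immediately.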
Investing in Managed IT Solutions for More Secure and Manageable Passwords
As a business owner, you already have a lot of repetitive admin tasks on your plate. These tasks, by the way, cost employers around the world $5 trillion in lost productivity each year. While you should educate your people about security, you likely don’t have time for even more IT tasks.
Managed IT service providers can help you establish your overall security protocols. They can help you curate an effective workplace password policy. They can also teach your people the password best practices they should observe.
These IT specialists also offer more than a break-fix approach. After all, their goal is to prevent the “breaks” from happening in the first place.
In this way, they allow you to be as productive as possible, with fewer worries about getting hacked. You can hire them for every IT-related aspect of your business, or you can choose them solely for IT security.
One way that these IT pros can help is by setting up your network and systems with password protection. You can have them install or even create a custom password verification tool. You can also delegate the task of password renewal and MFA activation to these experts.
Moreover, your dedicated IT security team will carry out activity monitoring for you. They’ll keep track of everyone who accesses databases and monitor suspicious activities. Through constant tracking, they can prevent breaches before they happen.
While they aim to prevent disasters, they know that there’s still a risk of such events happening. That’s why IT managers will also help you enforce a disaster recovery and data backup plan. With this policy in place, you have higher chances of restoring your business back to normal.
Observe and Implement These Password Best Practices Now
There you have it: the password best practices to enforce as soon as possible. Start now, since password guessing is not your only cybercrime risk. Ransomware, for instance, is estimated to hit a business every 14 seconds.
That said, the longer you put off upping password security, the higher your risks are. Whereas the sooner everyone follows these practices, the safer everyone’s data will be.
Ready to make your company’s digital environment safer? Then please feel free to get in touch with us now! We here at IMPACT will be happy to answer any IT security questions you have.