Are Your Password Policies Obsolete? 5 Tips for Better Password Management

Passwords are the primary method of securing online accounts and password policies are put in place to help enforce safe practices. However, with the advancement of technology and the evolution of cyber attacks, traditional password policies may no longer be enough to protect your sensitive information.

Importance of Updating Password Policies in a Business

Companies must set strong password policies to protect emails, workflow accounts and systems as cyberattacks evolve. Password policies are rules and requirements that dictate how employees create, manage and store passwords. Below are some reasons why it is crucial to update password policies in a business.

1. Combat Password Attacks
Cybercriminals can use various methods like brute force attacks, password spraying and phishing emails to steal user credentials. Requiring employees to use strong, unique and complex passwords makes it harder for cybercriminals to guess or crack them, reducing the chances of an attack.

2. Compliance Requirements
Many industries like health care, finance and government have regulatory compliance requirements that mandate password policies. These requirements ensure companies implement a strong security posture to protect sensitive information, such as personal data and financial records. Failing to comply with these regulations can lead to hefty fines, legal penalties and damage to a business's reputation.

3. User Education and Awareness
Password policies not only help to protect the organization, but they also help to educate and raise awareness among employees. Updates can refresh people on best practices, like avoiding common password mistakes, not sharing passwords and using two-factor authentication for added security.

4. Reduce Helpdesk Calls and Costs
Weak passwords and password-related issues can cause an increase in helpdesk calls and costs. Employees may forget their passwords, get locked out of their accounts or change their passwords frequently, leading to frustration and downtime. By implementing strong password policies — such as multi-factor authentication, password managers and password complexity requirements — businesses can reduce these issues, saving time and money.

5 Principles Businesses Can Use to Make Passwords More Effective

Weak passwords or poor password policies can expose organizations to significant risks, such as data breaches and financial losses. To make passwords more effective, companies should consider the following principles.

1. Develop a Strong Password Policy
A good password policy outlines the rules and requirements for creating and managing passwords. It should include guidelines on password complexity, length and expiration. Ensure the password policy is communicated to all employees and enforced consistently. A password policy may include:

• Requirements to use multi-factor authentication (MFA): MFA adds an extra layer of security to online accounts by requiring an additional authentication factor, such as a fingerprint or a code sent to your phone. Implementing MFA can significantly reduce the risk of unauthorized access, even if a password is compromised.
  
  
• Implementation of a password manager: A password manager is an app that helps generate, store and manage passwords for multiple accounts. They can also auto-fill login information and generate complex passwords, reducing the burden of remembering various passwords.
  
  
• How often to update passwords: Regularly updating passwords is crucial for better password management. Encourage your employees to change passwords at least every six months and immediately after any suspicious activity is detected.
  
  
• Avoiding dictionary phrases: Hackers with advanced software may scan through thousands of dictionary phrases in numerous languages. Implementing a requirement to avoid dictionary words can lessen the chance a dictionary attack program would affect your company.
  
  
• Using passphrases: A passphrase is a sequence of words or text that is easy to remember but hard to guess. A passphrase can be just as secure as a complex password but has an edge because some people may find it easier to remember.
  

2. Conduct Regular Security Awareness Training
Educate your employees on the importance of password security, including best practices for creating and managing passwords and common password-related threats like phishing and social engineering attacks.

Even the most advanced cybersecurity solutions aren’t foolproof, and a business’s most crucial line of defense is its employees. A workforce well-educated on password-related cybersecurity issues will be invaluable in protecting your business. Investing in security awareness training can prevent many worse issues in the long run.

3. Monitor for Password-Related Threats
While training employees is an important step, no person is flawless. Malicious actors continue to develop more and more sophisticated social engineering attacks, and even a careful employee can fall victim to their schemes. Implementing cybersecurity automation and monitoring can help catch the threats that employees don’t notice.

Keep an eye out for password-related threats, such as brute-force attacks, password spraying and phishing attempts. Implement monitoring and alerting tools to detect and respond to suspicious activity. Well-trained employees combined with threat monitoring and detection tools are an effective barrier against cyber criminals.

4. Apply Password Encryption
If you’re already using a password manager, it’s likely that the tool is using some form of encryption to protect your passwords. Even if you aren’t using a password manager, implementing encryption on your own servers is crucial to protecting passwords. Using strong passwords won’t matter if attackers manage to find your passwords list.

Encryption hides the true passwords from fraudsters even if they manage to gain access to the database. In its simplest form, encryption uses a code or key to transform the passwords into an unreadable string of characters; even if hackers find the passwords, the only way to decipher the code is to use the encryption key. The best course of action is to think about non-reversible end-to-end encryption.

5. Change Passwords When Employees Leave
Often, dissatisfied former employees become your organization's worst enemy. Former employees who still have access to company passwords and accounts are a common source of insider threats, a particularly difficult form of attack to detect. When employees leave your business, whether on good or bad terms, make it a practice to change their passwords or delete their accounts. Update Password Policies for Your Business

Updating password policies is crucial to protect businesses from cyber threats, comply with regulatory requirements and educate employees. By implementing strong password policies, organizations can reduce the risk of attacks and improve overall security posture.

---

Zac Amos is the Features Editor at ReHack, where he covers cybersecurity topics like email security, phishing, and ransomware. For more of his work, follow him on Twitter or LinkedIn.

The views expressed in this article are those of the author and do not necessarily reflect those of StartMail.