Passwords straddle the line between easy to overlook and vital. They are a crucial part of how modern businesses operate and protect private data, yet at the same time something easily taken for granted day in and day out. This is why it is important for your business to implement a company-wide password best practices policy.
Poorly crafted and poorly kept passwords can cause even the most advanced security programs to be vulnerable. For this reason, maintaining a good password policy is not simply a matter of individuals being careful with their passwords. It needs to be a company-wide culture endorsed and encouraged at every level.
What is a corporate password policy?
A corporate password policy is a set of habits encouraged, if not mandatory, across a company. Ultimately, maintaining a good password policy comes down to good habits and best practices. Much like brushing your teeth or remembering to put on your seatbelt, password best practices should become second nature to all of your information system’s users, especially in the long run.
8 Best practices for your corporate password policy
Effective best practices deal with both passwords and the people who use them. Here are some best practices for you to consider when creating your corporate password policy:
- Encourage complex passwords
Microsoft recommends that you should use multiple character sets when devising passwords. More and more applications request passwords that incorporate lowercase, uppercase, and non-alphanumeric (symbols) characters. Discourage passwords that use common phrases and terms.
- Encourage longer passwords
Longer passwords tend to be more unique and thus more difficult to crack, as each character introduces another variable. Some, like Microsoft, will recommend a minimum of 8 characters, while others may recommend as many as 12 characters.
- Make your passwords unique
A 2019 Google poll found that more than 52% of users admit to reusing passwords. According to the same poll, only 35% use different passwords for different accounts.
Do not reuse passwords for different accounts and applications, especially outside the business. Even the longest, most complex password can be rendered useless if it gets used more than once and with an application or account that has been compromised. By using unique passwords for every account, the damage can be minimized even if the account is breached.
- Consider two-factor authentication
Two-factor authentication may not be as foolproof as it once was, but it is still a serious roadblock requiring effort from cybercriminals to get around. Two-factor authentication can come in various forms including confirmation texts, one-time-passwords, biometrics, or even a physical fob key. Choose the method that best suits your organization.
- Change passwords
According to some experts, longer and more unique passwords mean they do not need to be changed unless you suspect they have been compromised. Other experts argue for multiple password changes a year, at intervals of 30, 60, or 90 days. The key is likely somewhere in between, depending on the security needs of your organization. Too frequent password changes have a tendency to discourage employees from making unique passwords. It would also encourage employees to store or write down passwords where they can be stolen or copied.
- Consider password managers
Because more complex passwords are safer passwords, coming up with and remembering them can be taxing. This is why you should encourage employees to use password manager systems, if not implement them yourself across your business. Password managers can save passwords securely, enter them into accounts for you, and generate new ones.
- Recognize phishing scams
Learn to be wary of fishing links disguised as legitimate websites. These can appear on social media, messaging apps, or emails. Some websites can automatically download malware onto your device without your permission, whether you give them your personal information or not. The remedy is to avoid clicking on links from emails and text messages unless you are certain of the source and its security. Even then, if anything strikes you as suspicious, it does not hurt to double-check with the sender.
- Educate your employees
Invest in programs to train and educate your employees in password best practices like the ones listed above and how to avoid bad habits. The same training would also teach employees how to recognize scams and phishing attempts. Make sure to continuously maintain such programs, both to educate new employees and to update all employees of new threats.
By incorporating these best practices into your corporate password policy, you will encourage a healthy password culture across your organization.
Connect with PCA to learn how our comprehensive solutions can secure your systems from cyberattacks and more.