No matter how complex and thorough your company's IT security is, human users will always find a way to work around protections. If you don't have a password policy in place, it's difficult to ensure that your employees are making smart choices. One of the biggest problems is password strength, with the majority of employees choosing easy-to-guess passwords and using the same password for everything. Equifax recently hit the headlines when it was revealed that a database could be accessed using the username and password 'admin'. Although it's easy to joke about these instances, this is no different from a company employee using their first name followed by the year and assuming this is sufficient for security. If you want to keep your company secure, creating a password policy and enforcing it is essential.
Creating and Enforcing Password Policy
Decide what is secure
Although the conventional wisdom seems to be that passwords need to be above 8 characters and include a mixture of lowercase, uppercase, numbers and special characters, this often leads users into the trap of thinking 'Pa$$word123' is a strong password. Before creating a company-wide password policy, it's a good idea to make sure you know what a secure password looks like. You can try this quiz to test your knowledge of password strength.
Update passwords frequently
In addition to guidelines on password length, you should also set a time limit on how long employees can keep the same password as part of your password policy. Changing passwords too frequently can be just as problematic as never changing them, as employees might be tempted to switch back and forth between two passwords just to satisfy your password policy.
Decide if password managers are allowed
Some companies swear by password managers as the best way to enforce password policy. While there are many benefits, there’s also the risk that systems could be compromised if one employee’s password manager is breached. If you do decide to use a password manager, it’s important that employees update their access passwords frequently to prevent unauthorised access.
Don’t write passwords down
If your password policy is leading employees to write down long and complicated passwords, it's time to re-think. Employees need to understand that writing down their passwords is in breach of password policy. Passwords should be long, but they should also be memorable. For example, a sentence-based password like 'y3sterd4yicl!mb3dATr33' is very secure, yet far more memorable than a random selection of letters, numbers and punctuation.
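As an added illustration of the "Decide what is secure" point and of the passphrase above (example code, not from the original article), the check below shows that the conventional composition rule accepts 'Pa$$word123' and a first-name-plus-year password can slip past it, while a check that strips trailing digits, undoes common letter substitutions and compares against a blocklist and the user's own details catches both, and the passphrase survives every check. The blocklist, the substitution map and the 14-character minimum are assumptions chosen for illustration.

```python
import re

# Constructed, deliberately tiny blocklist of common base words; a real deployment
# would check against a large breached-password list instead.
COMMON_BASE_WORDS = {"password", "admin", "welcome", "qwerty", "letmein", "company"}

# Common "leetspeak" substitutions that users apply to satisfy complexity rules.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def passes_composition_rule(pw: str) -> bool:
    """The conventional rule: 8+ characters with lower, upper, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalise(text: str) -> str:
    """Reduce a password to its likely base word: drop leading/trailing digits and
    symbols (the '123' in 'Pa$$word123'), then undo common letter substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", text)
    return core.lower().translate(LEET_MAP)


def check_password(pw: str, user_attributes=(), min_len: int = 14) -> list:
    """Return a list of policy problems; an empty list means the password is accepted.
    user_attributes holds things an attacker can look up, e.g. username or first name."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    base = normalise(pw)
    if base in COMMON_BASE_WORDS:
        problems.append(f"built on the common word '{base}'")
    for attr in user_attributes:
        if len(attr) >= 3 and normalise(attr) in base:
            problems.append(f"contains the user attribute '{attr}'")
    if re.search(r"(19|20)\d{2}$", pw):
        problems.append("ends in a four-digit year")
    return problems


if __name__ == "__main__":
    for pw, attrs in [("Pa$$word123", ()), ("Sarah2019", ("Sarah",)),
                      ("admin", ("admin",)), ("y3sterd4yicl!mb3dATr33", ())]:
        print(f"{pw!r}: composition rule={passes_composition_rule(pw)}, "
              f"problems={check_password(pw, attrs)}")
```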