One of the simplest ways you can secure business data, accounts and processes is by implementing a good password policy. Unfortunately, passwords tend to be overlooked as an inconvenience rather than a necessary business practice. We use passwords for all kinds of things in business today. But are they being used in a secure way?
Are your passwords secure?
The first thing to think about is how secure your current passwords actually are. Chances are, they're a lot less secure than you think. If you're using something like "Password01" then you should be thinking about changing your passwords ASAP!
Simple passwords like these are most commonly chosen because they are easy to remember. The problem is that they are also extremely easy to guess, and trying to protect business data with something that's easy to guess isn't any better than not using a password at all.
The first thing I hope you will do after reading this is take a good, long look at the passwords you use in business and determine how secure they really are. Chances are they could use changing. Fortunately, the next section covers how to come up with new ones that are much more secure.
How to come up with effective passwords.
"Password01" is not generally considered a secure password, so here are a couple of things you'll want to keep in mind when coming up with a good one:
- Is it easy to guess? The reason something like "Password01" isn't secure is that it's pretty easy to guess. The number one rule in password security is: don't be easy to guess.
- Don't use personal information in your password. Tying in to the first point of being easy to guess, try to avoid using any personal info in your passwords. This info can include things like names of children/grandchildren, important dates and names of pets. These things can easily be found out about you these days which makes a password that uses these things easier to guess.
- Length > Complexity. While it's ideal to have both, a lengthier password is generally more secure than a complex one. So if a string of random letters, numbers and symbols isn't your thing, try coming up with a password that's a bit lengthier but easier to remember. A password like "62-CableRaceToken" is going to be easier to remember than something like "Yz%8a4Bs". By that same token, however, a password such as ">,uD?yp/54^VJ|F4>" is going to be better than either of the previous two.
- Use a different password for each login. This one is the real kicker. You may have the most complex password in the world, but it will do you no good if you use it for every login you have. Why? Because the moment that password is compromised, an attacker doesn't have access to just one account, website or login but has access to everything. Thus it is extremely important to use a different password for each of your logins. Also, looping back to point 1, try to make them as different as possible from each other. Putting "62-CableRaceToken" for one website and "63-CableRaceToken" for another isn't going to cut it; bad guys these days are smarter than that.
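As an added illustration (not code from the original post), here is a small Python checker that encodes the four rules above; the mini common-password list, the 12-character minimum and the 80% similarity threshold are assumptions chosen for this example, and the pet/child names passed in are constructed.

```python
# Added example, not from the original post: a policy checker for the four rules
# above. The blocklist, thresholds and sample personal info are constructed.
import difflib
import re

# Constructed mini blocklist; a real deployment would use a published breach list.
COMMON_PASSWORDS = {"password", "password01", "123456", "qwerty", "letmein"}


def normalise(pw: str) -> str:
    # Strip digits and punctuation so "Password01" still matches "password".
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(pw: str, personal_info=(), existing=()):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    # Rule 1: easy to guess (appears on a common-password list).
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        problems.append("matches a common password")
    # Rule 2: contains personal information (names, dates, pets).
    for item in personal_info:
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal info '{item}'")
    # Rule 3: length matters most; 12 is an assumed minimum, not from the post.
    if len(pw) < 12:
        problems.append(f"too short ({len(pw)} chars, want 12+)")
    # Rule 4: must not be a near-copy of a password already used elsewhere
    # (catches the "62-CableRaceToken" vs "63-CableRaceToken" case).
    for other in existing:
        ratio = difflib.SequenceMatcher(None, pw.lower(), other.lower()).ratio()
        if ratio >= 0.8:
            problems.append(f"too similar to an existing password ({ratio:.0%})")
    return problems


if __name__ == "__main__":
    samples = [
        ("Password01", (), ()),
        ("Yz%8a4Bs", (), ()),
        ("MaxTheDog2014", ("Max",), ()),               # "Max" is a constructed pet name
        ("63-CableRaceToken", (), ("62-CableRaceToken",)),
        (">,uD?yp/54^VJ|F4>", (), ("62-CableRaceToken",)),
    ]
    for pw, info, used in samples:
        print(f"{pw!r:24} -> {check_password(pw, info, used) or 'OK'}")
```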
Change your passwords regularly!
Now that you've changed your passwords and everything is nice and secure, it's time to set up a schedule for changing them on a regular basis. You may have seen this on some websites, which force you to change your password every so many days. But even for sites and applications that don't require this, it's good practice to change things on a regular basis.
Why? Because the longer a single password remains in use, the likelier it is to be guessed, found or leaked. The security of a password is actually a function of its complexity and the amount of time it's used. The more complex the password is and the shorter the time span it's used for, the better. That's not to say that you need to use a 100-character password and change it every 24 hours (though that would be super secure!), but you should be changing your passwords at least once every 180 days. I know that sounds like a bit of a chore, but if you set things up on a schedule, you can set aside a block of time to get it done (just like taxes, invoicing, bills and everything else).
Never share your passwords.
In the "obvious but glossed over" category this week is a tidbit about not sharing your passwords. If you find yourself sharing passwords with employees (or if employees are sharing passwords with each other) to get things done, then it's likely there's something wrong with the way things are set up. Each person in the business should have their own set of passwords for the things they need access to. This ensures each employee only has access to what they need in order to do their job. It also makes things easier in the event of an employee leaving the company, as you can simply revoke that person's passwords instead of having to change a bunch of them company-wide.
Managing your passwords.
Finally, we come to what is probably the most difficult part of this whole article: Managing your passwords (aka: remembering them). Remember that third password I gave as an example of one that is strong? Yea, me neither. Now try multiplying that by the dozen or so passwords you need and you're going to end up with a heck of a task on your hands.
There are several ways to keep passwords secure and also accessible. Here are a couple of suggestions that might help you out:
1. Use a password manager: There are several different password managers available today. Services like Dashlane, LastPass and RoboForm allow you to put your passwords into a "vault" and then access them when needed by typing in a single "master password". Services like these allow you to cut down on the number of passwords you need to memorize to a single one while still maintaining complex and secure passwords for your logins. The only downside is that you are relying on a third party to store those passwords which could open you up to problems should that company or service suffer security problems of their own.
2. Use Excel: If using a password service isn't your thing you can always create an Excel spreadsheet and keep your logins and passwords in there. Excel files can be encrypted with a master password (just like the password manager above) which will keep your sheet secure. The benefits here are that you maintain full control over your passwords at all times and aren't relying on a third party service to keep them for you. The downsides are that you will need to make sure you keep updated backups available so that you don't lose your sheet and, since Excel is a proprietary file format, you need to actually have a copy of Excel handy to open the file.
3. Keep them manually: Finally, if you want to go old school, there's nothing wrong with keeping them in a journal or other hard-copy medium. This allows you to keep your passwords "offline" and not rely on any software or third-party services and, as long as you can keep your book safe, is probably the most secure way of managing passwords. Unfortunately, this too has downsides. Managing a book can be a lot trickier than other methods, and a book is also a lot easier to physically lose. Still, if you prefer to keep things on your terms, this method is tried and true.
A multi-faceted approach.
As you can see, there is a lot more to passwords than initially meets the eye. At first, it can seem overwhelming but by setting up a system and taking a proactive approach you can mitigate a lot of problems that come from weak password use while also ensuring that your business stays secure.
Want help setting up password and security policies for your company?