The issue of employee passwords is often a challenging one for businesses around the world but can’t be ignored.
According to a report from Verizon, around 81% of hacking breaches experienced by companies are caused by weak or stolen passwords.
Maintaining password policy best practices in your company is essential to help mitigate the risks.
Table of contents
The importance of password security in the workplace
Employee failure to comply with its best-practice password policy can lead to many major issues for companies, including:
- Expensive data breaches
- Loss of sensitive information
- Loss of money
- Account takeovers
- Exposure to destructive malware
- Insider threats
- Reputational damage
- Legal problems
- Failure to comply with regulatory requirements
The report found that 31% use their child’s name or birthday, 34% use their spouse or partner’s name or birthday, 37% use the name of their employer, and 44% reuse passwords associated with both work-related and personal accounts.
The Keeper Security report also found when it comes to enterprise password security, employees aren’t as security conscious as they should be.
Some 57% of employees say they write passwords down on sticky notes, 55% save passwords on their phones, 51% save passwords on their computers, and 49% save passwords to the Cloud. And 62% share their passwords insecurely with unauthorized parties!
The COVID-19 pandemic and the increase of employees working remotely some or all of the time has been exploited by cybercriminals, with password exploitation one of the major challenges during this time.This highlights the need for organizations to have strong password policies in place.
The costs are enormous – according to IBM the average cost of a breach of credentials to a company is around $3.92 million.
10 password policy best practices to implement in your organization
What is a password policy? Basically, it’s a set of rules around passwords your organization can enforce to keep your IT systems and your company’s data safe. Having a strong company password policy in place is one of the first lines of defense your organization has in its fight against cybercrime. It is a fast and easy way to enhance cybersecurity in the workplace.
If your company currently doesn’t have a corporate password policy, it’s time you developed one. And if you do have one already, you should review it to make sure it is up to the task of helping to protect employees against modern cyber threats and update it accordingly.
Some of the best password policy recommendations include:
1. Encourage employees to use unique passwords
It’s strongly encouraged that people use unique passwords for every account that they create. Unfortunately, this isn’t always the case.
A Google Online Security survey found that 52% of people use the same passwords across all accounts.
If a password is breached on one platform, that puts the user at risk of being breached everywhere.
More than 555 million passwords have been published on the dark web since late 2017, which shows the extent of the problem.
2. Insist on complex or long passwords (or both!)
With computers becoming more powerful with higher processing speeds, brute-force attacks where hackers test endless combinations of characters until they find the correct password, have been more and more effective. Your company password policy should require that long and complex passwords are used to access your systems.
According to Scientific American, a 12 character password is 62 trillion times more difficult for cybercriminals to crack than a 6 character one. And the strongest password is a 16 character one derived from a set of 200 characters.
3. Don’t allow employees to reuse passwords
To ensure security, passwords should be used once only. Reusing passwords is problematic if a password has ever been compromised in the past.
4. Passwords should be changed – but not too often
Some experts believe if you have difficult, unique passwords then you don’t need to change them unless compromised. Others believe you should change the password several times a year.
Traditional requirements to change passwords every 30, 60, 90 days have the effect of creating weaknesses in the system, not strengths.
People are less likely to use long and complex passwords if they have to remember a new one every few months. They’re also more likely to write them down or store them somewhere where third parties can access them.
5. Have continuous education and awareness
As cybercrime is constantly evolving and becoming more and more sophisticated, it’s important that your education and awareness campaigns also evolve. Password hygiene education shouldn’t just be a one-time thing: you need to continually remind employees about password security in the workplace and let them know when new threats emerge.
6. Encourage the use of password managers
Because password combinations of complex lower and uppercase characters, special symbols and numbers can be difficult to remember, you don’t want people writing them down or storing them somewhere insecure. A password management system can help. These systems work by storing all the passwords you use and rely on one strong master password to keep them all secure.
7. Re-evaluate the threshold for failed login attempts
Many systems lock accounts when there have been a sufficient number of failed login attempts reached. Often the threshold is quite low and will only seek to frustrate users – particularly if they have legitimately forgotten their long and complex password.
This type of negative experience for the user can lead them to use more easily compromised passwords in the future. So while you shouldn’t get rid of the threshold altogether, you should make it a more reasonable amount of attempts, such as ten, before people are locked out of their accounts.
8. Forbid password sharing
Passwords need to be confidential in order to be effective in guarding sensitive information. Therefore, employees should be prohibited from sharing their passwords with anyone – even colleagues. It’s important that the reasons for this are clearly outlined in your corporate password policy.
9. Enable two-factor authentication
It’s a lot harder to compromise a password if there is a two-factor authentication requirement attached to it. By adding the second factor – such as an SMS being sent to a device with a one-time code that needs to be included in order to proceed – it is much more difficult for hackers to gain access to systems unless they have also managed to steal the device where the authentication is sent.
According to Microsoft, users who have multiple-factor authentication on their accounts are able to block 99.9% of automated attacks.
10. Consider getting rid of passwords altogether
According to the World Economic Forum (WEF), the COVID-19 pandemic has strengthened the case for organizations to ditch passwords completely.
New technologies such as biometrics, device attributes and behavioral analytics can help to validate someone’s identity without the need to type in a password. The WEF says that going “passwordless” will greatly boost security in companies and eliminate the risk of compromised credentials.
How to communicate your corporate password policy
It’s important to communicate your company password policy in a variety of ways to ensure that the information reaches your employees. Messages sent multiple times in different formats are more easily retained.
Consider the following methods when communicating about password security in the workplace:
- Send pop-up alerts to desktops with hints and tips about password security
- Create screensavers and corporate desktop wallpapers with best practice requirements
- Use digital screens in your organization to create engaging and visually appealing campaigns about password hygiene
- Use the corporate login screen, where employees enter their credentials, to deliver information about password security
- Include password hints and tips in your internal newsletter
- Make sure password security information is in a prominent place on your intranet.
- A scrolling ticker can help you to send updates about password requirements or ongoing issues
- Quiz your employees’ password knowledge by running surveys and quizzes to see how much they know.
Passwords for many organizations are the only thing standing between their precious data and criminals having access to it. Keeping abreast of best practice recommendations for creating and maintaining passwords and having a strong password policy can help to minimize the risk of harm.
Frequently asked questions
What are examples of password policies?
Some of the common password policies that companies use include:
- Requiring that passwords contain a mixture of lowercase and uppercase characters
- Passwords need to be a certain length
- Passwords need to contain a mixture of lowercase, uppercase, numbers and special characters
- Passwords need to be changed on a regular basis
- Passwords cannot be the same as a previous password.
What is the recommended password policy?
The recommended best practices for password policy include:
- Requiring a minimum password length
- Establishing a password history policy where at least the ten most recent passwords are remembered and cannot be reused
- Passwords must meet complexity requirements
What is the purpose of a password policy?
A password security policy is a set of rules that dictate the ways passwords must be created in your organization in order to prevent your systems from being compromised and your data stolen. It prevents your users from choosing weak passwords that can be cracked easily.
What is the importance of having a strong password policy?
Having a strong password policy in place in your organization will help to protect your systems and data from a range of different outsider threats and attacks. It will keep you ahead of hackers and bots that have been designed to guess passwords.