5 best practices for password security
More and more UK businesses are facing password security breaches – and there are fears world events may lead to a rise in attacks.
According to a new report from LastPass, employees have between 50 and 120 passwords – no wonder we struggle to remember them! Having too many to manage increases the risk of passwords ending up in the wrong hands or being compromised without you knowing.
Read on for some best practices to ensure your employees’ passwords stay secure.
Use a password manager
At Aura Technology, we always say passwords should be longer than eight characters and contain a variety of characters, numbers and special symbols. The best passwords can be difficult to remember, especially if you’re using a unique login for every site (which is recommended), so this is where password managers come in.
A tool like LastPass works across desktops and phones and can create and store strong, lengthy passwords for you. You do need a master password to unlock the rest, but remembering one is much easier than learning 50.
The best way to understand how a password manager works is to imagine your data is locked or encrypted, and you hold the keys – not the service provider. No credible password manager service will ever record your master password or keep a copy of the encryption keys used to decrypt your passwords. In other words, the application has “zero knowledge” of the passwords it stores: it only ever holds the encrypted data.
Read more about the benefits of a password manager in our blog.
Enable two-factor authentication
Two-Factor Authentication (2FA) has become much more popular in recent years, and for good reason – it adds an extra layer of security to passwords. When your employees sign in to an account online, they have to get through an additional step before they can access it. The user receives an OTP (One-Time Password) or one-time code via mobile, email or an app, confirming that it really is the account owner signing in. It may mean it takes them longer to get online, but it prevents hackers from accessing your systems if they already have hold of the password.
Sometimes multi-factor authentication is used instead of two-factor, which just means more than two methods of authentication are required. That might be a password plus a secondary or one-time code. Face ID or fingerprint scans can also serve as an authentication step, since biometrics let a system verify a specific user.
Use passphrases instead of passwords
If your employees struggle to remember passwords, you could recommend they use passphrases. A passphrase is a sequence of several words, with or without spaces. Passphrases are longer yet often easier to remember than a password of random, mixed characters.
We suggest passphrases be at least 4 words and 15 characters in length.
You might create a passphrase by using association techniques, such as using words to describe what you see e.g. “Desk lamp computer mug”.
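As an added illustration (not code from the original post), the following Python checks a password or passphrase against the two thresholds given above and compares the guessing entropy of an 8-character random password with a 4-word passphrase; the 16-entry word list is constructed for the demo, and the 7,776 figure is the size of the EFF long word list.

```python
import math
import secrets
import string

# Thresholds taken from the article: passwords longer than eight characters
# mixing letters, numbers and symbols; passphrases of at least 4 words and
# 15 characters.
MIN_PASSWORD_LEN = 9
MIN_PASSPHRASE_WORDS = 4
MIN_PASSPHRASE_LEN = 15

# Constructed sample word list for demonstration only. Real generators use
# large lists (the EFF long word list has 7,776 entries).
SAMPLE_WORDS = [
    "desk", "lamp", "computer", "mug", "window", "chair", "kettle", "carpet",
    "printer", "plant", "clock", "notebook", "stapler", "monitor", "cable", "pen",
]

def meets_password_policy(pw: str) -> bool:
    """Longer than eight characters and mixes letters, digits and symbols."""
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return len(pw) >= MIN_PASSWORD_LEN and has_alpha and has_digit and has_symbol

def meets_passphrase_policy(phrase: str) -> bool:
    """At least 4 words and 15 characters; words are assumed to be space-separated."""
    words = phrase.split()
    return len(words) >= MIN_PASSPHRASE_WORDS and len(phrase) >= MIN_PASSPHRASE_LEN

def generate_passphrase(wordlist, n_words: int = MIN_PASSPHRASE_WORDS) -> str:
    """Pick words with the CSPRNG-backed secrets module, never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    # 8 random printable ASCII characters vs 4 random words from a 7,776-word list:
    # both come to roughly 52 bits, but the passphrase is far easier to remember.
    print(round(entropy_bits(94, 8), 1), round(entropy_bits(7776, 4), 1))
    # From the 16-word sample list above, 4 words give only 16 bits: list size matters.
    print(entropy_bits(len(SAMPLE_WORDS), 4))
```

The last line is the caveat worth remembering: a passphrase is only as strong as the size of the list its words are drawn from, so a small personal vocabulary of "things on my desk" gives far less than a proper word list.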
Passwords should be changed – but not too often
Some people believe if you have difficult, unique passwords then you don’t ever need to change them, while others think they need to be changed every few weeks.
We recommend changing them every few months. Some software, a Windows login for example, will prompt users to change their password, but you may need to remind your employees to do this for their other accounts.
Changing them too frequently means staff may be likely to write them down or store them somewhere anyone can access them.
Communicate your password security policy
As cybercrime is becoming more and more sophisticated, it’s important that your people are up to date on the latest tactics and how best to keep their devices and data secure.
Part of building that awareness is sharing a written password policy, so the information actually reaches your employees.
You might send pop-up alerts to their desktops with hints and tips about password security, or use emails or social channels to create engaging campaigns about passwords. Don’t forget to make sure password security information is in a prominent place on your intranet too.
For more information about password security or to learn how a managed IT solution from Aura can secure your business, contact us at email@example.com.