Gone are the days when a good password alone gave you cybersecurity. But if your password is weak, overused or contains personal data, the best cybersecurity system in the world can’t help you. That’s why we’ve put together this password management guide. Use it for yourself, share it with your teams or even create a policy for your business. This password guide outlines what you need to know.
What Makes a Password Strong?
When you are looking to create a new password or update an old one, here are some dos and don’ts to keep them strong.
- DON’T reuse the same passwords on multiple accounts. Make unique passwords for each account.
- DON’T use any part of your name, birthdate, address, pet name or other personal information. Anything that helps you remember your password also makes it easier for others to guess it.
- DON’T use a word or string of words that can be found in the dictionary. This includes using a word or phrase and adding a number to the beginning or end. Hackers have software that can automatically plug in common words from the dictionary in attempts to guess your password.
- DO include at least one UPPERCASE, one lowercase, one number and one special character (e.g., !@#$%^&*()_+). DO this even if the platform doesn’t require it.
- DO use passphrases. These are groups of words with special characters or numbers interspersed to make them non-dictionary terms, but easier to remember. They don’t have to be long. Consider the passphrase “/\Gr8tPw0rd!” It is 12 characters, has upper and lowercase letters, numbers and special characters, without using words found in the dictionary. And it is memorable.
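The dos and don'ts above can be turned into an automated check. This added example (not part of the original guide) flags the violations the list describes: missing character classes, personal data, and dictionary words even when digits are stuck on the front or back. The minimum length of 12 and the tiny word list are this example's own assumptions; a real deployment would load a full dictionary.

```python
import re

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}


def password_problems(password: str, personal_info=(), min_length: int = 12) -> list:
    """Return a list of guideline violations for a candidate password.

    An empty list means the password satisfies every check. The minimum
    length defaults to 12 (the length of the guide's sample passphrase);
    the guide itself states no required minimum.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # At least one of each: uppercase, lowercase, digit, special character.
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # Personal data (name, birth year, pet name...) must not appear anywhere.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal data: {item!r}")
    # Splitting on non-letters isolates each word, so "Summer2023!" still
    # yields "summer": adding digits to the start or end does not help.
    for word in re.findall(r"[a-z]+", lowered):
        if word in DICTIONARY:
            problems.append(f"contains dictionary word: {word!r}")
    return problems
```

The guide's own passphrase "/\Gr8tPw0rd!" passes every check, while "Summer2023!" is rejected for the dictionary word regardless of the trailing digits.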
You may run into advice saying that those last two guidelines aren’t necessary anymore (including specific character types and using passphrases). Even Microsoft recently came out on the side of simplicity, reasoning that long, complex passwords are harder to remember and you’ll be more tempted to write them down or use the same password on multiple sites. But, at Aeko, we still recommend the longer, stronger passwords for two reasons:
- Most cybersecurity frameworks have password requirements that include longer passwords and specific character types. So, if you are in a high-compliance environment, you will need to follow those guidelines.
- Companies like Microsoft are giving the “simpler” advice along with the direction to use multi-factor authentication (MFA). But MFA isn’t an option on all sites and platforms, leaving you with just a weak password for protection.
Once you’ve created the perfect password, there are a few more DON’TS to consider:
- DON’T write it down
- DON’T save it to your browser (in fact, turn your browser’s suggest passwords setting off)
- DON’T save it in a passwords spreadsheet (it isn’t encrypted and it’s the first place a hacker will look if they gain access to your device)
- DON’T save it in Contacts, Notes or any other unencrypted tools
For better ways to manage passwords, check out these Password Management Tools.
When to Change Your Passwords
Change your passwords RIGHT NOW if:
- You’ve been using the same password since you opened an account
- You have the same password for multiple accounts
- Your password doesn’t meet the criteria to make it strong
- You’re concerned it may be compromised
Start with the accounts that you’d lose the most if they were hacked, like your business accounts, bank accounts and your mobile carrier (because your phone provides authentication for many accounts).
Password Management Tools
A password manager is a tool that securely stores all your passwords in one place. You create a “master password” to log in to the manager; then, as you need to log in to other systems, the password manager brings up the relevant credentials for each account. You can even choose to have those usernames and passwords entered automatically by the password manager.
Password managers can also create unique, strong passwords for you. And there’s no need to remember the long character string because the password manager does it for you. From the user’s standpoint, the password manager works a lot like saving passwords to your browser with one HUGE difference: Password managers store your passwords with end-to-end non-reversible encryption.
| Personal | Business / Teams |
| --- | --- |
| Bitwarden | Bitwarden For Business |
| Dashlane | Dashlane For Business |
| Zoho Vault | Zoho Vault Teams |
Password Management for Offices and Teams
As a business owner, IT team or manager, you have the right to require a certain level of password security for your employees’ business accounts. Here are some ways to implement strong passwords in the workplace.
- Train your employees about the need and the dangers. You can of course set up rules for your systems that require strong passwords, but your employees’ personal accounts can put the business at risk as well through phishing and other social engineering attempts.
- Leverage application-side settings that enforce strong passwords. Many business systems and applications allow you to control the parameters users must meet in setting a password.
- Lock out users after a specific number of failed login attempts (e.g., three to five) within a certain time frame (e.g., 12 hours). This helps prevent brute force attacks, where the hacker simply tries password after password hoping to guess the correct one.
- Don’t force general users to change their password every 30, 60 or 90 days. Frequent changes can backfire, with employees choosing weaker passwords or writing them down to remember them. Superusers, system administrators or people handling sensitive data should still be required to change passwords periodically.
- Follow the same strong password guidelines when you are creating initial or one-time passwords for team members. Initial (first-time) passwords are issued when a new user (employee) is set up in your business systems. One-time passwords are usually issued when a user’s password is manually reset because it was lost or breached.
- Require that initial and one-time passwords be changed after login. These passwords are created by another team member and can sometimes be written down, texted or emailed. Requiring that the password be changed after the initial login makes sure that only users know their passwords and wipes away any potential issues with the way that password was communicated.
- Force initial or one-time passwords to expire if they aren’t used in a certain period of time (e.g., 48 hours).
- Create a strict “no-sharing of passwords” policy. Where exceptions are needed for business reasons, make sure passwords are shared through a password manager. Shared passwords should be changed more frequently as well.
- Change, then disable default account passwords. Some systems come with default passwords. When this happens, change the password as soon as the system is installed and configured. Then disable the default password once the admin user passwords have been created. This prevents the default password from leaving a “back door” into your system.
- Store passwords using strong algorithms. Avoid protocols that transmit them in plain text (e.g., FTP, HTTP, SMTP) and algorithms with known security weaknesses (e.g., DES encryption, the MD4 hash algorithm). The best method is non-reversible (one-way) storage, so that even someone who obtains the stored data cannot turn it back into the passwords.
- Set up notifications of a password change or reset and a procedure for users to notify their IT team if they didn’t initiate the change.
- Implement multi-factor authentication across your business. Check out our MFA Guide.
- Change passwords immediately when an employee leaves your business.
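Two of the controls above, lockout after repeated failures within a time window and non-reversible password storage, are shown together in this added example (not the guide's or any product's code). It keeps an in-memory credential store and uses PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count, the five-failure limit and the 12-hour window are this example's choices based on the figures the list gives.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_FAILURES = 5            # lock after five failed attempts...
WINDOW_SECONDS = 12 * 3600  # ...within a rolling 12-hour window
PBKDF2_ROUNDS = 600_000     # work factor chosen for this example (assumption)


def hash_password(password: str, salt: bytes = b""):
    """Return (salt, digest). PBKDF2 is one-way: the store never holds
    anything that can be turned back into the plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Verifies hashed credentials and locks accounts that exceed the failure budget."""

    def __init__(self):
        self.store = {}                      # username -> (salt, digest)
        self.failures = defaultdict(deque)   # username -> timestamps of failures

    def register(self, username: str, password: str) -> None:
        self.store[username] = hash_password(password)

    def is_locked(self, username: str, now: float) -> bool:
        recent = self.failures[username]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'locked' or 'denied'. A locked account is refused
        before the password is examined, so guessing cannot continue."""
        if self.is_locked(username, now):
            return "locked"
        salt, stored = self.store.get(username, (b"", b""))
        # Hash even for unknown users so timing does not reveal valid names.
        _, digest = hash_password(password, salt)
        if stored and hmac.compare_digest(digest, stored):
            self.failures[username].clear()  # a success resets the counter
            return "ok"
        self.failures[username].append(now)
        return "denied"
```

The `now` parameter is passed in rather than read from the clock so the window logic can be exercised deterministically; in production it would be `time.time()`.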
Do you need to set up better password management policies and tools for your business? We’re here to help. Contact us or book an appointment.