Password Management for Business
Norman Begg, Product Manager, my1login
on 02 Sep, 2014
A data security breach isn’t something that only happens to other businesses: tens of thousands of websites around the world are hacked every day, with each breach costing UK SMBs an estimated £35,000 to £65,000. The tools and equipment available to hackers today are far more powerful and sophisticated than before, massively improving the success rate of attacks.
When it comes to business security, individuals are the weakest link. With the trend towards the use of more cloud-based applications, the number of passwords that need to be remembered is ever increasing. It is therefore no surprise that poor password practices by employees represent the main causes of data breaches in business. In fact, 65% of all data breaches are caused by poor password practices or employees being successfully phished for their password details.
With an increasing number of passwords to remember and manage, employees adopt practices that maximise convenience: using simple passwords that are easy to remember, reusing the same password across multiple business accounts, writing passwords down, or storing them on their phone or in spreadsheets. All of these typical practices make a business much more vulnerable to the variety of attack vectors employed by hackers.
What can your business do to mitigate the risk of being hacked due to employees’ weak password practices? Here are my guidelines on how you can keep your business safe through use of strong passwords and good password practice while mitigating the risks of employees being socially engineered.
Make your business passwords strong
- Ensure that business passwords are at least 14 characters long. It may sound excessive, but it is necessary to make passwords difficult for hackers to crack. Mnemonics can be used to help make complex passwords easier to remember, but consider having your employees use phrases instead of short, complex passwords as these are typically more secure and easier to remember.
- Ideally passwords should contain some complexity, such as including uppercase & lowercase letters, numbers and symbols. However, it’s more important to have a longer password than a shorter, complex one.
- Avoid the use of dictionary words or common names, and avoid using any personal information, e.g. dates of birth, pet names, family names.
- Do not replace ‘i’ with a ‘1’, or ‘a’ with a ‘4’, etc. These are well-established password tricks that any hacker will be familiar with.
- Avoid sequences or repeated characters as patterns undermine the strength of passwords.
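The rules above can be enforced automatically when a password is set. The following checker is an added example, not my1login’s code: it applies the 14-character minimum, the dictionary-word rule (after undoing the ‘1’ for ‘i’, ‘4’ for ‘a’ style substitutions the article warns about), the sequence and repeated-character rules, and a check against supplied personal information. The word list and the leet map are constructed assumptions standing in for a real common-password list.

```python
import re

# Constructed stand-in for a real list of common / breached password words.
COMMON_WORDS = {"password", "welcome", "company", "summer", "london", "dragon"}

# Assumed leetspeak substitutions; undone before the dictionary and personal-info checks.
LEET_MAP = str.maketrans({"1": "i", "!": "i", "4": "a", "@": "a", "3": "e",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 14


def _forms(pw: str) -> set:
    """Lower-cased password, both raw and with leet substitutions reversed."""
    lowered = pw.lower()
    return {lowered, lowered.translate(LEET_MAP)}


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 (abcd, 4321)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeat(pw: str, run: int = 3) -> bool:
    """True if the same character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def contains_dictionary_word(pw: str, words=COMMON_WORDS, min_len: int = 4) -> bool:
    """Check raw and de-leeted forms for any listed word of at least min_len."""
    forms = _forms(pw)
    return any(w in f for w in words if len(w) >= min_len for f in forms)


def check_password(pw: str, personal_info=()) -> list:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word (with or without leet substitutions)")
    if has_sequence(pw):
        problems.append("contains a character sequence")
    if has_repeat(pw):
        problems.append("contains repeated characters")
    forms = _forms(pw)
    for item in personal_info:  # e.g. pet name, year of birth, family name
        if len(item) >= 4 and any(item.lower() in f for f in forms):
            problems.append(f"contains personal information: {item}")
    return problems
```

`check_password("P4ssw0rd!")` reports both the short length and the hidden dictionary word; a 16-character random string with no personal information returns an empty list.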
Augment strong passwords with good practice
- Educate your employees to ensure they don’t use the same password on multiple sites.
- Do not allow passwords to be written down or stored in the notes section of phones.
- Do not let employees store passwords in Word or Excel. Even if those files are later deleted there will still be a recoverable imprint of them on the computer, long after it is sold or donated to a recycling company.
- Do not allow employees to email passwords to themselves or each other. Emails can be read by the provider of the service.
- Do not feel the need to regularly change strong passwords. A very strong password that is used for a long time is more secure than a weaker password that is regularly changed for a similarly weak password. Enforcing regular changing of passwords can often result in employees adopting weaker passwords to make them easier to remember.
Educate employees to mitigate the risk of them being socially engineered
Ensure that your employees:
- Do not trust unsolicited emails asking for personal information, or that ask them to click links to then verify sensitive business information. Always visit the website or service directly.
- Never give out password details over the phone.
- Do not use email links to visit banking or other high value websites.
- Be aware of website address changes for sites in which you have to enter private information. If in doubt, don’t enter your details.
- Check for https and the padlock symbol on banking and other secure websites. If it doesn’t have it, don’t use it.
- Always report fraudulent or suspicious emails to the service they purport to be from, forwarding the website address so it can be checked.
- For websites that use anti-phishing images make sure that image is always the same. If it ever changes, you’re not on the legitimate site.
Following these guidelines will help protect your business from suffering a data breach. Encouraging the use of strong passwords and augmenting this with strong password practices from employees will make it extremely difficult for hackers to successfully gain access to business accounts. Training employees in how to spot phishing and social engineering attacks will further mitigate the risk of employees inadvertently handing over sensitive business passwords to hackers.
my1login provides software that enables a business to securely manage its passwords.