Passwords are among the first lines of defense against an attacker reading sensitive information or making unauthorized changes. A password protects you only as long as an attacker cannot guess or recover it, so your business needs clear policies for password testing and management. Even with those policies in place, never rely on the password alone to protect your network or data.
Best Practices That No Longer Apply
Password best practices change like every other part of security, and some advice that was sound several years ago no longer protects you. The 2003 guidance (NIST Special Publication 800-63, Appendix A) told users to pick a word they could remember and replace some letters with symbols, such as swapping “a” for “@.”
That advice was treated as authoritative at the time, but its author, Bill Burr, said in 2017 that it had been a mistake. Password-cracking tools apply exactly these substitutions as “mangling rules” to every word in their dictionary, so a word with a letter swapped for a symbol is guessed only a handful of tries after the plain word itself.
Consider Passphrases Instead of Passwords
NIST's current guidance (Special Publication 800-63B) favors long passphrases over short, complex passwords: choose a phrase that is meaningful enough for you to remember but that others are unlikely to guess, and avoid song lyrics, quotations and other published text, which already appear in cracking wordlists. The same guidance requires systems to accept passwords of at least 64 characters, including spaces, so a passphrase of several words fits without truncation. Length, not symbol complexity, is what raises the cost of guessing.
Use the Initials of a Passphrase
If you do not want to type a whole passphrase, take a phrase you will remember but others will not and use the first letter of each word as the password. Because the result is not a dictionary word, it survives a plain dictionary attack while staying easy to recall. The caveat is that this only works if the phrase is your own: initials of famous quotations, lyrics and slogans are already in cracking wordlists, and an eight- to ten-letter acronym carries far less entropy than a multi-word passphrase, so treat it as a fallback rather than an upgrade.
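To make the passphrase-versus-acronym comparison concrete, here is an added example (not from the original article) that generates a passphrase with a cryptographic random source and puts a number on each approach. The twelve-word list is constructed for the example; a real diceware-style list has 7776 words.

```python
import math
import secrets

# Constructed miniature word list; a real diceware-style list has 7776 (6^5) words.
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "glacier",
            "pencil", "tulip", "anvil", "meadow", "quartz", "lantern"]

def random_passphrase(n_words, wordlist=WORDLIST, sep=" "):
    """Draw n words with the CSPRNG in `secrets` (the `random` module is predictable).
    Spaces in the separator are fine: NIST says verifiers should accept them."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

def passphrase_bits(n_words, list_size):
    """Entropy of n words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)

def acronym(phrase):
    """The first-letter trick from the text."""
    return "".join(w[0].lower() for w in phrase.split())

def acronym_bits_upper_bound(phrase, alphabet_size=26):
    """Generous ceiling for the acronym: every letter uniform over the alphabet.
    The true figure is lower because initial letters of English words are skewed,
    and it collapses to almost nothing if the phrase is a known quotation."""
    return len(acronym(phrase)) * math.log2(alphabet_size)

if __name__ == "__main__":
    print(random_passphrase(6))
    print(round(passphrase_bits(6, 7776), 1), "bits for 6 diceware words")        # 77.5
    print(round(acronym_bits_upper_bound("my dog ate the blue couch in nineteen ninety nine")),
          "bits at most for a 10-word acronym")                                   # 47
```

Six random words from a 7776-word list give about 77.5 bits; the initials of a ten-word phrase cannot exceed 47 bits even under the most generous assumption, and in practice score well below that.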
Consider a Password Manager
People choose weak passwords, or reuse one across accounts, because memorizing a different strong password for every service is impractical. A password manager removes that burden: it generates a long random password for each account and stores it encrypted, so you remember only one master password. This works as well for businesses as for individuals, and the reuse it eliminates is the property that matters most, since a breach at one site otherwise unlocks every account that shares the password. Protect the manager itself with a strong master passphrase and a second factor.
Don’t Require Password Changes
For years it was standard practice to force password changes every 30, 60 or 90 days. NIST SP 800-63B now advises against arbitrary periodic expiry because it lowers security in practice: users respond by recycling an old password or making a predictable tweak to the current one, such as incrementing a digit or changing the season or month. Password-history checks do not stop this, employees work around them, and the result is a set of passwords that obeys the policy yet is easy to derive from any previously cracked version.
The takeaway is to drop fixed-interval expiry and require a change only when there is evidence of compromise: the password turns up in a breach dump, the account shows suspicious logins, or the user reports entering it into a phishing page.
Blacklist Certain Passwords
Guidance has shifted over the years, but one rule has held: stop users from choosing passwords that attackers will try first. A cracking run starts with the most popular passwords, passwords exposed in previous breaches and dictionary words, usually with common substitutions applied. NIST SP 800-63B makes screening a requirement: compare every new password against a blocklist of breached and common passwords, dictionary words, repeated or sequential characters, and context-specific strings such as the username or company name, and reject it automatically if it matches.
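An added example of such a screening check, written for this page rather than taken from the article. It undoes common substitutions before the blocklist lookup, rejects runs and context-specific strings, and performs the breach check the way the Have I Been Pwned range API does it: only the first five hex characters of the SHA-1 digest would ever leave the machine. The denylist, the thresholds and the `SAMPLE_RANGES` table (which stands in for the API response, with a made-up count) are constructed for the example.

```python
import hashlib

# Constructed denylist; in production use a large breach corpus such as the
# Have I Been Pwned list, plus a dictionary and your own company-specific terms.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Undo common substitutions so that "P@55w0rd" is checked as "password".
LEET_BACK = str.maketrans("@4$50137!", "aassoieti")

def canonical(pw):
    return pw.lower().translate(LEET_BACK)

def has_run(pw, n=4):
    """True if `pw` contains n characters in a row that are identical (aaaa)
    or consecutive in either direction (abcd, 4321)."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False

def hibp_prefix_suffix(pw):
    """k-anonymity split used by the Pwned Passwords API: only the first five hex
    characters of the SHA-1 digest are sent; the suffix is matched locally."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[:5], digest[5:]

# Constructed stand-in for the API: what GET /range/<prefix> would return for the
# prefix of "password" (its real suffix with a made-up count, plus two made-up lines).
# In production this is an HTTPS request to api.pwnedpasswords.com/range/<prefix>.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0A0C1B2D3E4F5061728394A5B6C7D8E9FA0:2\n"
             "FFEEDDCCBBAA99887766554433221100FFE:17\n",
}

def breach_count(pw, range_lookup=SAMPLE_RANGES.get):
    """How many times the password appears in breach data (0 if never)."""
    prefix, suffix = hibp_prefix_suffix(pw)
    for line in (range_lookup(prefix) or "").splitlines():
        seen_suffix, _, count = line.partition(":")
        if seen_suffix.strip() == suffix:
            return int(count)
    return 0

def screen(pw, username="", service="acme", range_lookup=SAMPLE_RANGES.get):
    """Return the reasons a password must be rejected; an empty list means accept.
    Mirrors the NIST SP 800-63B blocklist checks."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    canon = canonical(pw)
    if canon in DENYLIST:
        reasons.append("common password (after undoing substitutions)")
    if has_run(pw):
        reasons.append("repeated or sequential characters")
    for ctx in (username, service):
        if ctx and ctx.lower() in canon:
            reasons.append(f"contains '{ctx}'")
    n = breach_count(pw, range_lookup)
    if n:
        reasons.append(f"seen {n} times in breach data")
    return reasons

if __name__ == "__main__":
    for candidate in ("password", "P@55w0rd", "abcd1234", "Acme2024!", "xK9#mQ2vL!pz"):
        print(candidate, "->", screen(candidate, username="jdoe") or "accepted")
```

Note that the check never imposes composition rules (one uppercase, one digit, one symbol): NIST SP 800-63B says not to, because they push users toward exactly the substitutions the attacker's rules already cover.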
Limit Failed Login Attempts
Limit how many failed login attempts can be made in a row. Without a limit, an online brute-force or dictionary attack simply works through a long list of candidate passwords until one succeeds; NIST SP 800-63B caps consecutive failures on a single account at 100. When the limit is reached, slow the attacker down with an increasing delay or require extra verification before the account can be used again. Two caveats: a hard lockout lets an attacker lock legitimate users out on purpose, so prefer backoff over indefinite lockout, and a per-account limit does nothing against password spraying, where one source tries a few common passwords against many accounts, so also limit failures per source address. Tell employees the policy exists so they can get help before they hit the limit.
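The following throttle is an added example, not code from the article: exponential backoff per account combined with a sliding-window limit per source address, with an injectable clock so the behaviour can be checked deterministically. The thresholds (three free attempts, 2-second base delay doubling to a 15-minute cap, 20 failures per source per 10 minutes) are assumptions for the example, not figures from the page.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Throttle failed logins per account (exponential backoff) and per source address.

    Backoff rather than a hard lockout bounds what an attacker gains by deliberately
    failing logins for a victim's account, and the per-source bucket catches password
    spraying, where one source tries a few common passwords against many accounts and
    never trips a per-account limit. Thresholds are assumptions for this example.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 source_limit=20, window=600.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.source_limit = source_limit
        self.window = window
        self.clock = clock                          # injectable for deterministic tests
        self.failures = defaultdict(int)            # account -> consecutive failures
        self.blocked_until = defaultdict(float)     # account -> monotonic time
        self.source_failures = defaultdict(list)    # source -> failure timestamps

    def check(self, account, source):
        """Call before verifying the password. Returns (allowed, seconds_to_wait)."""
        now = self.clock()
        if now < self.blocked_until[account]:
            return False, self.blocked_until[account] - now
        recent = [t for t in self.source_failures[source] if now - t < self.window]
        self.source_failures[source] = recent
        if len(recent) >= self.source_limit:
            return False, self.window - (now - recent[0])
        return True, 0.0

    def record(self, account, source, success):
        """Call after verifying the password, whatever the outcome."""
        now = self.clock()
        if success:
            self.failures[account] = 0
            self.blocked_until[account] = 0.0
            return
        self.failures[account] += 1
        self.source_failures[source].append(now)
        excess = self.failures[account] - self.free_attempts
        if excess >= 0:
            delay = min(self.base_delay * 2 ** excess, self.max_delay)
            self.blocked_until[account] = now + delay

def simulate():
    """Drive the throttle with a fake clock; returns the decisions at each step."""
    now = [0.0]
    th = LoginThrottle(clock=lambda: now[0])
    out = {}
    for _ in range(3):                                   # three wrong passwords at t=0
        th.record("alice", "10.0.0.1", success=False)
    out["after_3_failures"] = th.check("alice", "10.0.0.1")    # (False, 2.0)
    now[0] = 2.0
    out["after_backoff"] = th.check("alice", "10.0.0.1")       # (True, 0.0)
    th.record("alice", "10.0.0.1", success=False)              # fourth failure: 4 s
    out["after_4_failures"] = th.check("alice", "10.0.0.1")    # (False, 4.0)
    for i in range(20):                                  # spray: one source, many accounts
        th.record(f"user{i}", "10.0.0.2", success=False)
    out["spray_blocked"] = not th.check("user99", "10.0.0.2")[0]   # True
    now[0] = 700.0
    th.record("alice", "10.0.0.1", success=True)         # correct password resets backoff
    out["reset_after_success"] = th.check("alice", "10.0.0.1")   # (True, 0.0)
    return out

if __name__ == "__main__":
    for step, decision in simulate().items():
        print(f"{step}: {decision}")
```

In a real login handler the order is `check`, then password verification only if allowed, then `record`; skipping verification while blocked also keeps the attacker from using the hash computation itself as a load amplifier.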
Include Password Auditing
Include password auditing in your policies as a form of testing. The audit is where you confirm that the credential store is in the state your policy assumes: passwords are stored only as salted hashes from a slow, memory-hard function (Argon2, scrypt or bcrypt), never in plaintext or as unsalted fast hashes; the stored hashes are run against a wordlist of common passwords to find users who need a reset; access to the credential store is logged and reviewed; and every record corresponds to an active account, so stale or orphaned entries are removed. Name an owner for the credential store who is contacted whenever the audit finds something unusual.
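An added example of such an audit, not code from the article: it walks a credential store, flags records that are not salted scrypt hashes, flags scrypt records whose cost parameter is below policy, and tries a short list of common passwords against each record. The store, the user names and the policy minimum are constructed for the example; `hashlib.scrypt` is the standard-library function and needs a Python build linked against OpenSSL 1.1 or later.

```python
import hashlib
import hmac
import os
import re

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # policy minimum cost; N=2^14, r=8 uses 16 MiB

def hash_password(pw, n=SCRYPT_N, salt=None):
    """Salted scrypt record in a self-describing format: algorithm and cost
    parameters travel with the hash so they can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(pw.encode(), salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${n}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"

def verify(pw, record):
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, dk_hex = parts
    dk = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

def audit(store, common_passwords):
    """Return {user: [finding, ...]} for every record that violates the policy."""
    findings = {}
    for user, record in store.items():
        issues = []
        if re.fullmatch(r"[0-9a-f]{32}", record):
            issues.append("unsalted MD5 hash; migrate to scrypt or Argon2 at next login")
            # Fast unsalted hashes crack at billions per second; a wordlist finds them instantly.
            for c in common_passwords:
                if hashlib.md5(c.encode()).hexdigest() == record:
                    issues.append(f"cracks instantly: {c!r}")
                    break
        elif record.startswith("scrypt$"):
            n = int(record.split("$")[1])
            if n < SCRYPT_N:
                issues.append(f"scrypt cost N={n} below policy minimum {SCRYPT_N}")
            # Slow hash: only a short list of the most common passwords is affordable per user.
            for c in common_passwords:
                if verify(c, record):
                    issues.append(f"matches common password {c!r}; force a reset")
                    break
        else:
            issues.append("unrecognised record (plaintext?); rotate immediately")
        if issues:
            findings[user] = issues
    return findings

def build_sample_store():
    """Constructed credential store with one record of each kind the audit should catch."""
    return {
        "alice": hash_password("xK9#mQ2vL!pz"),            # compliant
        "bob":   hashlib.md5(b"password").hexdigest(),     # legacy unsalted MD5
        "carol": hash_password("welcome1", n=2 ** 10),     # salted but cost too low
        "dave":  "Summer2024!",                            # stored in plaintext
    }

def run_audit():
    return audit(build_sample_store(), ["password", "123456", "welcome1"])

if __name__ == "__main__":
    for user, issues in run_audit().items():
        print(user, "->", "; ".join(issues))
```

Because scrypt parameters are embedded in each record, the same audit can later flag everything below a raised minimum, and the login path can re-hash a user's password with the new cost the next time it is verified.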
Stay Up to Date on Password and Hacking Technologies
Even the best practices recommended today by leading security firms will very likely be obsolete within years rather than decades, as the fate of the 2003 guidance shows: cracking hardware, GPU and cloud capacity, and the breach corpora attackers draw on improve as fast as any other technology. Make a deliberate effort to track current guidance on creating and managing passwords. That same progress means passwords are never foolproof, which brings us to the crucial final point.
Always Combine with Two-Factor Authentication
Apply all of the policies above, but never let the password be the only thing standing between an attacker and your network or systems. Require a second factor (two-factor or multifactor authentication). The simplest form is a one-time code from an authenticator app entered alongside the password; codes sent by SMS or email also count as a second factor but are weaker, since they can be intercepted through SIM swapping or a compromised mailbox and relayed by a real-time phishing page.
Require this extra step at least for access to sensitive information and for important changes, and preferably for every login. Stronger options are a hardware security key (FIDO2/WebAuthn), which resists phishing because it signs a challenge bound to the legitimate site's origin, and biometrics such as a fingerprint.
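The authenticator-app codes mentioned above are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example written for this page, not code from the article: the generator side that an app implements, and the server-side verification with a skew window, a constant-time comparison and replay protection. It uses only the Python standard library; the shared secret at the bottom is the public test key from the two RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, unix_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(key, int(unix_time) // step, digits)

def verify_totp(key, submitted, unix_time=None, step=30, digits=6, window=1, last_counter=-1):
    """Server-side check. Accepts the current step or its `window` neighbours to absorb
    clock drift, compares in constant time, and refuses any step at or before
    `last_counter` so a captured code cannot be replayed during its validity period.
    Returns the accepted counter (persist it as the new last_counter) or None."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate > last_counter and hmac.compare_digest(
                hotp(key, candidate, digits).encode(), submitted.encode()):
            return candidate
    return None

def new_shared_secret(nbytes=20):
    """Fresh per-user secret, base32-encoded for the otpauth:// URI or QR code an app scans."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()

def secret_from_base32(encoded):
    return base64.b32decode(encoded.upper())

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59))                       # 287082, per RFC 6238
    print(verify_totp(RFC_TEST_KEY, "287082", 59))      # 1 (accepted at counter 1)
    print(verify_totp(RFC_TEST_KEY, "287082", 59, last_counter=1))   # None (replay)
```

The secret must be stored by the server with the same care as a password hash store, and the `last_counter` value must be persisted per user; without it a code phished seconds earlier is still valid for up to a minute, which is exactly why the hardware-key option above is the stronger choice.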