A strong password policy is essential for any organization that wants to protect its data and systems. Such a policy sets out what an acceptable password looks like (above all, how long it must be), forbids passwords that are easy to guess or already known from breaches, requires that passwords not be reused across accounts, and says when they must be changed. Current guidance (NIST SP 800-63B) is to require a change when a password is known or suspected to be compromised rather than on a fixed calendar, because forced rotation tends to produce predictable variations of the old password.
A policy that also requires users to follow supporting practices, such as enrolling in multi-factor authentication (MFA), makes a stolen or guessed password far less useful to an attacker. Finally, a process that lets users reset forgotten passwords without opening the door to account takeover (identity verified through a second factor or an out-of-band code, never the old password emailed back) is invaluable, both day to day and during a breach.
A strong password policy is one of the most effective ways to reduce unauthorized access to an organization’s networks and keep its confidential information safe.
Best practices for creating a strong password policy
Here are some best practices that should be followed when creating a strong password policy:
- Require a minimum length, and favour length over complexity. NIST SP 800-63B requires at least 8 characters for user-chosen passwords and recommends accepting at least 64; many organizations set 12 or more. Mixed case, digits and symbols are commonly required as well, but a long passphrase beats a short complex string, and new passwords should be screened against lists of breached and commonly used passwords. The exact numbers will depend on what each system can enforce.
- Require a password change when there is evidence or reasonable suspicion of compromise, not on a fixed 6-to-12-month schedule; NIST SP 800-63B advises against routine forced rotation. Never ask staff to hand their passwords to the vCIO, CIO or IT department: administrators reset passwords, they do not collect them, and a password known to more than one person is no longer a secret.
- Require multi-factor authentication for access to sensitive information or systems, and prefer phishing-resistant factors such as FIDO2 security keys where the risk warrants it.
- Provide guidelines for creating strong passwords and best practices for maintaining them, including the use of a password manager.
- Clearly outline the consequences of weak password security, such as unauthorized access or data loss.
- Ensure that users can reset forgotten passwords securely: verify identity through a second factor or an out-of-band code, and never send a password by email. If passwords are stored only as salted hashes, as they should be, the system cannot recover the old one anyway.
Implementing the policy
Training employees on the new policy should cover the password requirements, best practices for creating and maintaining passwords, and the consequences of violating the policy. The policy should also be built into onboarding so that new employees know about it from day one.
Regular monitoring and enforcement is what makes the policy effective. This can include routine password audits (for example, authorized staff running a cracking tool against a copy of your own directory’s password hashes, or screening accounts against breach lists), verifying that every account, not merely every machine, has MFA enrolled, and ultimately disciplinary documentation for employees who do not comply.
Be sure that any disciplinary action you take is documented in an employee handbook so employees know what to expect if they don’t follow the rules. You’ll need to apply the same series of actions for every staff member who fails to comply, and you should have a member of your human resources team involved anytime you enforce your write-up process.
What are some tools and resources for password management?
Password management can feel overwhelming. Fortunately, there are tools you can use to make the process simpler. Some of these resources include:
- Password managers such as LastPass, 1Password, Dashlane, and Keeper, which also generate long random passwords so users never have to invent them (Norton Identity Safe, often listed as a generator, is now Norton Password Manager).
- Two-factor authentication services like Google Authenticator or Duo Security, and FIDO2/WebAuthn hardware security keys where phishing resistance matters.
- Directory-level enforcement such as Active Directory password policies and Microsoft Entra ID Password Protection (formerly Azure AD Password Protection), which blocks banned and commonly used passwords at change time. Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is sometimes listed here, but it was an exploit-mitigation tool with no password features and was retired in 2018.
- Security awareness training platforms such as KnowBe4 or SANS Institute.
- Breached-password checks such as Have I Been Pwned’s Pwned Passwords, which can be queried with only the first five characters of the password’s SHA-1 hash so the password itself never leaves your system. Microsoft’s Security Scanner, also sometimes listed here, is an on-demand malware scanner rather than a password checker.
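The following added example (not code from the original article, from Have I Been Pwned, or from any product named above) shows how the two pieces fit together: a registration or change-password handler enforces the length and character-class rules from the best-practices list, then asks a Pwned Passwords style service whether the password is already known from breaches using the k-anonymity scheme, so only five hex characters of the SHA-1 hash ever leave the machine. The policy numbers (12-character minimum, three of four classes) are assumed values, and `CONSTRUCTED_RANGES` is a constructed stand-in for the text that `https://api.pwnedpasswords.com/range/<prefix>` returns, so the script runs offline.

```python
"""Password policy check plus a Have I Been Pwned style breached-password lookup.

Added example for this article. The policy thresholds are assumed values and
CONSTRUCTED_RANGES is constructed demo data standing in for the HTTPS response.
"""
import hashlib
import re
from typing import Dict, List, Tuple

MIN_LENGTH = 12   # assumed policy value
MIN_CLASSES = 3   # assumed policy value: of lower, upper, digit, other


def policy_violations(password: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(
        1 for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if re.search(pattern, password)
    )
    if present < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if len(set(password)) == 1:
        problems.append("a single repeated character")
    return problems


def hibp_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5 chars sent to the API and the 35 kept local.

    Only the prefix leaves the machine (k-anonymity): the service returns every
    suffix it knows for that prefix and the caller does the comparison itself.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, ranges: Dict[str, str]) -> int:
    """Times the password appears in the supplied range data; 0 if absent.

    `ranges` maps a 5-character prefix to the body the API would return for it.
    In production that body comes from an HTTPS GET for the prefix.
    """
    prefix, suffix = hibp_prefix_and_suffix(password)
    body = ranges.get(prefix)
    if body is None:
        return 0
    return parse_range_response(body).get(suffix, 0)


# Constructed range data. The first suffix is the real SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) minus its 5-char prefix; the
# counts and the second suffix are made up for the demo.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        + "0" * 34 + "1:2\n"
    ),
}


def evaluate(password: str, ranges: Dict[str, str] = CONSTRUCTED_RANGES) -> Dict[str, object]:
    """Combine both checks the way a change-password handler would."""
    violations = policy_violations(password)
    seen = breach_count(password, ranges)
    if seen:
        violations.append(f"found {seen} times in known breaches")
    return {"accepted": not violations, "violations": violations}


if __name__ == "__main__":
    for candidate in ("password", "aaaaaaaaaaaaaa", "Tr0ub4dor&3-Lighthouse"):
        print(candidate, evaluate(candidate))
```

Note that the breach check rejects a password that satisfies every composition rule if it already appears in a leak, which is exactly the case composition rules alone miss; a long passphrase that is absent from the range data passes even though it uses no symbols.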
By using these tools, organizations can ensure that their passwords are secure and their users are trained in best practices.
Case Studies of Poor Password Management Policies
The idea of having excellent password management rules in place is hard to argue with, but many companies let these policies slip as more pressing day-to-day matters arise. To reinforce how essential it is that you institute and follow a password management plan, consider these case studies spanning the last decade.
Target: In late 2013, the US-based retail giant Target suffered one of the largest retail breaches on record. Attackers did not guess customer passwords; they used network credentials issued to a third-party HVAC vendor, reportedly stolen through a phishing attack, to reach Target’s network and then installed malware on point-of-sale systems. About 40 million payment card numbers and personal data for up to 70 million customers were taken, and Target reported cumulative breach-related costs of roughly $162 million by 2015. The lesson is credential hygiene for third parties: least-privilege vendor accounts, network segmentation, and MFA on remote access.
LinkedIn: In 2012, about 6.5 million LinkedIn password hashes were posted online, and a sale of the same data in 2016 showed the theft had actually covered roughly 117 million accounts. The passwords were not stored in plaintext, but they were unsalted SHA-1 hashes, which is nearly as bad once the list leaks: crackers recovered them in bulk within days using wordlists and GPU hardware, and every user who shared a password shared a hash. LinkedIn responded by adding salting, forcing resets, and offering two-factor authentication.
Yahoo: Yahoo’s 2013 breach, disclosed in December 2016 as affecting more than 1 billion accounts and later found to cover all 3 billion, exposed names, email addresses, dates of birth, security questions and answers, and password hashes. Like LinkedIn, Yahoo had not protected those hashes adequately: many were unsalted MD5, a fast hash that is trivially cracked, rather than a salted, deliberately slow password hash.
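The LinkedIn and Yahoo cases above turn on how passwords were stored. The following added example (not code from the original article, LinkedIn or Yahoo) shows why an unsalted fast hash offers little more protection than plaintext once the table leaks, and what a salt plus a slow key-derivation function changes. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, scrypt or Argon2; the iteration count is a demo value, and the user table and attacker wordlist are constructed for the demonstration.

```python
"""Unsalted SHA-1 versus salted PBKDF2 under an offline cracking attack.

Added example for this article. ITERATIONS is a demo value, and the user
table and wordlist in demo() are constructed; real deployments use bcrypt,
scrypt or Argon2 with a work factor tuned to the hardware.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 20_000          # demo value, far below a production work factor
KDF_CALLS = {"count": 0}     # instrumentation so the demo can report attacker cost


def store_unsalted_sha1(password: str) -> str:
    """Storage the way the 2012 LinkedIn table was built: one unsalted SHA-1 per user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _kdf(password: str, salt: bytes, iterations: int) -> bytes:
    KDF_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow storage. Record format pbkdf2_sha256$iters$salt_hex$hash_hex is a common convention."""
    salt = os.urandom(16) if salt is None else salt
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${_kdf(password, salt, ITERATIONS).hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iters, salt_hex, hash_hex = stored.split("$")
    candidate = _kdf(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def crack_unsalted(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each guess once and look it up: cost is O(wordlist), however many users leaked."""
    lookup = {store_unsalted_sha1(w): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def crack_salted(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """With per-user salts every guess is re-derived per user, each at ITERATIONS cost."""
    words = list(wordlist)
    found: Dict[str, str] = {}
    for user, stored in leaked.items():
        for w in words:
            if verify_pbkdf2(w, stored):
                found[user] = w
                break
    return found


def demo() -> Dict[str, object]:
    """Constructed leak: two users share a weak password, one has a strong one."""
    users = {"alice": "password", "bob": "password", "carol": "m3Nt0r-Sapphire-9!"}
    wordlist = ["123456", "password", "qwerty", "letmein"]   # constructed attacker list
    unsalted = {u: store_unsalted_sha1(p) for u, p in users.items()}
    salted = {u: store_pbkdf2(p) for u, p in users.items()}
    KDF_CALLS["count"] = 0
    cracked_salted = crack_salted(salted, wordlist)
    return {
        "same_hash_for_alice_and_bob_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_hash_for_alice_and_bob_salted": salted["alice"] == salted["bob"],
        "cracked_unsalted": crack_unsalted(unsalted, wordlist),
        "cracked_salted": cracked_salted,
        "kdf_calls_for_salted_attack": KDF_CALLS["count"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both attacks recover the weak password and neither recovers carol’s, which is the honest lesson: hashing does not rescue a bad password. What the salt changes is that alice and bob no longer share a hash and no precomputed table applies, and what the slow KDF changes is that the attacker pays the full work factor for every user and every guess (8 derivations here versus 4 cheap SHA-1 computations for the whole unsalted table, a gap that grows with the size of the leak).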
Equifax: In 2017, attackers took personal information on about 147 million US consumers from Equifax. The entry point was not passwords but a known Apache Struts vulnerability in a public web application that Equifax had left unpatched for months after a fix was available; weak credential practices did surface in the aftermath, notably an Equifax employee portal in Argentina found protected by the username and password admin/admin. The exposed data included Social Security numbers, birth dates, and addresses. Equifax’s settlement with the FTC, CFPB and US states was worth up to $700 million, and its total breach-related costs have been reported at more than $1 billion.
Marriott International: In 2018, Marriott disclosed that attackers had been inside the Starwood guest reservation database since 2014, before Marriott acquired Starwood and well before the intrusion was detected. The initial estimate of 500 million affected guests was later revised to about 383 million records, which included some 5 million unencrypted passport numbers along with email addresses and phone numbers. The UK Information Commissioner’s Office announced an intended fine of about £99 million (roughly $123 million at the time) and in 2020 imposed a final penalty of £18.4 million. The failure was years of undetected access to a network inherited through an acquisition, which is where credential and access reviews during due diligence earn their keep.
These case studies show that credential and storage decisions determine how bad a breach becomes. Storing passwords only as salted, slow hashes, screening new passwords against breach lists, requiring multi-factor authentication wherever possible, and auditing third-party and inherited accounts all reduce both the likelihood and the cost of an incident, and they are what keep customer information out of the hands of malicious actors.
Need help with password management or other cybersecurity issues? Contact TAG Solutions today. We can guide your organization to the right policies for you.