Password security seems like common sense. If you work in IT or security, you hopefully employ common best practices consistently and understand the importance of good password habits. Research continues to show, however, that not everyone understands and applies such best practices. SplashData’s 2013 list of worst passwords still includes such obviously risky passwords such as 123456, abc123, and “password.” Yes, in 2014 many of your employees and users within your critical systems may still be using these weak passwords or otherwise exercising habits that put your data at risk.
Our November Security Tip is designed to help you remind employees in a fun and easy (for you) way that passwords are critical for the security of the company as well as their personal online activity. To keep it simple, our latest tip offers the following best practices:
Don’t Share Passwords
A recent PCMag article addressed tips for sharing passwords exerting that this bit of advice may be outdated and unrealistic. Of course your spouse needs the bank account login info. At work, however, there really is no reason for sharing login credentials. In a regulated environment, failure to control and manage access to data could lead to greater risk of a security breach and even exacerbated fines or penalties should a breach occur.
Whether you operate within a regulated industry or not, your organization needs a password management and access control policy. Be very specific, in a written policy and recurring training, about your expectations for password complexity, management, expiration, and your system’s lockout policy. Allow specific login credentials for every employee with a legitimate need for access and then teach employees to keep passwords private.
Don’t Write Down Passwords
If you walked around your office peeking under keyboards, would you find passwords on sticky notes? Maybe they are not even tucked under the keyboard or in a desk drawer – do your employees rely on sticky notes displayed on the monitor or top of their desk to remind them how to login to your network? Select a password management tool or two to recommend, teach employees how to use the tool correctly, and encourage them often to do so.
Don’t Reuse Passwords
Organizations must set parameters around what can and cannot be used as passwords. Employees must be trained to understand that the password they think is strong and easy for them to remember cannot be used for their personal banking account, Facebook, and for accessing your company data. Passwords are regularly stolen and cracked from mainstream, legitimate sites on the Internet. If your employees reuse a username and password combination, it is simple for an attacker to use that information to access your system as well. To help them maintain unique login credentials, the password manager tool can be a valuable aid here as well.
November Security Tip: Password Best Practices
We prepare reusable monthly security tips like this to help you make employees aware of common security threats and the easy steps they can take to avoid most of them. Feel free to share our latest security tip with your colleagues. To be sure that you don’t miss next month’s tip, click here to join our email list.