With cyber hacking on the rise and our personal data at greater risk than ever before, having strong password protection and security education processes in place at your organization is critical. How do you know if the passwords used at home and work are secure enough? Having a detailed password policy and user education system for your team is key to safeguarding your cyber network.
Ensuring Iron-Clad Password Protection
Every time we turn on the news, there is a story about the most recent large-scale network security breach. Of course, most cyber security breaches never make the news. We all know someone whom a hacker has victimized. It seems like these online villains are everywhere, just waiting for the slightest opportunity to access a bank account or steal someone’s identity.
These situations are often avoidable by simply following correct password protocols. According to the Verizon Data Breach Investigation Report, 80% of data breaches directly result from weak, reused, or otherwise compromised passwords. There are ways to ensure reliable password protection — the key is to stay educated and up-to-date on new developments in password security so that you can stay one step ahead of cybercriminals.
Tips from the Experts on Password Policy
There are some basic steps we can all follow to secure our passwords. Using longer, more complex passwords that mix character types, with a combination of letters and numbers, is one essential way to keep hackers at bay.
Cybersecurity experts also recommend that we avoid using personal information, such as birthdays or home addresses, as part of our passwords. Any information that might be publicly available or easily accessed by a hacker through our email or social media should never be included in a password.
NIST Password Guidelines
In response to the steady increase in online fraud and data theft, the National Institute of Standards and Technology (NIST) has issued formal guidelines, updated for 2021, to help individuals and organizations increase their cyber security. NIST, a government agency within the Department of Commerce, has some great advice that we’ll detail below:
Stretching Out Passwords
When it comes to password security, length matters. A user-created password must be at least eight characters long, while a password generated by a computer (and therefore totally random) need only be six or more characters long. Most importantly, the system that checks a password (the verifier) should never truncate it: every character the user typed must be included in the check.
Allowing Fewer Verification Attempts
Organizations should not allow more than 10-12 failed attempts at entering a password before locking the user’s profile. The more attempts that are allowed, the greater the risk that an unauthorized user may guess their way into the system.
Stop Using Hints!
Password hints seemed like a good idea initially, and they are helpful for remembering rarely used passwords. Still, they make it far too easy for hackers to infiltrate banking and other online systems. Finding out the name of a family pet or the place where you were born is child’s play for an experienced hacker.
Use Two-Factor Authentication
Instagram has been using two-factor authentication for a while now, and it works. The problem is, it’s only an option, and many people don’t even know about it. Adding this handy tool to your online systems means that hackers have to get past several extra steps before they can access your information. Users receive a notification before any harm can be done, and it’s game over for the attacker.
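To show what the "extra step" in two-factor authentication actually consists of, here is an added example (not code from the original article, and not any vendor's implementation) of the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps use. The verifier and the user's phone share a random secret; each 30-second window yields a six-digit code derived from the secret, so a stolen password alone is not enough to log in. The RFC 4226 test secret and the constant names are the only assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6   # code length shown to the user
STEP = 30    # seconds per time window


def generate_secret():
    """Random 160-bit secret, generated once when a user enrols a device."""
    return secrets.token_bytes(20)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to the current time window."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=STEP, digits=DIGITS, window=1):
    """Accept the current window plus `window` windows either side (clock drift).

    Every candidate is compared in constant time and none short-circuits, so
    the verifier's timing does not leak which window matched.
    """
    at = time.time() if at is None else at
    counter = int(at) // step
    ok = False
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            ok = True
    return ok


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that authenticator apps read from a QR code at enrolment."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    # Constructed enrolment for a fictional account.
    shared = generate_secret()
    print(provisioning_uri(shared, "jane@example.test", "ExampleCorp"))
    print("current code:", totp(shared))
```

The server stores only the shared secret and checks the submitted code with `verify_totp`; the `window` argument is the usual concession to phones whose clocks run slightly fast or slow.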
Start Using a Password Manager
The ingenious idea behind a password manager is that it generates and stores all your passwords (no more making up your own and saving them on a list on your hard drive). The passwords are then stored in an encrypted database that you can access using yet another password. The beauty of this system, though, is that you only need to commit one password to memory instead of several dozen. Think of it as storing all your passwords in a secure vault.
Learn How to Hash
Password hashing is a bit more high-tech but certainly something that any business or organization should be doing to protect its data, since saving passwords in plain text is a very bad idea. Hashing transforms a password into a string of seemingly random characters that a human cannot interpret and that cannot be turned back into the original password. This makes life very hard for hackers, who end up with a bunch of scrambled text instead of a company’s tidy list of client passwords.
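The following added example (written for this article, not taken from it or from any product) puts together three of the NIST points above: passwords are stored only as salted, slow hashes (PBKDF2-HMAC-SHA256, a standard-library choice; the iteration count, salt size and storage format are assumptions), the whole password is hashed so nothing is truncated, and an account is locked after a fixed number of failed attempts. The lockout threshold of 10 is picked from the article's 10-12 range; the 15-minute lockout length is an assumption.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters, not from the article: PBKDF2-HMAC-SHA256 with a
# 16-byte random salt. NIST SP 800-63B asks for at least 10,000 iterations;
# 100,000 keeps one check cheap for the server and expensive for a guesser.
ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 10      # the article suggests 10-12; 10 chosen here
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage.

    The whole UTF-8 password goes into the KDF: nothing is truncated, so a
    long passphrase keeps all of its strength.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hashed once at import so that a login for an unknown account costs the same
# time as one for a real account (otherwise timing reveals which names exist).
DUMMY_HASH = hash_password("not-a-real-password")


class Verifier:
    """Stores only salted hashes and locks an account after repeated failures."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, lockout=LOCKOUT_SECONDS,
                 clock=time.time):
        self.users = {}       # username -> stored hash string
        self.failures = {}    # username -> (failed count, locked-until timestamp)
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.clock = clock    # injectable so tests can move time forward

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'; never says why a login failed."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"                       # refuse without even checking
        stored = self.users.get(username)
        if stored is None:
            check_password(password, DUMMY_HASH)  # burn the same time, then fail
        elif check_password(password, stored):
            self.failures.pop(username, None)     # success clears the counter
            return "ok"
        count += 1
        if count >= self.max_attempts:
            self.failures[username] = (0, now + self.lockout)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    v = Verifier()
    v.register("alice", "correct horse battery staple")   # constructed sample user
    print(v.users["alice"])                                # never the plain text
    print(v.login("alice", "correct horse battery staple"))   # ok
    print(v.login("alice", "hunter2"))                        # denied
```

What ends up in the database is the `pbkdf2_sha256$...` string, which is useless to anyone who steals it without also guessing the password, and the per-account counter turns online guessing into a slow, noisy activity that shows up in logs.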
Discourage or Prohibit Certain Passwords
Some passwords are easier to hack than others. For maximum security, the following are examples of passwords that should not be used:
- A sequence of numbers or letters such as “1234” or “abcd.”
- A series of characters that appear in the same order on a keyboard
- The name of the user or anyone in the user’s immediate family
- The user’s phone number or license plate number
- A birth date, home address, or other user information that can be easily accessed
- Easy-to-guess passwords
- Default or suggested passwords (unless they come from a reputable Password Manager, as noted above)
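A password policy only helps if the system enforces it at the moment a user picks a password. Here is an added example (not from the original article) of a screening function that implements the list above: it rejects passwords under NIST's eight-character minimum, entries on a denylist of common passwords, runs like "1234" or "abcd", keyboard-row patterns such as "qwer", and anything containing the user's own name, phone number, birth date or similar details. The denylist, the run length of four and the sample user record are all constructed for illustration.

```python
import re

# Constructed denylist for illustration; a real deployment screens against a
# large breached-password corpus, as NIST SP 800-63B recommends.
COMMON_PASSWORDS = {
    "password", "password1", "123456789", "qwerty123", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "dragon",
}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8     # NIST minimum for user-chosen passwords
RUN = 4            # length of a run such as "1234" or "abcd" that we reject


def _normalize(value):
    return re.sub(r"[^a-z0-9]", "", value.lower())


def _personal_tokens(user_info):
    """Turn name, phone, birth date, plate, address... into searchable tokens."""
    tokens = set()
    for value in user_info.values():
        whole = _normalize(value)          # "555-0142" -> "5550142"
        if len(whole) >= 3:
            tokens.add(whole)
        for part in re.split(r"[^A-Za-z0-9]+", value):   # "Jane Doe" -> jane, doe
            if len(part) >= 3:
                tokens.add(part.lower())
    return tokens


def _has_sequential_run(text):
    """'abcd', '4321', 'wxyz': RUN characters each one code point apart."""
    for i in range(len(text) - RUN + 1):
        window = text[i:i + RUN]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_keyboard_run(text):
    """'qwer', 'asdf', 'poiu': RUN adjacent keys read along a keyboard row."""
    for i in range(len(text) - RUN + 1):
        window = text[i:i + RUN]
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def password_problems(password, user_info=None):
    """Return the reasons a password should be rejected (empty list = accept)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if _has_sequential_run(lowered):
        problems.append("contains a sequence of letters or digits")
    if _has_keyboard_run(lowered):
        problems.append("contains a keyboard-row pattern")
    for token in sorted(_personal_tokens(user_info or {})):
        if token in lowered:
            problems.append(f"contains personal information ({token})")
    return problems


if __name__ == "__main__":
    # Constructed sample user record, not real data.
    user = {"name": "Jane Doe", "birth_date": "1990-04-12", "phone": "555-0142"}
    for candidate in ["1234abcd", "qwerty!!", "Doe1990!", "password", "Tr0ub4dor&3"]:
        print(candidate, "->", password_problems(candidate, user) or "accepted")
```

Returning every reason rather than a bare yes/no lets the sign-up form tell the user exactly what to change, which in practice does more for adoption than a terse "password rejected".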
Having Security Education Processes in Place at Your Organization
If you haven’t already invested in a security education program for your staff, don’t wait any longer. The number one way security breaches happen at work is through employees who unwittingly take a misstep and leave the door wide open for a hacker to step right in. Having a cybersecurity expert come into your workplace can give your staff valuable tools to recognize and halt security breaches in their tracks.
Simulated phishing exercises, for example, are a hands-on way to prep your team for a potential real-life phishing attack. These exercises can be customized to your organization using your in-house systems. It’s a good idea to do a refresher on these exercises with your staff regularly.
Encourage Security Awareness from Day One
User education on cyber security should start on an employee’s first day of work, as part of their onboarding processes, and continue throughout their employment with you. Best practices are frequently updated to meet the most current cyber security threats and challenges, so organizations must stay on top of the latest recommendations and ensure that their team is educated accordingly.
It is also worthwhile to have a formal password policy as part of the human resources or operational policy manual. This must detail the best practices outlined here and how these practices will be implemented and adhered to. Employees should review and sign off on this policy during onboarding and at least once per year after that. Given the constantly evolving nature of cyber security, this policy should be updated regularly.
If you have any concerns about your organization’s cyber security processes or want to learn about better ways to secure your organizational data, contact us today at Edafio. Don’t forget to ask us about the Edafio Security Awareness Program!