Best practices to prevent a password breach

Is your password “12345”, “qwerty”, or the infamous “password”? You’re not the only one. These passwords are among the most frequently used in 2021.

Unfortunately, your employees are choosing replicable and easily compromised passwords to access your proprietary business data. Most employee passwords fail to follow even the simplest anti-theft precautions, such as creating passwords with a minimum of 12 characters.

In a recent study of 15.2 billion passwords, only 2.2 billion were found to be unique. What’s more, 90% of employee passwords can be cracked in six hours or less. Powerful algorithms can now correctly guess difficult passwords in just seconds!

Image: https://cybernews.com/best-password-managers/most-common-passwords/

With the lack of password strength and advances in cybercriminal technology, password protection is business’ number one internal security risk. This article will show you how to comprehensively keep your employee passwords safe.

Quick Note on Biometrics

Recently there has been a lot of buzz around biometric options such as fingerprints and iris or facial scans. Although biometrics are great to use alongside passwords, challenges with security, cost of installing scanners on each device, integration and maintenance costs, and required information sharing with vendors like Google, Workday, and Salesforce present serious barriers to implementation.

How to Optimize Your Business’ Password Protection

As an IT business leader, the two most important things you can do regarding password protection are set up proper safeguards within your organization and train your employees on safe password practices.

Safeguards For Passwords

Below are some common safeguards you should use with all your password-protected proprietary data. The higher the risk of losing data, the more of these safeguards you should implement:

• Limit employee access to a need-to-know basis: This helps guarantee employees only have company data and account access that they need, when they need it. In addition to controlling access, be sure to block the exporting of data whenever possible. To aid your implementation, assign a delegated safety admin to regularly monitor, provision, and deprovision access to users based on their role. This person should also set team permissions and define the organizational structure for sharing passwords and folders.
• Implement Password Expiration: Automatically schedule required changes to employee passwords.
• Password Masking: Take precautions such as preventing employees from viewing or copying passwords. If you are using autofill functions, ensure your passwords aggregate without appearing.
• Enforce 2 Factor Authentication (2FA): Multi-Factor Authentication adds an extra layer of protection in addition to your username and password. The additional factor is usually a token or a mobile phone app used to confirm your identity. Whether through text messages or biometric verifications like fingerprints or eye/facial scans, it’s important to set up two methods of authentication.
• Analyze Platforms Allowed: Define which platforms are permitted to access accounts. For example, only allow access on a specific browser.
• Implement IP Whitelisting: Prevent employees from accessing their accounts from insecure devices.
• Institute Logout Timers: Set a time limit for how long a user can be inactive (most commonly thirty minutes) before they are automatically logged out.
• Partner with a Password Management Tool: store your employees’ passwords securely, back-up your passwords, and synchronize them across multiple systems. Here are some examples of free password managers: LastPass, KeePass, Password Safe, 1Password

In addition to these safeguards, it is important to make sure employees follow best practices for creating and storing strong passwords. To do this, you must train your employees on the principles explained in the following section.

Best Practices for Passwords

To optimize your security, teach these practices to your employees and enforce them in your company policies.

Use Discretion

Never disclose your employee password to others. Nobody else needs to know your passwords but you—not even your IT professionals. If someone is asking for your password, it’s a scam.

Switch It Up

Use different employee passwords for different accounts. This way, if one account is compromised the others won’t be at risk.

The Longer the Better

Tell your employees to use at least 12 characters whenever possible. Avoid single words, of a word preceded or followed by a single number (ex. 1Password). To easily make passwords longer use sentences or phrases. For example, “cheeseandcrackersyum”. Some systems may let you use spaces: “cheese and crackers yum”.

Don’t be Obvious

Don’t use information in your password that others might know about you or that’s on your social media. Never use your birthday, children’s or pets’ names, or car models. If your friends can figure it out, so will hackers.

Make it Complex

Include upper and lower case letters, numbers, and special characters. For example, “Cheese & crackers YUM!” is more secure than “cheeseandcrackersyum”.

How to Educate Your Team

It’s much easier to avert a breach than it is to recover from one. Once your firm’s sensitive information is stolen through a compromised password, recovery is often a costly and taxing undertaking.
Teaching employees about basic password security practices goes a long way in preventing security breaches, but developers also play a crucial role in this effort. Making sure your developers understand secure coding when it comes to password management is just as important as employees choosing a secure password. If you don’t invest in training your developers about secure coding, your organization will likely end up paying far more in breach recovery costs.
Unfortunately, it’s often too difficult to create a training program internally. Luckily, high-quality training for your developers is available at Avatao. Click the button below to check out one of our password security exercises!