Password hygiene involves more than the password itself. It is determined by a number of different factors.
- The quality of the password itself
- The security of the sites where those passwords are being used
- How the passwords are stored and shared
- How the passwords are entered.
In this article, we’ll look at how each of the above factors affect the strength of an organization’s overall security and how leaders can educate their teams on password security.
What Is Password Hygiene?
Password hygiene is the practice of creating, using, and managing high-strength passwords to maintain high personal and organizational security.
Good Password Hygiene Helps An Organization Avert
- Social engineering attacks
- Data breaches
- Unauthorized access
- Non-compliance with security regulations
How To Improve Different Aspects Of Password Hygiene?
As we discussed earlier, a company’s password health hinges on four primary factors – password strength, security of the sites where they are used, password storage and sharing, and how they are presented during the authentication process.
What Is A Strong Password?
A strong password has some very simple qualities.
- It is long – at least 12 characters
- It combines alphabets, numbers, and special characters
- It is unique
What Constitutes A Weak Password?
Again, some fairly simple attributes make a poor password.
- If a user has the same password for multiple accounts
- It follows a specific pattern such as the combination of a name and a year or a personal name and a city name.
- It follows recognizable keyboard patterns like “qwertyui” or “asdfgh”
- It misses any of the attributes that make a strong password (as mentioned above)
- If a password has been stolen
Security of sites used by employees
How To Know Of A Site Is Secure?
Start by checking the URL bar
- The URL should start with “https” and not “http.” The “s” stands for secure and it denotes that the site is using a Secure Sockets Layer (SSL) certificate to encrypt your data.
- Click on the padlock icon adjacent to the URL to investigate further about the SSL certificate to find out if it is from a reputable source.
- Read the privacy policies of the website to learn about its data collection processes.
- Look at reviews to assess the reliability of the website.
Password storage and sharing
What To Avoid When Storing And Sharing Passwords?
- Do not store passwords in plaintext. Writing them down on paper or pasting all credentials to a notepad file are extremely risky practices.
- A browser-based password manager is okay for personal usage but not recommended for storing work-related passwords.
- Never share passwords in plaintext.
- Do not stay logged into applications or services no longer in use.
Entering The Passwords
The Risk Of Typing In Credentials
A phishing attempt is made on every business twice daily on average. The possibility that an employee could potentially enter their usernames and passwords into a phishing site cannot be ignored.
- Employees can be coaxed into sharing credentials through email in a quid-pro-quo or pretexting attack
- They can be tricked into typing passwords into phishing sites
- Passwords may be stolen through a man-in-the-middle attack or wireless sniffing.
Suspiciousness is not a bad thing when it comes to setting up the password policy for your organization.
Hence, it is best if employees logging into organizational accounts do not have access to the credentials in plaintext. A password management tool can take care of the authentication process.
5 Crucial Steps To Good Password Hygiene
There is a lot an organization can do to enforce better password policies and achieve better password hygiene across the company. These five ideas are the bedrock of strong password security.
1. Implement Two-factor Authentication For All Accounts
Enabling 2FA is a must for all accounts used for work. If an employee or a team uses personal accounts to access organizational data, those too should be protected by the extra layer of security provided by 2FA or MFA.
It’s even better if the employee does not receive the 2FA information via email or SMS because those can be compromised in a cyberattack quite easily.
2. Arrange Security Awareness Training For All
Every employee should receive periodic security awareness training. They should be aware of different social engineering tactics.
When employees have clarity in terms of password policies and ideal actions after receiving a phishing email, it significantly reduces the risk to the business.
3. Enable Secure Password Sharing
An organization should have a mechanism to share login credentials without exposing them to the internet in plaintext.
Some password managers offer the ability to share credentials with team or specific individuals for a stipulated amount of time without actually showing the credentials to the recipient.
With such a password-sharing procedure in place, employees can never be victimized by a social engineering attack aimed at stealing credentials.
4. Automate password generation and resets
If an organization leaves password creation to its employees, it is likely to end up in either of two situations –
1. All passwords are weak and easy to remember
2. Passwords are relatively strong but hard to remember, so employees write them down in plaintext or reset them using the forgot password button very frequently.
Neither of these scenarios is desirable for an organization that is serious about cybersecurity. Cybercriminals are always looking for companies that are lacking in terms of password security.
The idea is to use a password generator to create strong passwords and use a password vault to keep them safe.
5. Use A Password Manager
A password manager makes it easy to follow all password best practices.
- It shields organizational passwords as well as personal credentials with strong encryption, a master password, and role-based access controls
- It allows security admins to follow login trails and grant or revoke access easily.
- Enables secure password sharing, and authentication without typing in credentials.
- It alerts you when a website is insecure or a password is stolen.
- Practically takes social engineering out of the equation
- Apply geo-restrictions for accessing accounts
Password managers make security easy for employees working remotely as well as from the office. Some tools offer dark web monitoring, and some even offer shadow IT monitoring.
With the growing number of passwords that every business and every individual is dealing with, a powerful password manager is essential.
Security practices and password policies are effective only if they are followed diligently. Hence, companies need to find ways of cultivating a culture of security awareness where the best practices come naturally.
It is not very hard either thanks to modern password management and access management solutions. But at the end of the day, the human factor cannot be ignored, and leaders need to help their employees to overcome security risks through education, drills, and periodic assessments.