While using the recommendations in the first three blogs in this series (password composition, password practices, password policies) are critical, employers have to create a “culture” of security where there is ongoing discussions about maintaining cybersecurity. Employee education is essential. Also know that a company’s compliance requirements may be a factor if they stipulate password complexity and education for their workforce. I’ll also cover password managers at the end.
1. Mandate user training in password complexity: never use passwords that are easy to remember, change passwords often, never reuse or recycle passwords, never use real personal data in passwords or recovery questions, never use dictionary words or patterns.
2. Train employees how to maintain password and account privacy.
3. Recommend to employees to never share passwords, never text or email passwords, use a separate password for each account and not reuse business account passwords for personal accounts.
4. If optional, recommend that employees use multi factor authentication wherever possible.
5. Recommend to employees that they not write down or input them into Excel or Word. Case in point: users who write passwords on sticky notes left on their monitors or desks.
6. Recommend that users not use browser password saving and encryption features. These are notoriously weak.
7. Discuss password provisioning with new employees.
8. Discuss password lifetimes, lock outs and audits with all employees.
9. If allowable under the company’s acceptable use policy, encourage the use of a password manager.
A brief word about password managers
As mentioned in the beginning, I want to say something about password managers. These include software “vaults” like 1Password, LastPass or Bitwarden that can create randomized, complex passwords and store them securely. If SMBs and organizations require one, then they will be on the right track and users will not have to remember their lists, except for their master password. This brings us to their biggest vulnerability: the loss or compromising of the master password. But if users keep that secure, they will be well on their way to having a secure set of passwords.
Tech Kahunas know the needs of SMBs and organizations and will help you with proper password practices and policies.
We’ll stay on top of the threats.
We’ll watch your data.
We’ll review your risks.We’ve got years of this.