How to Implement a Strong Password Policy
Follow these 9 tips to protect your business and avoid email compromise
A password policy is an effective way to enforce email password guidelines and help keep your business secure.
Cyber attackers often use lost or stolen credentials to gain unauthorized access to systems and launch cyber attacks. In fact, more than 50% of all cyber attacks originate from an email-based compromise, according to At-Bay security research.
To prevent attackers from gaining access to your business email accounts, we recommend implementing a password policy that incorporates the following strategies to protect your business and avoid email compromise.
Attackers use methods like brute force attacks to gain access to your accounts. In a brute force attack, an attacker runs a program and checks all possible combinations of letters, numbers, and symbols until the password is found.
Every additional character you use in your password exponentially increases the time it takes for an attacker to successfully crack it. We recommend a password policy that requires all passwords have a minimum of 12 characters each.
Adding a mix of numbers, symbols, uppercase letters, and lowercase letters to the password makes it very difficult to execute a brute force attack, which is why long, complex passwords are more secure.
When a large-scale data breach occurs, email addresses and passwords are often leaked online. If you reuse credentials across multiple accounts, and one of them gets compromised, attackers can easily access your other accounts as well.
If you always use a unique password for each account, your other accounts will remain secure — even if one is compromised in a breach. We recommend a password policy that prohibits variations of your existing passwords (e.g., password1, password2).
Many people use names, birthdays, phone numbers, and other personal details in their passwords. While it often makes a password easier to remember, that information is also potentially available online and accessible to attackers.
We recommend using random combinations of uppercase letters, lowercase letters, numbers, and special characters to increase the complexity of your passwords and reduce the likelihood of a breach.
Large-scale data breaches occur on a near-daily basis. The passwords exposed in these breaches are publicly available as a data dump, and users are often unaware if their passwords are exposed.
If you’re a user at an organization where a breach is reported, immediately change your password — even if your account seems unaffected. You can also use products (like Securden Password Vault for Enterprises) that proactively scan the information in data dumps to check if any passwords stored in the product match the passwords exposed in known data breaches.
If you share a username and password with someone over email or text, your credentials can be exposed if their email account or device gets compromised — even if that person never shares your information with anyone else.
If you need to share credentials with another person, we recommend a password policy that requires using a secure method, such as a password manager.
Similar to never reusing the same password for different accounts, you should also avoid recycling old passwords. We recommend a password policy that includes a minimum password age, which requires a specific number of days a password must be used before the user can change it.
Without a minimum password age, users are more likely to change their password multiple times within a few minutes and reuse their previous password.
Periodic password audits can help you ensure everyone on your team is following all of the rules in your password policy. Once you have clearly defined rules in place, establish regular audits and track every team member’s compliance individually.
Multi-factor authentication (MFA) is a security setting that requires you to provide more than one method of verification to gain access. Attackers often use stolen usernames and passwords to access systems and deploy ransomware, which is why adding an additional verification method that cannot be stolen can help prevent an attack.
Implementing MFA provides an extra layer of security, requiring at least two authentication factors to access an account: something you know (password), something you have (a one-time authentication code generated), or something you are (fingerprint).
The most common and safest verification method is an authenticator application, such as Google Authenticator, which is recommended over text messages or phone calls. We recommend implementing MFA for email, internal applications, remote network access, and any external-facing systems.
Writing passwords down on paper or storing them in a spreadsheet are dangerous ways to manage your passwords. Instead, the most effective solution to maintaining overall password hygiene is to use a password manager. A password manager helps you create strong passwords and stores them for you in a secure digital space.
Many of our above recommendations are easy to implement and can protect your business from cyber attackers. However, if you do not have the in-house technical resources to implement these strategies, please contact your IT provider.