As a managed service provider, we’re always educating our clients about cyber security risks and best prevention practices, including password management. It’s perhaps the single most important practice to keep your whole system secure from cyber attacks.
Passwords can be the Achilles heel of businesses — and business leaders. Most leaders don’t spend their days logged into every platform their business needs. And when they DO want access, authentication can become an annoyance or obstacle. So many companies we start working with have that one email address and login for everything so their CEO can get in when needed. We get it. You need information to lead. And you usually need it NOW.
But as a leader, you also need to set the tone and protect your business. Here’s everything a CEO should know to make password management more simple, and secure, for their business:
Making Passwords Strong: Best Practices
Simple passwords, reused passwords and passwords built from personal information are candy to cyber thieves. A strong password is long (at least 12 characters, and longer is better), random, and used for exactly one account. Mixing uppercase, lowercase, numbers and symbols helps, but length and unpredictability matter more than any particular character mix, and no password protects you once it has been reused on a site that gets breached. Here are some do's and don'ts for strong passwords:
- DO give each one of your accounts a unique password: single use only. The minute you reuse a password on another platform, you are shooting your cyber security in the foot, because attackers take the email-and-password pairs leaked from one breach and automatically try them on every other service (this is called credential stuffing).
- DO include at least one UPPERCASE letter, one lowercase letter, one number and one special character (e.g., !@#$%^&*()_+) even if the platform doesn't require it, and make it at least 12 characters long. Length adds far more protection than complexity: a random 16-character password, or a passphrase of five or more randomly chosen words, is stronger than a short password that happens to contain every character class.
- DON'T use any personal information as part of your password. Not your name, birthday or address, nor that of anyone in your family, including your pet. If it's easier for you to remember, it's also easier for cyber criminals to guess. If you might be tempted to post about something on social media, that information should not be part of your password.
- DON'T use a single word, name or common phrase that can be found in a dictionary, even with a number or symbol added to the beginning or end (something like Summer2024! is guessed in seconds). Cyber criminals use cracking software that automatically tries millions of dictionary words, previously leaked passwords and the usual variations of them. A passphrase made of several words is fine only if the words are chosen at random rather than taken from a quote or saying.
- DON'T write your passwords down or save them to a spreadsheet, Contacts, Notes or any other unencrypted program. (A password spreadsheet is the first place an attacker looks after getting access to your device.)
- DON'T rely on your browser to save passwords. Browser-saved passwords are only as protected as the login on that device, and information-stealing malware that lands on the device routinely reads them out. Use a dedicated password manager instead, and turn OFF the browser's Suggest Passwords / Offer to save passwords setting so the two don't compete.
- DO use multi-factor authentication, even if the platform doesn’t require it. More on this next.
- DON’T allow your team to share a single login and password for any system; even something seemingly low-risk.
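As an added illustration (not part of the original guide), the Python below generates passwords the way a password manager does, using the operating system's random number generator, and puts numbers on the advice above: how many bits of unpredictability a random 12- or 16-character password or a random multi-word passphrase has, versus a "Word + year + symbol" password that an attacker's wordlist and mangling rules already cover. The 16-word list is a constructed sample; the 7,776-word list size, the 100,000-word / 100-suffix / 10-symbol cracking model and the 10 billion guesses per second rate are assumptions chosen for illustration, not measurements.

```python
import math
import secrets
import string

# Constructed word list for illustration only. A real passphrase generator uses a
# published list of thousands of words (the EFF long list has 7,776); the entropy
# numbers below assume that size, not this 16-word sample.
WORDLIST = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
]
REAL_WORDLIST_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length=16, alphabet=PRINTABLE):
    """Uniformly random password drawn with the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """Diceware-style passphrase: every word is an independent uniform pick from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform picks from `choices` possibilities."""
    return picks * math.log2(choices)


def pattern_entropy_bits(words=100_000, capitalisations=2, suffixes=100, symbols=10):
    """Entropy an attacker actually faces for a 'Word + year + symbol' password.
    The counts are assumptions about a typical cracking wordlist and rule set."""
    return math.log2(words * capitalisations * suffixes * symbols)


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected time to find a password by brute force (half the space on average).
    1e10 guesses/s is an assumed rate for an offline attack on a fast unsalted hash."""
    return (2 ** bits) / 2 / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    strong16 = entropy_bits(len(PRINTABLE), 16)
    strong12 = entropy_bits(len(PRINTABLE), 12)
    phrase = entropy_bits(REAL_WORDLIST_SIZE, 5)
    pattern = pattern_entropy_bits()
    print("random 16-char password :", random_password(), f"{strong16:.1f} bits")
    print("random 5-word passphrase:", random_passphrase(), f"{phrase:.1f} bits (7,776-word list)")
    print("12-char random password :", f"{strong12:.1f} bits, about {years_to_crack(strong12):,.0f} years")
    print("Word+year+symbol pattern:", f"{pattern:.1f} bits, about "
          f"{years_to_crack(pattern) * 365 * 24 * 3600:.2f} seconds")
```

The point of the last two lines is the gap between them: a 12-character random password gives roughly 79 bits, while a word with a year and a symbol bolted on gives under 30 bits against an attacker who tries exactly that pattern, regardless of how many character classes it contains.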
The good news is that there are easy (and some free) password management tools that businesses can use to make it easy to create, remember and share passwords securely.
Change Your Passwords NOW if:
- You’ve been using the same password since you opened an account.
- You have the same password for multiple accounts.
- Your password doesn’t meet the criteria to make it strong.
- You’re concerned it may be compromised.
Start with your business accounts, bank accounts and your mobile carrier (your phone number receives password resets and text-message codes for many accounts, so an attacker who takes over your carrier account, or gets your number moved to their SIM, can take over the rest).
Embrace Multi-Factor Authentication (MFA)
Yes, multi-factor authentication can slow you down … a little … at first. But it gets easier and faster the more you use it. Before long, you'll be humming along, authenticating left and right and hardly even noticing you are doing it. Really. The bottom line though is, like it or not, YOU NEED MFA. There's really no security without it anymore. According to Microsoft, MFA can prevent 99.9 percent of account compromise attacks. Not all MFA is equal, though: text-message codes can be intercepted by SIM swapping, and push notifications can be phished or spammed until a tired user taps Approve. Prefer an authenticator app and, where the platform offers it, a hardware security key or passkey (FIDO2), which cannot be phished.
Here are some steps for embracing multi-factor authentication for your business:
- Let your internal IT team or MSP know that MFA should be rolled out across your networks and systems for all users.
- Make sure those teams have a plan to provide staff training and support to successfully roll out MFA without stressing them out or impacting your ability to do business.
- Lead the way by setting up multi-factor authentication yourself — even for your personal accounts. (We suggest starting with your financial accounts). If you are comfortable with MFA, your team may be less wary.
- Require all your vendor or partner accounts to have MFA enabled. If they don’t offer multi-factor authentication security, consider switching to a provider that does.
- Establish monitoring. Failed and unusual login attempts (wrong passwords, logins from a new country or device, MFA prompts the user denied) should be logged, reviewed and used to improve your cyber security. With teams working from home, in the office and a hybrid of both, monitoring is more critical than ever.
Check out our CEO’s Guide to MFA for more information.
A Guide to Password Management Tools
A password manager is a program that securely stores all your passwords in one place. There are many available, almost all with a free option, followed, of course by a higher or premium option for a price.
You create a “master password” to log in to the manager, then as you need to log in to other systems, the password manager brings up the relevant credentials for each account. You can even choose to have those usernames and passwords automatically entered by the password manager.
Password managers can also create unique, strong passwords for you. All you have to remember is the password to the password manager account (the master password). The password manager will supply the long random character string for all the others. Password managers such as those listed below encrypt your vault with a key derived from your master password, so the company running the service cannot read your passwords (vendors call this zero-knowledge). Note that this is encryption, not hashing: the vault has to be decryptable with the master password, which is why that one password must be long, unique and itself protected by MFA.
Here are some we recommend:
Rolling Out Password Management for Your Team
Whether you are, like me, the CEO of an MSP, a team manager or a client manager, know that you have the right to require a certain level of password security for your employees’ business accounts. Here are some ways to get everyone in the workplace to use strong passwords.
- Train everyone, including non-managerial personnel, about the need and the dangers. Set up rules for your systems that require strong passwords, and let your employees know that any personal accounts accessed from their workstation can put the business at risk as well. Hackers use phishing and other social engineering tools to try to access your data.
- Enforce strong passwords for systems and applications that allow you to control the parameters users must meet in setting a password.
- Lock out users after a specific number of failed login attempts (e.g., three to five) within a set time frame (e.g., 12 hours). This blunts brute-force attacks, where the attacker simply tries password after password until one works. Make the lockout temporary (for example, 15 to 30 minutes) rather than permanent, or anyone who knows a username can lock that person out on purpose; throttling attempts per source address and requiring MFA close the same gap without that denial-of-service risk.
- Require high-risk staff to change passwords periodically. This includes system administrators, superusers and people handling sensitive data. Forget about having every employee change their password every 30, 60 or 90 days. That mandatory rule can backfire, with employees choosing weaker passwords or writing them down to remember them, and current NIST guidance (SP 800-63B) recommends against scheduled rotation. Everyone's passwords should still be changed immediately when there is evidence of compromise.
- Use one-time passwords (OTPs) for new users (employees) being set up in your business systems or when credentials are lost or breached. OTPs should be randomly generated, follow the same strong password guidelines, expire quickly and be changed at first login. They are the one type of password that skirts the "never write it down" rule (they can also be texted or emailed), because they are worthless after that first use; still, send the username and the OTP through different channels so that one intercepted message is not enough. Requiring that the password be changed after the initial login makes sure that only users know their passwords and wipes away any potential issues with the way the OTP was communicated.
- Force initial or one-time passwords to expire if they aren’t used in a certain period of time (e.g., 48 hours).
- Create and enforce a strict "no sharing of passwords" policy. If exceptions are needed for business reasons, make sure passwords are shared through a password manager, so you can see who has access and revoke it. Shared passwords should be changed more frequently as well, and always when someone who knew them leaves the team.
- Change any default passwords that come with systems (admin/admin and the like). Once the program you are adding is installed and configured, disable or rename any built-in default accounts you don't need. Default credentials are printed in vendor manuals and tried automatically by attackers' scanners, so a device still using them is an open door.
- Store passwords using strong algorithms. If a system you run keeps user passwords, they must be stored as salted hashes made with a slow, purpose-built function (bcrypt, scrypt, Argon2id or PBKDF2), never as plain text, reversible encryption or a fast unsalted hash (MD4, MD5, SHA-1), which cracking tools test at billions of guesses per second. Never send passwords over unencrypted protocols (FTP, HTTP, plain SMTP); use TLS. (Password managers are the one place passwords are legitimately encrypted rather than hashed: the vault has to be readable by its owner, so the manager encrypts it with a key derived from the master password.)
- Set up a procedure so users report a password change they didn’t initiate. Once reported, the IT team can have the password reset.
- Implement multi-factor authentication across your business. Check out our MFA Guide.
- Disable accounts immediately when an employee leaves your company, and change any shared passwords that person knew.
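To make the lockout and password-storage points above concrete, here is an added Python example (not from the original article, and not any particular product's code) of how a business application should store and check passwords: scrypt from the standard library with a random salt per user and a constant-time comparison, a temporary lockout after repeated failures within a window, and, for contrast, how quickly a "Summer2024!"-style password falls to a dictionary attack when it was stored as an unsalted MD5 hash. The scrypt cost parameters, the lockout numbers, the `LoginService` class and the five-word wordlist are assumptions chosen for illustration.

```python
import hashlib
import hmac
import itertools
import os
from collections import defaultdict, deque

# scrypt cost: 2**14 rounds and 16 MiB of memory per guess (a common interactive-login setting)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password):
    """Salted, memory-hard scrypt digest in a self-describing record. Not reversible."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters, then compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class LoginService:
    """Hashed credential store plus a temporary lockout after repeated failures (assumed design)."""

    def __init__(self, max_failures=5, window_seconds=12 * 3600, lockout_seconds=15 * 60):
        self.max_failures, self.window, self.lockout = max_failures, window_seconds, lockout_seconds
        self._records = {}                    # user -> scrypt record
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time the lockout expires

    def register(self, user, password):
        self._records[user] = hash_password(password)

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lock expired: clear it and the history behind it
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def login(self, user, password, now):
        """Return 'ok', 'bad' or 'locked'. `now` is a unix timestamp, injected so tests are deterministic."""
        if self.is_locked(user, now):
            return "locked"
        record = self._records.get(user)
        if record is not None and verify_password(password, record):
            self._failures[user].clear()
            return "ok"
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
        return "bad"


def weak_md5(password):
    """Unsalted fast hash, shown only as the thing NOT to do."""
    return hashlib.md5(password.encode()).hexdigest()


WORDS = ["summer", "winter", "welcome", "company", "password"]   # constructed mini wordlist


def dictionary_attack(target_md5, words=WORDS, years=range(2020, 2026), symbols="!@#$"):
    """Try word+year+symbol (lowercase and Capitalised) against an unsalted MD5; return (hit, guesses)."""
    guesses = 0
    for word, year, sym in itertools.product(words, years, symbols):
        for candidate in (f"{word}{year}{sym}", f"{word.capitalize()}{year}{sym}"):
            guesses += 1
            if weak_md5(candidate) == target_md5:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    svc = LoginService()
    svc.register("ceo", "correct-horse-battery-staple")
    for t in range(5):
        print(svc.login("ceo", "Summer2024!", now=float(t)))              # bad, five times
    print(svc.login("ceo", "correct-horse-battery-staple", now=5.0))      # locked
    print(svc.login("ceo", "correct-horse-battery-staple", now=905.0))    # ok, lock has expired
    print(dictionary_attack(weak_md5("Summer2024!")))                     # ('Summer2024!', 34)
```

Each scrypt guess costs the attacker tens of milliseconds and 16 MiB of memory, where an MD5 guess costs nanoseconds; that cost, and the per-user salt that stops one cracked hash from unlocking every user with the same password, is what "strong algorithm" means here. A production version would also run the hash for unknown usernames so that response time does not reveal which accounts exist.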
Do you need to set up better password management policies and tools for your business? Need more help with other IT issues? Contact us.