Passwords might seem like a small or unimportant detail, but research confirms that poor password hygiene is a growing and pervasive threat. Weak password practices, unpatched systems, and negligent data handling create vulnerabilities that cybercriminals are quick to find and exploit, either to infiltrate the IT environment or to acquire additional privileges, known as privilege escalation. Security hygiene is just like hand washing: it prevents malware infections, cyber intrusions, and data loss or corruption, so you must establish procedures and policies, and offer regular training, to maintain adequate password hygiene.
A high percentage of data breaches is attributed to compromised or weak credentials such as passwords, often because they are poorly managed or reused. In what follows, we address some of the best practices every organization should consider implementing to resist cybercriminals’ efforts to break through its protective digital walls.
Use Long, Complex Passwords
Imagine the following situation: an attacker knows your password, so they can log into any account tied to it. Once inside, they will try to escalate privileges, moving from one system to another to reach privileged accounts, sensitive data, and critical assets that they can sell, use for further attacks, encrypt and hold for ransom, or publish to ruin your business. The obvious response is to make the compromised password useless by replacing it with one the attacker doesn’t know. The new password must be as long and as random as possible.
New guidance says you’re better off not asking your employees to change their passwords so frequently. When people update their credentials, they tend to make small, predictable tweaks, such as adding a number or changing a letter, which makes the new password easy to deduce from the old one. Another issue is that employees find frequently changed passwords hard to remember, so they write them down or store them where they can be seen or stolen. Using long, complex passwords is much better than changing passwords again and again. Encourage passphrases that are hard to crack, and add another layer of authentication to protect accounts and data.
A good passphrase is very hard for others to guess because it neither contains nor is based on personal information. It goes without saying that a passphrase should not be the same as any other passphrase currently in use, and should not contain more than three sequential keyboard characters (e.g., 1234 or qwerty). Nor is it recommended to use a single dictionary word, spelled forwards or backwards, from English or any other language. Explain to your employees that they should pick several shorter words and place some numbers in the middle, then change the capitalization and substitute symbols for some of the letters. For example, BluE19c@tJump88tR33 meets these complexity requirements.
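The rules above (no reuse of a passphrase already in service, no run of more than three sequential keyboard characters, no single dictionary word forwards or backwards, and a mix of character classes) can be enforced at the point where a passphrase is set. The following checker is an added example written for this article, not code from the original page or from any product it mentions. The minimum length of 16, the four required character classes, the tiny word list, and the PBKDF2 storage of previously used passphrases are assumptions made for the example; a real deployment would load a full dictionary and keep the stored hashes in its identity system.

```python
import hashlib
import os
import string

# Policy parameters assumed for this example; the article gives the sequential
# and dictionary rules but not a minimum length or the exact character classes.
MIN_LENGTH = 16
MAX_SEQUENTIAL = 3          # "no more than three sequential keyboard characters"

# Keyboard rows plus the alphabet; runs are checked in both directions.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 string.ascii_lowercase]

# Constructed stand-in for a real word list.
DICTIONARY = {"password", "welcome", "dragon", "summer", "blue", "cat", "jump", "tree"}


def has_sequential_run(candidate, max_run=MAX_SEQUENTIAL):
    """True if candidate contains more than max_run adjacent keys of one row,
    in either direction (e.g. 'qwer', '4321', 'abcd')."""
    lower = candidate.lower()
    run = max_run + 1
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lower:
                    return True
    return False


def is_dictionary_word(candidate, dictionary=DICTIONARY):
    """True if the whole candidate is a single word, spelled forwards or backwards."""
    lower = candidate.lower()
    return lower in dictionary or lower[::-1] in dictionary


def character_classes(candidate):
    """Count how many of upper, lower, digit and symbol appear in the candidate."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in candidate) for check in checks)


def _derive(candidate, salt):
    # Slow, salted hash so stored entries never hold the passphrase itself.
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000).hex()


def store_passphrase(candidate):
    """Return the (salt, digest) pair to keep for later reuse checks."""
    salt = os.urandom(16)
    return salt, _derive(candidate, salt)


def check_passphrase(candidate, existing=()):
    """Return a list of policy violations; an empty list means the passphrase passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(candidate) < 4:
        problems.append("missing_character_class")
    if has_sequential_run(candidate):
        problems.append("sequential_run")
    if is_dictionary_word(candidate):
        problems.append("dictionary_word")
    if any(_derive(candidate, salt) == digest for salt, digest in existing):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    stored = [store_passphrase("BluE19c@tJump88tR33")]
    for pw in ("BluE19c@tJump88tR33", "qwerty123", "nogarD"):
        print(pw, check_passphrase(pw, stored))
```

The dictionary test is deliberately narrow, matching the article's rule against a passphrase that is one bare word; it does not catch a word with digits appended, which is why the length and character-class checks sit alongside it. Reuse is tested against salted PBKDF2 digests rather than stored plaintext so the list of previous passphrases is itself not a liability.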
Get A Password Manager
In some cases, you must share passwords to allow multiple people to work without delays, whether they need access to social media platforms, analytics dashboards, or design tools. If someone is out sick or on vacation, others can step in and keep things running using the shared credentials. A password manager for business allows you and your team to securely store distinct passwords and automatically fill them into websites, applications, and other systems. The best password managers are designed to make onboarding easy for individuals and teams so they can access what they need right away.
It’s imperative that your password manager monitors usage patterns and reports on the credentials themselves, such as whether they are reused or outdated, so that sensitive data and systems stay protected against unauthorized access. Security is the number one priority, so you should be notified if any of your saved passwords has appeared in a data breach. Your password manager should be end-to-end encrypted, because that is the only way to guarantee that the information you collect and use to support operations, make decisions, and achieve goals (e.g., improving customer acquisition) stays truly private and secure.
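The three reports the paragraph asks of a password manager (reused credentials, outdated credentials, and credentials seen in a breach) amount to a vault audit. The code below is an added example written for this article, not the code of any password manager; the vault entries, the breach corpus, the reference date and the 365-day age threshold are all constructed for the example. Breached passwords are held and compared as SHA-1 digests, which is the shape a breach lookup usually takes, so the audit never needs the leaked plaintexts themselves.

```python
import hashlib
from datetime import date

# Constructed vault contents, as the manager sees them after decrypting the vault.
VAULT = [
    {"site": "crm.example",  "user": "alice", "password": "Summer2023!",
     "updated": date(2022, 1, 10)},
    {"site": "mail.example", "user": "alice", "password": "Summer2023!",
     "updated": date(2023, 6, 1)},
    {"site": "vpn.example",  "user": "alice", "password": "Winter2019x",
     "updated": date(2023, 1, 15)},
    {"site": "git.example",  "user": "alice", "password": "Tr0ub4dor&3",
     "updated": date(2024, 11, 5)},
    {"site": "wiki.example", "user": "alice", "password": "correct horse battery staple",
     "updated": date(2024, 12, 1)},
]

# Constructed stand-in for a breach corpus, stored as SHA-1 digests.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2023!", "password123")
}

MAX_AGE_DAYS = 365          # assumed threshold for flagging an entry as outdated


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form breach corpora are keyed on."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def audit_vault(vault, breached=BREACHED_SHA1, today=date(2025, 1, 1),
                max_age_days=MAX_AGE_DAYS):
    """Return {site: [issues]} where issues are drawn from
    'reused', 'outdated' and 'breached'; an empty list means the entry is clean."""
    # Group entries by password digest so reuse across sites can be spotted
    # without comparing plaintexts pairwise.
    sites_by_digest = {}
    for entry in vault:
        sites_by_digest.setdefault(sha1_hex(entry["password"]), []).append(entry["site"])

    findings = {}
    for entry in vault:
        digest = sha1_hex(entry["password"])
        issues = []
        if len(sites_by_digest[digest]) > 1:
            issues.append("reused")
        if (today - entry["updated"]).days > max_age_days:
            issues.append("outdated")
        if digest in breached:
            issues.append("breached")
        findings[entry["site"]] = issues
    return findings


def summarize(findings):
    """Count how many entries carry each issue, for a dashboard-style overview."""
    counts = {"reused": 0, "outdated": 0, "breached": 0}
    for issues in findings.values():
        for issue in issues:
            counts[issue] += 1
    return counts


if __name__ == "__main__":
    result = audit_vault(VAULT)
    for site, issues in result.items():
        print(f"{site:14} {', '.join(issues) or 'ok'}")
    print(summarize(result))
```

A real manager would not ship the full breach corpus to the client; the common design sends only the first few characters of the SHA-1 digest to a breach service and checks the returned candidate suffixes locally, which keeps the password (and even its full hash) off the wire. The grouping-by-digest step is also what lets the reuse report run in one pass over a vault of any size.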
Perform Penetration Testing
Penetration testing is a controlled technical exercise in which you conduct a comprehensive security validation of your IT infrastructure and employees. Put simply, you use the same tips and tricks available to real-world threat actors to perform a simulated attack on your own systems. Armed with a good understanding of the vulnerabilities present in your organization (e.g., exposed password hashes), you can verify whether your defenses hold up as you expect. You can send phishing emails or fake login pages to see whether employees reveal their passwords; if that succeeds, you proceed to post-exploitation, where you assess how far the captured credentials take you.
Embarking on a business resilience journey is of the essence, and a penetration test helps measure your ability to withstand a cyberattack, uncovering vulnerabilities across your network, infrastructure, and employees before cybercriminals can. A security incident can be devastating and cause irreparable financial damage, as well as a negative impact on your brand’s reputation. As each organization is different, you must set up a customized business resilience program that meets your specific needs. Once you’ve mapped out your risk landscape, collaborate closely with internal stakeholders and external partners to align on priorities and expectations.
Secure Your Devices
You should secure your devices even if you use a password manager, because your devices are the gateway to your vault. Always keep software updated, enable the firewall, and, where available, enable antivirus protection to guard your data against malware, including viruses, worms, and ransomware. Employees should use PINs and other screen locks on their phones, especially if those devices are used for work or contain sensitive information. Equally important, they should not plug personal USB devices into work machines, since such devices can carry malware or even cause physical damage.
The people within your organization should report unusual device behavior and suspected breaches right away to prevent threats from escalating into serious incidents. Even seemingly minor anomalies, like unexpected pop-ups, sluggish performance, or unfamiliar login attempts, can be early indicators of malware, unauthorized access, or data exfiltration. By encouraging a culture of vigilance, you empower employees to become active participants in your defense strategy, so reinforce the message and provide initial guidance if people are unsure.