Passwords aren’t the be-all and end-all of information security, but they still play a central role in protecting business applications and data. In fact, passwords can also be the weakest link in your cybersecurity framework, especially now that social engineering scammers are out in force to steal login credentials and other sensitive information.
You need a password policy that aligns with the best practices defined by the US government’s National Institute of Standards and Technology (NIST) to prevent fraud and identity theft.
#1. Stop enforcing regular password changes
Until recently, common advice was that forcing your employees to frequently change their passwords is an important best practice, but expert opinion has shifted in recent years. The problem with frequent password changes is that people often just reuse the same passwords but add or change one character.
Worse still, others write their passwords down so they don’t forget them. Changing passwords is also inconvenient and gets in the way of productivity. Lastly, the practice has never been observed to have a positive effect on security and, as we’re now starting to see, may have the exact opposite effect.
#2. Know what makes a strong password
Shorter and simpler passwords aren’t just easier to guess — they can be cracked in seconds using consumer-level computer hardware and some easy-to-find hacking tools. Today’s computers can try millions of combinations per second until they find the right one. A strong password doesn’t use dictionary words and instead incorporates both lower- and uppercase letters, numbers and, ideally, symbols.
If your password is long enough, it will be practically uncrackable, since each extra character increases the cracking time exponentially. An 11-character password, for example, takes up to 10 years to crack, while a 10-character one can take only four months.
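The following Python example is added here to make the length argument concrete; it is not code from the original article or from Netcom Solutions. It computes the brute-force keyspace and entropy for a given length and character set, estimates worst-case cracking time at an assumed guess rate (a placeholder, not a measurement), and runs a simple policy check that reflects the points above: a minimum length, a blocklist of common passwords, and no forced rotation. The common-password set and the guess rate are constructed assumptions.

```python
import math
import string

# Character classes a password can draw from; the comment shows the size each
# one adds to the attacker's search alphabet.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
}

# Constructed sample blocklist. A real deployment screens against a
# breached-password list, not this toy set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}

# Assumed offline guessing rate (guesses/second). Placeholder only: real rates
# depend on the hardware and on the hash the password was stored with.
ASSUMED_GUESS_RATE = 10**10


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search if they know which character classes
    the password uses (the usual brute-force assumption)."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate passwords of exactly `length` over `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Brute-force entropy in bits: log2 of the keyspace."""
    return length * math.log2(alphabet)


def crack_seconds(length: int, alphabet: int, rate: int = ASSUMED_GUESS_RATE) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def length_table(alphabet: int, lengths=range(8, 15)) -> list:
    """(length, entropy bits, worst-case crack time) for each length: shows that
    every extra character multiplies the work by the alphabet size."""
    return [(n, round(entropy_bits(n, alphabet), 1), humanize(crack_seconds(n, alphabet)))
            for n in lengths]


def check_policy(password: str, min_length: int = 12) -> list:
    """Reasons a password fails the policy; an empty list means it is accepted.
    Deliberately no expiry rule: rotation is not part of the policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if alphabet_size(password) < 36:      # any single class is below 36
        problems.append("uses only one character class")
    return problems


if __name__ == "__main__":
    for n, bits, t in length_table(62):
        print(f"{n:2d} chars over 62 symbols: {bits:5.1f} bits, worst case {t}")
    print(check_policy("Welcome1"))
    print(check_policy("correct-horse-battery-staple-9X"))
```

Run it and compare adjacent rows of the table: at a fixed alphabet, each additional character multiplies the worst-case time by the alphabet size, which is why the length rows grow so quickly while the absolute figures depend entirely on the assumed guess rate.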
#3. Implement single sign-on
In the technology world, it’s often said that convenience and accessibility come at the cost of weaker security, but that’s not necessarily the case. In fact, the more complicated a system is, the more likely employees are to find workarounds that compromise security.
Single sign-on systems enable your employees to access all the resources they need for work with one username/password combination. That might sound like a single point of failure, but it makes it much easier to manage data access rights and reduces the amount of administrative work that’s required to keep multiple accounts secure.
#4. Protect against social engineering scams
More data breaches result from human weakness than from vulnerabilities in technology. That’s because social engineering scammers steal login credentials by posing as people the victim knows. Similarly, malicious websites can be designed to capture sensitive information by posing as sites belonging to legitimate companies.
Some scammers will even ask victims outright in an email or instant message for private information while pretending to be representatives of a real company. Since login credentials are a favorite target for phishing scammers, you should take every necessary step to raise awareness and educate your employees on how to protect their passwords from these nefarious individuals.
#5. Require additional verification
Passwords are convenient, and we’re all used to them. They’re not going away anytime soon, but that doesn’t mean they still have to be the first and last line of defense against attackers. With remote employees and contractors now routinely accessing sensitive information from afar, it’s never been more important to take a multilayered approach to information security. That’s not going to happen if you’re entirely reliant on passwords.
To safeguard protected data and applications, you should always enforce an additional verification method, particularly for people connecting from unrecognized devices or networks. Multifactor authentication includes methods like fingerprint scanners, SMS verification, or facial recognition.
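The following Python example is added to illustrate the enforcement described above; it is not code from the original article or from Netcom Solutions. It models a login in which a second factor is always required on top of the password, and a connection from an unrecognized device or network is flagged and given a shorter session. The second factor used here is a time-based one-time code (RFC 6238 TOTP, verified with a constant-time comparison), which is one additional verification method among those the article lists. The user secrets, known devices, trusted network and session lifetimes are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed test data. The secret is the RFC 6238 reference key so the codes
# below match the published test vectors.
USER_SECRETS = {"alice": b"12345678901234567890"}
KNOWN_DEVICES = {"alice": {"laptop-7f3a"}}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

TIME_STEP = 30           # seconds per TOTP window
NORMAL_SESSION_MIN = 480  # assumed lifetime for a familiar login
STEP_UP_SESSION_MIN = 60  # assumed shorter lifetime for an unfamiliar one


@dataclass
class LoginContext:
    user: str
    device_id: str
    source_ip: str


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def second_factor_valid(user: str, submitted: str, now: int) -> bool:
    """Accept the current window and its neighbours to tolerate clock drift;
    compare in constant time so a wrong code reveals nothing via timing."""
    secret = USER_SECRETS[user]
    return any(hmac.compare_digest(totp(secret, now + d * TIME_STEP), submitted)
               for d in (-1, 0, 1))


def unfamiliar_context(ctx: LoginContext) -> list:
    """Reasons the connection looks unfamiliar; each one is worth logging."""
    reasons = []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        reasons.append("unrecognized device")
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        reasons.append("unrecognized network")
    return reasons


def authenticate(ctx: LoginContext, password_ok: bool, code: str, now: int) -> dict:
    """Password first, then the second factor is always required. A login from
    an unrecognized device or network is allowed only with flags set and a
    shorter session, so it stands out in the logs and expires sooner."""
    if not password_ok:
        return {"allowed": False, "reason": "bad password"}
    if not second_factor_valid(ctx.user, code, now):
        return {"allowed": False, "reason": "bad second factor"}
    flags = unfamiliar_context(ctx)
    return {"allowed": True, "flags": flags,
            "session_minutes": STEP_UP_SESSION_MIN if flags else NORMAL_SESSION_MIN}


if __name__ == "__main__":
    office = LoginContext("alice", "laptop-7f3a", "10.20.1.5")
    cafe = LoginContext("alice", "phone-unknown", "203.0.113.9")  # constructed external address
    print(authenticate(office, True, totp(USER_SECRETS["alice"], 59), 59))
    print(authenticate(cafe, True, totp(USER_SECRETS["alice"], 59), 59))
    print(authenticate(cafe, True, "000000", 59))
```

Note that the password check is deliberately a boolean input here: the point of the example is the ordering (password, then a mandatory second factor, then a context-based session decision), not how the password itself is stored or verified.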
Netcom Solutions offers expertly managed and monitored IT services to businesses wanting to get more out of modern technology. Call us today to learn more about our solutions.