Cybersecurity can be thought of like home security. You can implement the latest and greatest security technology, but none of that will stop an intruder if you leave your keys out in the open. Your corporate credentials can be thought of as keys to your business. An effective security solution will require that your passwords are properly secured so that you can minimize the risk of a bad actor gaining access to your network and stealing your data and your identity.
This article outlines 7 best practices for proper password hygiene. If any of these practices aren’t already part of your organization’s password requirements, you should strongly consider incorporating them into your policy.
7 Password Best Practices
1. Use Multi-Factor Authentication (MFA) whenever possible
MFA is the number one protection against unauthorized account access. With MFA, after signing in with your username and password, you are prompted to enter an additional code to confirm your identity. MFA can be handled with an authenticator app on your phone (preferred), or via SMS or email. The Microsoft Authenticator or Google Authenticator applications are great options and can be found in their respective app stores.
2. Use passphrases instead of passwords
Cybercriminals use advanced hacking tools to crack account passwords. To better counteract that, it’s useful to use a longer and more complex password, commonly referred to as a passphrase. Rather than create something that’s impossible to remember, like “bjTRAznP<NE\4MWt%s2+\g5(”, we recommend you instead use passphrases, an example of which could be “I Love My Job 100%”. Passphrases are easier to remember and can be written to meet complexity requirements (numbers, letter case, and special characters), and due to their longer length, they’re harder to crack.
3. Don’t reuse passwords
You have different keys for every door lock you require access to – passwords should work the same way. When cybercriminals gain access to one of your accounts, the next thing they do is begin testing other services to see if you have an account and if you’ve used the same password. To maintain your online safety, never reuse passwords across multiple services.
4. Don’t mix your business email account with your personal email account(s)
Using a single email account for business and personal correspondence is not recommended. Doing so might lead to massive data loss when someone cracks your password. Multiple email accounts allow you to keep all your work emails in a single work account, your communication with friends and family in a personal account, and your various website registrations in a recreational account.
5. Observe proper web security when entering your credentials online
Hackers use increasingly sophisticated methods to attempt to steal your credentials. The most common are phishing emails, or malicious links within emails, which when clicked will take you to fake sign-in pages that attempt to trick you into entering your credentials. Be extremely mindful to check who you are receiving emails from, where they are attempting to send you, and whether the website is genuine. If you’re unsure, stop, and seek guidance from a trusted source.
6. Protect your password list
With multiple accounts and passwords, people tend to keep them in one place in a list. Consider using a password manager service in this scenario, as it offers a far greater degree of protection, including multi-factor authentication. One major benefit of a password manager is that it also provides an audit of your online presence, so should you be involved in a situation where you need to reset all your account passwords, you have an easy-to-follow list of credentials you need to attend to.
7. Close accounts that you no longer need
Do you still have your MySpace or Yahoo email account that you haven’t logged in to since the year 2000? A great best practice is to recognize when you no longer need to have an account with an online service. Close all unnecessary accounts to ensure your exposure to cybercriminal attacks is kept down to an absolute minimum. Again, reviewing your credentials in a password manager will help you with this process.
If I practice proper password security hygiene, am I 100% secure?
The short answer is no. Account credentials are held by two parties – yourself, and the 3rd party that authenticates your credentials upon login. Increasingly, 3rd parties become subjects of data breaches, and in some instances (due to poor 3rd party internal security practices) those breaches include leaks of the credentials you have set for their services. If you’re the victim of a 3rd party data breach:
- Reset the credentials associated with the breached account
- Update your password manager accordingly
- Review the account for suspicious activity or changes
- Determine whether you truly need that account to stay open at all
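The audit described in practices 3, 6 and 7 and the breach steps above can be scripted, as in this added example that is not part of the original article. It assumes a password-manager export with the constructed columns `service`, `username`, `password` and `last_used`; real exports use their own column names, and all rows and function names here are made up for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export (not real credentials).
EXPORT = """service,username,password,last_used
payroll,alex@corp.example,constructed-passphrase-A,2024-05-02
webmail,alex@home.example,constructed-passphrase-B,2024-05-10
old-forum,alex@home.example,constructed-passphrase-B,2009-03-14
photo-site,alex@home.example,constructed-passphrase-B,2023-11-30
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def by_password(entries):
    """Group service names by password; only the names leave this module."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["password"]].append(entry["service"])
    return [sorted(services) for services in groups.values()]


def reused(entries):
    """Practice 3: every set of services that share one password."""
    return [group for group in by_password(entries) if len(group) > 1]


def reset_list(entries, breached_service):
    """Breach response: the breached account plus every account that shares
    its password, since that password must now be treated as exposed."""
    for group in by_password(entries):
        if breached_service in group:
            return group
    return []


def stale(entries, today, max_idle_days=730):
    """Practice 7: accounts idle longer than max_idle_days (closure candidates)."""
    return sorted(
        entry["service"] for entry in entries
        if (today - date.fromisoformat(entry["last_used"])).days > max_idle_days
    )
```

A plaintext export is itself a sensitive file: run the audit locally and delete the export afterwards.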
If you’ve followed our 7 Password Hygiene Best Practices above, your risk of a data breach will be kept to a minimum, but there is always a risk that the other party will expose your credentials. It is critical that you only give your data to partners that you can trust to properly protect your information. If you can’t trust that partner or service, think about whether or not you should be working with them in the first place. Or, make sure that you limit the amount of valuable data that you give to them so that you can manage your risk if they experience a data breach.