Password management is a sore spot for many businesses. Employees hate restrictive and complicated password requirements, but businesses have to keep their systems secure.
Why Be Concerned With Password Policies?
In 2016, 95 passwords were stolen per second, according to one study. Stolen credentials are behind many of the well-publicized data breaches that are becoming more and more common. Despite this, many technology companies still do not enforce strong passwords, simply because it is easier not to.
Most users have had no education on why password security matters, so weak and reused passwords are everywhere. That is why stealing and selling passwords is one of the most lucrative businesses for attackers.
How To Institute Strong Password Policies
Most IT systems, single sign-on providers and packaged websites already include password policy tools; it is just a matter of putting them into practice. Start with clear communication of what a strong password is. Most IT professionals concur that 10 to 15 characters or more, with at least one upper-case and one lower-case letter, a number and one or more special characters, lower the odds of an automated password guesser landing on a user's password. Keep in mind that length does more than character variety: current guidance such as NIST SP 800-63B favors long passphrases checked against lists of known-breached passwords over strict composition rules and forced periodic changes.
Avoid Patterns and Duplicate Passwords
It is also important that users avoid predictable patterns and use a unique password for every account. If a user reuses a weak password on a social media site and that site is breached, the first thing an attacker does is try the same credentials against the user's bank, other social media accounts and even work logins (a technique known as credential stuffing).
Avoid Personal Information
It is also important to educate users not to include personal information in their passwords, such as birth dates, nicknames, or family member names; attackers can often harvest these details from social media. Many systems have built-in functionality to detect such information in a password.
Disallow Known Weak Passwords
Huge lists of very common bad passwords are available online; “123456” and “Password123” are among the most common. Attackers run automated tools that try these passwords against a website's accounts, spacing the attempts just far enough apart to stay under the account lockout threshold. Because the attempts are spread across many accounts, a per-account lockout counter alone does not stop this; failed logins also need to be rate-limited and monitored per source. Once one account is compromised, the same weak password often opens others where it was reused, in a cascade effect.
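The following is an added example, not code from the original article or from PCH, that shows why the pacing described above defeats a per-account lockout and what catches it instead. The log format (timestamp, user, source address, result) and the sample lines are constructed for the demo, and the thresholds (five failures per account in 15 minutes; five distinct accounts per source in an hour) are assumed values, not a recommendation from the article.

```python
"""Detecting a slow password spray that a per-account lockout rule misses.

Added example with constructed log data; the line format and thresholds are
assumptions for the demo, not taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source (203.0.113.7) tries a single password
# against six different accounts, four minutes apart, so no account ever
# accumulates enough failures to lock. The other addresses are normal users.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice 203.0.113.7 FAIL
2024-03-01T09:00:05 alice 198.51.100.20 OK
2024-03-01T09:04:00 bob 203.0.113.7 FAIL
2024-03-01T09:08:00 carol 203.0.113.7 FAIL
2024-03-01T09:12:00 dave 203.0.113.7 FAIL
2024-03-01T09:16:00 erin 203.0.113.7 FAIL
2024-03-01T09:20:00 frank 203.0.113.7 FAIL
2024-03-01T09:20:10 frank 198.51.100.21 FAIL
2024-03-01T09:21:00 frank 198.51.100.21 FAIL
2024-03-01T09:22:00 frank 198.51.100.21 OK
"""


def parse(log_text):
    """Turn 'timestamp user source result' lines into (datetime, user, src, result)."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def per_account_lockouts(events, threshold=5, window=timedelta(minutes=15)):
    """Classic rule: lock an account after `threshold` failures within `window`.

    Returns the set of users that would have been locked out.
    """
    locked = set()
    recent_fails = defaultdict(list)
    for ts, user, _src, result in events:
        if result != "FAIL":
            continue
        # Keep only failures still inside the sliding window, then add this one.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window] + [ts]
        if len(recent_fails[user]) >= threshold:
            locked.add(user)
    return locked


def spray_sources(events, min_accounts=5, window=timedelta(hours=1)):
    """Spray rule: flag a source that fails against `min_accounts` distinct
    users within `window`, regardless of how few failures each user sees.

    Returns {source: number_of_distinct_accounts_targeted}.
    """
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _user) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[src] = len(users)
                break
    return hits


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("locked by per-account rule:", per_account_lockouts(events) or "nobody")
    print("spraying sources:", spray_sources(events))
```

Against the sample data the per-account rule locks nobody, because no user sees more than three failures, while the per-source rule flags 203.0.113.7 for hitting six accounts in twenty minutes. Either count can be fed into a rate limit or an alert; the point is to key it on the source, not only on the account.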
If users are allowed to write their own security question, make it clear that the question must not hint at the password itself. Another mistake is choosing questions with an obvious or very small set of possible answers: an automated program can guess eye color or car make far more easily than, say, a mother’s maiden name, although even that is often discoverable from public records, so security questions should never be the only thing protecting a login. It is best not to allow custom questions at all, as they usually lead to weaker choices.
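To show how the rules from the sections above (length and character classes, no patterns, no personal information, no known weak passwords) fit together in one check, here is an added example; it is not code from the original article or from PCH. The short blocklist, the leetspeak substitution table and the shape of the user profile (`username`, `names`, `birth_date`) are assumptions for the demo, and a real deployment would load a full common-password list or query a breach-check service instead of the inline set.

```python
"""Password policy checker combining the rules discussed in the article.

Added example; the blocklist, profile shape and thresholds are assumptions.
"""
from __future__ import annotations

import re
from datetime import date

MIN_LENGTH = 12   # assumed floor; the article suggests 10 to 15 or more
MAX_LENGTH = 128

# Constructed stand-in for the published most-common-password lists.
COMMON_PASSWORDS = {
    "123456", "password", "password123", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "111111", "abc123", "monkey",
}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Undo common substitutions so "P@ssw0rd" still matches "password".
_LEET = str.maketrans("@$01345!7", "asoieasit")


def _candidates(password: str) -> set[str]:
    """Forms of the password to compare against lists: lowercased, de-leeted,
    and with trailing digits/symbols removed ("Password123!" -> "password")."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered, lowered.translate(_LEET), stripped, stripped.translate(_LEET)}


def _has_sequence(text: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 (abcd, 4321)."""
    for i in range(len(text) - run + 1):
        diffs = {ord(text[j + 1]) - ord(text[j]) for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def _has_keyboard_walk(text: str, run: int = 4) -> bool:
    """True if `run` adjacent keys from one keyboard row appear, either direction."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in text or piece[::-1] in text:
                return True
    return False


def _date_tokens(d: date) -> set[str]:
    """Common ways a birth date gets typed into a password."""
    return {
        f"{d.year}", f"{d.day:02d}{d.month:02d}", f"{d.month:02d}{d.day:02d}",
        f"{d.year}{d.month:02d}{d.day:02d}", f"{d.day:02d}{d.month:02d}{d.year}",
    }


def check_password(password: str, profile: dict | None = None) -> list[str]:
    """Return every policy violation; an empty list means the password is accepted.

    `profile` is an assumed shape: {"username": str, "names": [str, ...],
    "birth_date": date}. Name fragments shorter than three characters are ignored.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 4:
        problems.append("needs upper and lower case, a digit and a symbol")

    candidates = _candidates(password)
    if candidates & COMMON_PASSWORDS:
        problems.append("matches a known common password")

    lowered = password.lower()
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats one character four or more times")
    if _has_sequence(lowered) or _has_keyboard_walk(lowered):
        problems.append("contains a sequence or keyboard walk")

    if profile:
        tokens = {profile.get("username", "").lower()}
        tokens |= {n.lower() for n in profile.get("names", [])}
        tokens = {t for t in tokens if len(t) >= 3}
        if isinstance(profile.get("birth_date"), date):
            tokens |= _date_tokens(profile["birth_date"])
        if any(t in c for t in tokens for c in candidates):
            problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed profile for the demo.
    user = {"username": "jsmith", "names": ["John", "Smith", "Rex"],
            "birth_date": date(1985, 7, 14)}
    for pw in ("Password123!", "P@ssw0rd!2024", "Smith-1985-Ok", "Blue-Kettle-Sings-42!"):
        print(f"{pw!r}: {check_password(pw, user) or 'accepted'}")
```

The de-leeting and stripping step is what makes the blocklist useful: “P@ssw0rd!2024” satisfies every composition rule and is still rejected because it normalizes to “password”. The personal-information check compares the normalized forms as well, so “Smith-1985-Ok” is caught on both the surname and the birth year.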
If your business doesn’t have a strong and comprehensive password policy, fill out our contact form today and PCH will help you build a bulletproof login system that can protect your business from these threats.