Many employees are working from home now as a result of the COVID-19 pandemic, increasing the number of external security risks to employers. The coronavirus influenced a 67% surge in remote work, showing a 43% satisfaction rate with employees preferring to work remotely permanently.
Though these statistics show it's more important than ever to optimize password protection practices, it’s just as crucial to adhere to password best practices in and out of the workplace.
Password Best Practices
A surprising number of people don't put effort into their passwords, even when those passwords guard sensitive information. It may be that many people just aren't sure how to secure their passwords. The following best practices will inform and guide employers and their employees to keep passwords safe.
Implement Two-Factor Authentication
Passwords by themselves are no longer enough. Two-factor authentication is an additional layer of security that requires identity verification by asking for:
- Something users know — like a username and password
- Something users have — like a cell phone
Many platforms that require a login, such as email, CRMs, and the like, have the option of implementing two-factor authentication in the settings. Using two or more authentication processes ensures only people who are meant to have access can get it.
Don't Repeat Passwords on Multiple Sites or Cycle Through Passwords
A surprising number of people reuse passwords regardless of the risks. Microsoft revealed that 73% of users have the same password for work and personal accounts. This is a significant issue because all it takes is an insecure personal account getting hacked for the hacker to pose a potential threat to the company.
Similarly, cycling between a handful of passwords can leave a user vulnerable to hackers. Each time you create a password, or are prompted to update a password, it should be completely new.
Change Passwords When Employees Leave
All shared passwords need to be changed when someone is no longer employed by the organization. This small action saves the company from significant risks and dangers, and keeps unwanted users from accessing private information.
Don't Write Down Passwords
Writing down your password is equivalent to turning your home security alarm off and leaving your door unlocked. It’s a welcome invitation for bad actors to use your login credentials without your consent. No matter how strong your password is, it's no longer secure if it can be copied.
If remembering passwords is an issue, there are more effective and secure alternatives than writing them down. For instance, a password manager acts as a digital safe for passwords and usernames, which employees can access when they forget a password.
When security is easy to use, like having password managers and using a multi-factor authentication app, end-users are more likely to participate in security initiatives.
Never Share Passwords
It's simple: sharing your password (especially when many use the same password for personal and work accounts) compromises every account with that password. Though this may be inconvenient for employees who work on teams together, it’s less inconvenient than having passwords stolen and being locked out of portals.
Create a Password Blacklist
A password blacklist is a collection of insecure passwords that shouldn't be used. Make a list of these blacklisted passwords and share copies with every employee. Passwords that should be included on the password blacklist include:
- Common passwords such as Password, 1234, qwerty, and other similar phrases
- Passwords that are too closely linked to a company’s name, address, or similar easily found information
- Passwords or phrases that include employees’ personal information such as phone numbers, birthdays, kids’ names, etc.
Educate Employees Regularly
A constant reminder to employees about password management may seem redundant and maybe even feel unnecessary, but studies plus numerous anecdotes on weak passwords say otherwise.
By continuously educating your employees, you provide them with the knowledge and initiative to implement the best practices in their password creation process. This benefits the organization by putting another layer of security in place, and it benefits employees as they can use these best practices in their personal lives, as well.
Password Mistakes to Avoid
Along with implementing the above best practices, it’s important to avoid some of the common password mistakes that many employees make.
1. Don't Use Common Words or Numbers
Creating a password using common words or strings of numbers is one of the easier ways to have your password hacked and stolen. Common passwords, such as those below, are easy to figure out and are used by many people.
- password or password1
- 123456 (123456789 is equally insecure)
2. Don't Use Information That is Easily Found Online
Google conducted a study of 2,000 people and found that most people use readily available information for their password such as birthdays, anniversaries, and kids’ and pets’ names, meaning that with a little research, only a few simple guesses can crack most people's passwords.
The problem is that hackers expect a lot of people to use very common passwords, like meaningful names and numbers, to help with remembering them. These words and number strings are too obvious to be secure, and are very easy for hackers to figure out.
It only takes a glance at your social media profile to gather basic information, so come up with something not readily available.
3. Not Using a Combination of Upper and Lowercase Letters, Numbers and Symbols
Mixing uppercase and lowercase letters, numbers, and symbols is a good way to create complex passwords when combined with other best practices.
An example of combining these characters is: Passw0rd!
Keep in mind that hackers are aware that letters and numbers are commonly switched, so don't assume implementing this one tip without the others is enough to secure your password.
4. Don’t Use a Password, Use a Passphrase
A passphrase is a sequence of words that creates a phrase. Passphrases, like passwords, can include symbols and numbers, and usually have spaces. For example:
- 2 be or not 2 be, that is the ?
- I love 2 eat ice-cream!
Princeton's Department of Computer Science recommends that passwords be a minimum of 20 characters in length, and that they comprise a minimum of two character sets (letters, numbers, and special characters).
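One way to enforce the password blacklist, the warning about swapped letters and numbers, and the length guidance above when a password is set. This is an added example, not code from the article: the look-alike mapping and reason codes are assumptions, and the common-password set is a small constructed sample.

```python
import re

# Constructed sample entries taken from the article's examples; a production
# blocklist would be far larger.
COMMON = {"password", "password1", "1234", "123456", "123456789", "qwerty"}

# Look-alike characters folded to one canonical letter (assumed mapping).
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "!": "i", "l": "i", "3": "e",
                            "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})
MIN_LENGTH = 20      # minimum length the article cites
MIN_CHAR_SETS = 2    # out of letters, numbers, special characters


def fold(text):
    """Lowercase, undo character swaps, and drop separators/punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LOOKALIKES))


COMMON_FOLDED = {fold(p) for p in COMMON}


def char_sets(password):
    """Count which of the three character sets appear (spaces are ignored)."""
    return sum([any(c.isalpha() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() and not c.isspace() for c in password)])


def check_password(password, context_terms=()):
    """Return a list of reason codes; an empty list means no rule was hit."""
    reasons = []
    folded = fold(password)
    # Also test the password with trailing digits/symbols removed ("Passw0rd!").
    core = fold(re.sub(r"[\W\d_]+$", "", password))
    if folded in COMMON_FOLDED or core in COMMON_FOLDED:
        reasons.append("common")
    # context_terms: company name, address, names, birthdays, phone numbers.
    terms = [fold(t) for t in context_terms]
    if any(len(t) >= 3 and t in folded for t in terms):
        reasons.append("context")
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if char_sets(password) < MIN_CHAR_SETS:
        reasons.append("few_char_sets")
    return reasons
```

Because both the candidate password and the blocklist entries pass through the same `fold` step, `Passw0rd!` is rejected as `password`, while the passphrase `I love 2 eat ice-cream!` passes every rule.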
Keeping Passwords Protected In and Out of The Workplace
A good rule of thumb is, if it's easy for you to remember, it’s not a secure password.
There are now better ways to help employees use more secure passwords, which should be taken advantage of when encouraging the use of complex passphrases.
By establishing stricter password guidelines and educating employees on best practices to minimize potential password risks, employers can help protect their network and sensitive information, plus keep their employees safe whether in the office or working remotely.