Customers fear privacy leaks. In the U.S., 74% of internet users worry about their online privacy more than ever before. Enforcing a strong password policy and encouraging secure passwords are important for data security in such a high-risk environment.
In this post, you’ll learn:
What is a strong password policy?
A strong password policy is an organization’s first line of defense against intruders. It refers to a set of rules you enforce to improve security. These rules encourage users to create strong passwords and store them properly.
Password policies detail:
- How passwords should be stored
- When to update passwords
- How to use passwords
Organizations often enact a strong password policy as part of their security awareness training.
Importance of password security
Businesses should never underscore the importance of password security. They need to protect their users and their information against common security breaches. An organization’s passwords are as strong as its password policy, so enforcing a strong password policy goes a long way in maintaining a baseline security level.
Here are some scenarios that illustrate the importance of password security:
1. Network security
Weak passwords make it easy for cybercriminals to enter your infrastructure.
In 2021, 36 billion company records were exposed — 61% were caused by stolen or compromised user credentials.
You can prevent these password attacks by having a strong password policy.
For example, it would be difficult for cybercriminals to perform a brute force attack – a cyberattack wherein they break into your account by decrypting passwords using powerful computing machines and trying all combinations — if you have a strong password.
A strong password policy includes guidelines for user authentication.
3. Detection of password sharing or reuse
With high password security, you can detect if the users accessing their accounts are the same users who signed up or are sharing passwords and using each others’ accounts.
Secure password guidelines
Now that you know the importance of password security, let’s delve into the characteristics of a strong or complex password.
The U.S. National Institute of Standards and Technology (NIST) released Digital Identity Guidelines organizations can implement for a strong password policy. The NIST recommends these guidelines when creating a secure password:
While enforcing a strong password policy, you need to set requirements that prevent users from creating weak passwords. You can do so by increasing your password complexity by requiring:
- Uppercase letters
- Lowercase letters
- Special characters
A long password is a strong password as each additional character means more variations — making it harder for brute force attacks to break through.
For a strong password policy, you must generate longer passwords. It complements password complexity.
The NIST encourages users to choose long passwords or passphrases of up to 64 characters (including spaces).
Other studies have also shown that password length was a primary factor of password strength.
Password policy: Essentials
For a strong password policy, you need to cover the following security essentials.
1. Set a minimum password length
Require a minimum password length of eight characters, including at least one uppercase, lowercase, number and special character.
Recommend using a passphrase (minimum of 15 characters).
2. Set a minimum and maximum password age
Password age is the time (in days) you can use a password for.
Setting a minimum and maximum password age can stop users from changing passwords too often and using expired passwords correspondingly.
Windows recommends a minimum password age of one day, while others recommend anywhere between three to seven days.
The NIST guidelines previously recommended password changes every 90 days (180 days for passphrases). The latest NIST recommendation is to create a new password when user accounts are potentially threatened or suspected of unauthorized access.
Avoid setting the minimum password age to 0 days (enabling immediate password changes) as some users might change their minds and revert to their old passwords, compromising network security.
3. Enable multi-factor authentication
Multi-factor authentication (MFA) is used to verify a user, application or device by presenting several identifiers.
It provides an extra layer of security by requiring users to verify using an email or a phone number to access their account, reducing the likelihood of cyberattacks.
4. Restrict password reuse
Although most users understand that simple passwords pose a security risk, 40% of people still reuse passwords because creating a complex password takes time and effort. They find it difficult to remember a strong password.
But while recycling is good for the environment, it’s not for data protection. That’s why you should enforce a password history requirement to limit the use of previous passwords. Storing five to ten previous passwords will stop the reuse of favorite passwords.
5. Restrict failed login attempts
For a strong password policy and network security, you must restrict the number of failed login attempts.
Plugins like Login LockDown record the IP address and timestamp of every failed login attempt. If the number of failed attempts from the same IP range exceeds the set point, it locks down the login function.
Password security best practices
As cybercrime techniques continually evolve, it’s essential to update your education and awareness campaigns. Continuously educate both employees and customers with these password policy best practices:
- Never share your password with others.
- Use different passwords for each account.
- Use a password manager.
- Don’t log in from public computers.
- Check whether your passwords have been compromised.
- Create a secure password.
Let’s go over these in more detail.
1. Never share your password with others
You would never share your ATM pin or credit card security code with anyone, so why would you do the same to your password?
Your login credentials protect information as important as the money in your bank account. If you encounter someone asking for your password, it’s a scam. Report it to IT support in your company and don’t share your password.
2. Use different passwords for each account
You use different keys for your house, car or mailbox. The same should be true for your online accounts.
If a hacker obtains your password, they’ll first check whether that password works for other websites. By using different passwords for each account, hackers won’t be able to access other accounts when they hack into one.
3. Use a password manager
Password managers can resolve that. They encourage complex passwords while eliminating the need to remember them as they store passwords and even generate unique, complicated passwords for you.
Popular password managers include LastPass, Dashlane, OneLogin, RoboForm, KeePass and 1Password.
4. Don’t login from public computers
Using public computers poses a security risk. You don’t know if the owner or previous user installed malware or other malicious software to steal your password.
Someone can also look over your shoulder to view your password. Or you might forget to log out of the computer — leaving your login credentials — letting the next visitor log into your account.
Whether your employees are using a public computer or not, remind users and employees to log out of their accounts after use.
5. Check whether your passwords have been compromised
Web browser extensions like Mozilla’s Firefox Monitor and Google’s Password Checkup can show you your email addresses and passwords that have been compromised in a data breach.
6. Create a secure password
- Passwords must be at least 8 characters.
- Passwords must contain a mix of different characters — uppercase, lowercase, numbers and special characters.
- Your password must not contain personal information.
- Do not reuse old passwords.
Final thoughts: Best practices for a strong password policy
With cyberattacks happening left and right, you cannot ignore the importance of password security. Furthermore, it’s your responsibility to keep your customers and their data safe. One way to do so is by creating and enforcing a strong password policy.
Follow @Bluehost for more website security tips.