Are Your Password Management Practices up to Par?
Passwords are a fact of modern business but often aren't managed well. Here are some tips for creating a business culture conscious of password security.
Join the DZone community and get the full member experience.Join For Free
Doing business in the modern world means creating accounts and passwords weekly and sometimes daily. So what are the best password creation and management practices for businesses? Here's a look at the essentials and tips for getting the most from them. Unfortunately, cyberattacks are on the rise across every industry, but your business doesn't have to be a victim if it knows how to protect itself.
Why Do Businesses Need the Best Password Practices?
According to IBM, the cost of sustaining data breaches is increasing. In 2022, it reached an average of $9.44 million in the U.S. and $4.35 million globally.
A single misplaced or poorly chosen password could cause a growing business empire to grind to a halt, so it's time to pay attention to password management. Unfortunately, small businesses can't fly under the radar anymore, either — they're the target of some 43% of cyberattacks.
Best Password Management Practices for Businesses
The following password creation and management best practices are essential for individuals and businesses. Companies may have employees who don't know about good password hygiene in their personal lives, and the corporate world might be their first exposure to these concepts.
Even for those who are conscious of the importance of password management, it can be difficult to achieve without a strong system in place. Employee burnout is on the rise, especially in fields like healthcare, retail, and even cybersecurity — and as stress and workloads increase, security can often fall by the wayside if it isn't firmly entrenched.
Use this list as a springboard to create a security-conscious culture in your organization that doesn't take anything for granted regarding safety and data governance.
1. Use Unique Passwords Every Time
Using unique passwords is the simplest password hygiene tenet businesses must coach their team members. No two personal or work-related accounts should ever have the same passwords. If they do, hackers can compromise more than one point in your network using the same stolen credential.
2. Make Them Strong
The counterpart to the above point is to ensure each of those unique passwords is strong. That means combining uppercase and lowercase letters, plus numbers and symbols. Alternatively, have team members create passwords using random words unrelated to their personal lives or the company — for example, "CheesyTrainerPanda."
A good rule of thumb is to aim for passwords at least 16 characters long. Ultimately, length is a more important characteristic than complexity but don't phone in either of these.
3. Require Password Managers
Your team members may have multiple passwords to recall and use daily for work purposes. Password manager software provides the means to lock those unique passwords in a protected vault.
Instead of dozens of passwords, individuals use a single one or a biometric scan to unlock their vault. Open-source password managers like BitWarden and KeePass are available, plus paid options like Dashlane, 1Password, and NordPass. Most have desktop and mobile apps and browser extensions to meet you wherever you work.
By requiring password managers, you remove the pressure on the employee that could be caused by always creating strong and unique passwords. Most password managers can generate strong passwords for you, and the obvious benefit of storing passwords means employees don't have to remember them all. For companies facing employee burnout or increased levels of stress, implementing a password manager can both strengthen and simplify security.
4. Take Advantage of MFA/2FA
For example, bad actors found and exploited a problem with Microsoft Azure that allowed unlimited brute-force password guesses. As a result, Microsoft had to make a public statement about the issue and work quickly to patch it. The good news is that companies actively using MFA/2FA are not in the same risk category as others.
5. Don't Change Passwords So Often
It may be wise for C-suite or public leaders to change all their passwords regularly. The jury's out on requiring routine changes for ordinary team members, though. This used to be conventional wisdom regarding password hygiene, but now authorities and tech experts aren't so sure.
The Federal Trade Commission believes already-strong passwords don't need frequent changeover unless you suspect they've been compromised already. Technologists warn that requiring regular password changes could lead to frustration, lost or misplaced credentials, and an even more unsecured environment than you have now. If you want to keep employee passwords off post-it notes, go for strong and complex ones rather than fixed intervals for credential changeovers.
6. Conduct Social-Engineering Awareness Training
About 75% of security experts see social engineering as the most dangerous type of digital threat. The most common type is phishing, which involves bad actors sending employees legitimate-looking emails requesting they confirm their credentials or provide another piece of critical data.
Business decision-makers should find ways to engage their employees in social-engineering awareness training. For example, universities have videos and other resources available that cover the basics of what to look for. From there, companies can also consider hiring training groups to stage fake social engineering attacks to see how workers might respond in a real emergency.
Effective Password Management Is a Shared Responsibility
Every company needs a strong password management system. This doesn't have to be any more elaborate than a set of clearly worded, nondiscretionary guidelines that each team member must abide by. However, they will only take them seriously if they understand why they're important.
Take time to express in written documentation or in person the value of keeping these best practices in mind. Companies can't thrive when their intellectual property or sensitive data is under attack — and some of that information refers directly to employees through payroll databases, company directories, and more. So keep everybody safe by studying these password management best practices and making them a part of your culture today.
Opinions expressed by DZone contributors are their own.