How secure are your passwords? Even if you’re 100% sure about your password, what about your employees? While passwords alone are not a comprehensive cybersecurity defence, they are the first line of defence against cyber-attacks.
You’ll be more vulnerable to brute force assaults and data breaches if you don’t use a strong password. Just one weak password could put your entire network at risk. That’s why you should think about instituting a comprehensive password policy across your organization.
How Are Passwords Broken?
In order to understand what makes a good password, you first need to understand how hackers are able to compromise them. There are two main methods: brute force attacks and phishing. Phishing involves using fraudulent emails to trick you into handing over your password without realising you are sending it to a hacker.
The other method is to use a brute force attack. This can involve trying different combinations of letters and numbers until a match is found. Rather than starting with “aaaaaa1” and then trying “aaaaaa2”, most hackers will instead use a dictionary attack, which begins by using all the words in the dictionary, as well as combinations and common alterations of them (like swapping the letter “a” for the “@” symbol). They will also try lists of previously hacked passwords.
Hackers won’t conduct these brute force attacks by hand either. They will use software capable of trying hundreds of thousands of these password guesses every minute.
The important thing to take away from this is that the longer and more complex your password is, the more secure it is.
What Makes A Good Password?
These are the core elements of a strong password.
If your password was just the letter “a”, it would be broken instantly by someone trying a dictionary attack. If your password was “apple”, it might hold up a few milliseconds longer. But if it was “apple-house-virginia-cafe”, it would take a dictionary attack significantly longer to guess your password.
You should have a unique password for every service and device you use. Otherwise, someone who guessed or stole your password for one service would have access to everything. If a hacker has already compromised one password, that will be their first guess when they try to break into another one of your accounts.
While having a long password is great, it’s even more secure if you use a combination of letters, numbers, capitalizations, and symbols. The most secure passwords are completely randomised combinations of all these elements. For example, “haOFdt0&WHaa3a!d7pgi3gmV”.
You’re probably thinking, if your password looked like that, you’d never be able to remember it, let alone multiple long, complicated passwords. That’s fine, we wouldn’t expect you to remember them, in fact, it’s safer if you don’t. Confused? Don’t be, we’ll explain…
Why You Should Use A Password Manager
A password manager is a piece of software which generates and stores randomised passwords. These passwords are stored in an encrypted “password vault”. This vault is itself secured by a password known as your master password.
Obviously, you’ll still want to choose a VERY secure master password – but this is the only password you’ll need to remember. Some people will even use an entire sentence as their master password, with some numbers and symbols for good measure.
Most password managers also have browser extensions and mobile apps which will autofill your passwords for you when they detect you are on a website or app that they have a password saved for.
The benefit of using a password manager is that you can have extremely secure passwords without having to worry about remembering them. It’s also much harder to accidentally leak your password if you don’t know it!
Implement Multi Factor Authentication
Multi Factor Authentication (also known as Two Factor Authentication, 2FA, or MFA) involves using an extra piece of information to unlock your account, in addition to your username and password. Most commonly, this is a code generated by an app like Microsoft Authenticator or sent via SMS to your phone.
Having MFA in place automatically increases the security of your passwords. This is because when you use MFA an attacker would not only need your username and password, but they would also need physical access to your unlocked mobile device at the exact moment they were trying to use your password.
Have A Password Policy In Place
Now we’ve covered how to create and store secure passwords, it’s time to make sure that everyone in your organization is implementing the same best practices. To have secure passwords across your organization, you need to implement a password policy.
A password policy acts as a reference for workers when creating new passwords. Before a password is considered legitimate, a password policy may stipulate the minimum number of characters, as well as capitals, symbols, and digits it needs to include.
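As an added illustration (not code from this article), here is one way such a policy could be enforced when a new password is chosen. It goes slightly beyond the character rules above by also rejecting dictionary words disguised with common alterations and previously breached passwords, the two guess lists described earlier. The 12-character minimum, the tiny word lists and all function names are assumptions made for the example.

```python
import string

# Constructed sample data; a real deployment would load a full wordlist and
# a list of previously breached passwords instead of these few entries.
DICTIONARY = {"apple", "house", "virginia", "cafe", "password"}
BREACHED = {"123456", "qwerty", "Password1!"}

# Common alterations a dictionary attack undoes, such as "@" for "a".
SUBSTITUTIONS = str.maketrans("@4013$5!", "aaolessi")

# Character classes the policy requires (assumed: at least one of each).
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "capital letter": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def base_words(password):
    """Return the plain words this password reduces to once alterations are undone."""
    lowered = password.lower()
    # Also try the password with trailing digits/symbols removed ("word1!").
    trimmed = lowered.rstrip(string.digits + string.punctuation)
    return {lowered.translate(SUBSTITUTIONS), trimmed.translate(SUBSTITUTIONS)}

def check_password(password, min_length=12):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    if password in BREACHED:
        problems.append("appears in breached-password list")
    if base_words(password) & DICTIONARY:
        problems.append("dictionary word with common alterations")
    return problems

if __name__ == "__main__":
    for candidate in ("apple", "P@ssw0rd1!", "haOFdt0&WHaa3a!d7pgi3gmV"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that “P@ssw0rd1!” contains every required character class and is still rejected, because it reduces to a dictionary word once the substitutions are undone.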
How To Draft A Password Policy
If you’re not sure where to begin, here’s a step-by-step guide to help you create your own password policy template.
Your team will be more compliant with your password policy if they understand the reasoning behind it. You should emphasise the need for strong passwords and the risks associated with passwords being stolen or hacked.
This should cover which team members, passwords, and accounts are covered by this policy.
- The Policy
A full explanation of all your password policies should be included in the document. You should, for example, mention how often passwords should be changed, what characters or symbols they should include, and how the passwords should be stored and labelled (if you are using a password manager).
While this is an oversimplification of what should go into a password policy, it’s a good place to start. Remember that your password policy may need to change over time as circumstances, technology, and threats change.
We hope this has been a useful overview of the importance of strong passwords and cohesive password policies. If you would like help implementing MFA, migrating your passwords to a password manager, or developing a password policy for your organization – speak to our cybersecurity team today.