New Year’s resolutions to improve password security

The New Year is the perfect time for business owners and managers to make resolutions that can steer the company in the right direction. Given the importance of cybersecurity in today’s business environment, they should make the following seven resolutions to bolster password security:

1. Use long passwords

The National Institute of Standards and Technology (NIST) no longer recommends combining upper- and lowercase letters, numbers, and special characters to create a password. This is because such passwords are hard to memorize, leading to poor practices like writing down passwords on paper and using passwords with minimal variations.

Instead, NIST recommends using long passwords with at least eight characters — the longer the password is, the harder it is to guess, since it has more possible permutations. In fact, a 12-character password takes 62 million times longer to crack compared to a password with just six characters.

To help users remember long passwords, NIST recommends using passphrases, which are composed of a sentence or combination of words. It’s best to use a passphrase with at least five random words. If you’re having difficulty coming up with random words, you can use free passphrase generators like Secure Passphrase Generator or Diceware.

2. Screen passwords against breached password lists

Check whether any of your employees are using breached passwords by leveraging websites like Have I Been Pwned that collect database dumps and pastes of leaked accounts. You can also use the password health monitoring feature of some password managers, which alerts you if your credentials are part of any data breach list.

You should also disable accounts that use breached passwords and require the respective users to change passwords. This is to protect your company against credential stuffing attacks, in which attackers use stolen credentials to gain access to accounts.

3. Enforce a banned password list

A great way to prevent users from having weak and compromised passwords is to create a banned password list. NIST recommends including the following in your list:

  • Passwords exposed in previous breaches
  • Dictionary words (e.g., iloveyou)
  • Repetitive characters (e.g., 333)
  • Sequential characters (e.g., 1234 or abcd)
  • Context-specific words (e.g., username)
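One way to implement such a screen, covering both the breach check from resolution 2 and the NIST categories listed above, as an added example that is not part of the original post. The breach corpus (stored as SHA-1 hashes, the form breach lists are usually distributed in), the dictionary, and the company name "Acme" are constructed placeholders:

```python
import hashlib
import re

# Constructed sample data: in practice, load these from a breached-password
# corpus (e.g. a Have I Been Pwned download) and your own word lists.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "letmein", "qwerty123")
}
DICTIONARY_WORDS = {"iloveyou", "password", "welcome", "dragon"}
CONTEXT_WORDS = {"acme", "acmecorp"}  # hypothetical company name
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords


def has_repetition(pw, run=3):
    """True if any character repeats `run` or more times in a row (e.g. '333')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step by +1 or -1 (e.g. '1234', 'dcba')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, username=""):
    """Return the list of reasons the password is banned (empty list == accepted)."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    # Compare hashes so the plaintext breach corpus never needs to be stored.
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        reasons.append("found in breach corpus")
    if any(w in lowered for w in DICTIONARY_WORDS):
        reasons.append("dictionary word")
    if has_repetition(pw):
        reasons.append("repetitive characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    if username and username.lower() in lowered:
        reasons.append("contains username")
    if any(w in lowered for w in CONTEXT_WORDS):
        reasons.append("context-specific word")
    return reasons
```

A long random passphrase passes every rule, while a short, breached or company-themed password is rejected with the specific reason, which is what you would show the user at password-change time.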

4. Don’t reuse passwords across multiple accounts

Always use unique passwords for all of your online accounts. Otherwise, attackers who manage to steal your password can use it to break into every account that shares that password.

5. Use a password manager

A password manager is a program that can create strong, unique passwords and securely store all of your login credentials. To unlock it and gain access to your credentials, you simply need to provide your master password or scan your fingerprint. This eliminates the need to memorize multiple passwords.

Password managers usually also have an automatic form-filling feature with browser extensions, in which the appropriate login credentials are provided immediately when a particular URL loads. This can safeguard you from malicious phishing sites with URLs that look almost identical to those of legitimate websites.

While most browsers have the same automatic form-filling feature, these are not secure. The password management function of most browsers prioritizes convenience over security, which may leave your sensitive data exposed and vulnerable. By contrast, a stand-alone password manager offers stronger protection for your credentials without sacrificing user experience.

6. Change passwords only if they were compromised

NIST no longer recommends periodic password changes (e.g., every 60–90 days) since there isn’t much evidence that this practice improves security. It may even push users to resort to passwords that are easy to memorize and to crack.

Instead, require users to reset their passwords only when there are signs of compromise, such as failed login attempts or suspicious activities detected by your monitoring system.
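An illustration of what "signs of compromise" can look like in practice, as an added example that is not part of the original post: a monitoring rule that flags an account for a forced reset when it sees a burst of failed logins, and escalates if a successful login then follows that burst. The log lines and the simplified sshd-like format are constructed:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified sshd-like format.
SAMPLE_LOG = """\
2024-01-02T09:00:01 Failed password for alice from 203.0.113.7
2024-01-02T09:00:03 Failed password for alice from 203.0.113.7
2024-01-02T09:00:05 Failed password for alice from 203.0.113.7
2024-01-02T09:00:06 Failed password for alice from 203.0.113.7
2024-01-02T09:00:09 Failed password for alice from 203.0.113.7
2024-01-02T09:00:12 Accepted password for alice from 203.0.113.7
2024-01-02T09:10:00 Failed password for bob from 198.51.100.2
2024-01-02T09:45:00 Accepted password for bob from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def accounts_needing_reset(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: reason} for accounts whose history signals compromise:
    `threshold` or more failures inside a sliding `window`, escalated when a
    successful login follows such a run (guessing that eventually succeeded)."""
    failures = defaultdict(list)
    flagged = {}
    minutes = int(window.total_seconds() // 60)
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            # Keep only the failures that still fall inside the window.
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) >= threshold:
                flagged[user] = "%d failures within %d min" % (len(failures[user]), minutes)
        elif result == "Accepted" and user in flagged:
            flagged[user] = "successful login after " + flagged[user]
    return flagged
```

Accounts in the returned map are the ones a reset should be required for; a single mistyped password, as with bob above, does not trigger anything.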

7. Enable multifactor authentication (MFA)

MFA is a security measure that requires users to provide two or more pieces of evidence (e.g., a password and a code from an authenticator app) to gain access to their accounts. This way, even if a hacker steals your login credentials, they would still need to fulfill the other authentication requirements before they can access your account.

You can turn to Fidelis for all your cybersecurity requirements. Our IT security experts can help you prevent, detect, and respond to all types of cyberthreats. Get in touch with us today.
