Create a password policy for your business
When you’re looking at ways to keep your business network and systems safe, one thing to consider is a password policy for your staff.
If you manage staff in your business, at some point they’ll need access to your network. This means you’ll need to put measures in place to keep their access secure. Strong passwords are a good place to start.
Creating strong passwords for network accounts is an effective way to protect your business and keep it safe from attack. The first thing you need to do is make sure your staff understand what a good password is, and why it’s important. As a rule, passwords should:
- be unique — used for one account only, not reused across many accounts
- be long and strong. A passphrase made up of four or more words is often better than a password (and easier to remember)
- not be based on personal information. For example, don’t use your pet’s name as your password. Personal information like that is easy to find online. It’s often the first thing an attacker will use when trying to access someone’s account
- be kept safe. Encourage your staff to use a password manager to store their passwords.
We’ve put some guidance together on creating good passwords that you can share with your staff.
What you need to do
If you want to make sure your staff create strong, unique passwords for their accounts, you need to give them the tools to do so. This could mean updating your password policy. You’ll have to:
- review the rules around what kind of passwords your system will accept
- define rules that will stop the system accepting weak or common passwords.
Best practice advice on password management has changed. America's National Institute of Standards and Technology (NIST) created new password management guidelines you can follow. Here’s what you need to do.
1. Don’t ask your staff to change their passwords regularly
Asking staff to change their password regularly is counterproductive to good password security. People choose weaker passwords when they know they have to change them often. Rather than choosing a new, unique password, they’re more likely to make a small change to the one they’ve got. This could be as simple as changing their existing password from Password1! to Password2!.
If your system currently prompts staff to change their password on a regular basis, change the setting. Staff should only have to change their password if you suspect their account, or the business network, might be compromised in some way.
2. Don’t set rules about how to compose passwords
Often, creating a password that the system will accept means creating something that has a mix of:
- upper case letters
- lower case letters
- numbers, and
- symbols.
People tend to use predictable methods to meet password requirements like this. It often means they tag a ? or ! to the end of their password so that it includes a symbol. This creates passwords that people find hard to remember. Instead of imposing a set of rules like this, ask your staff to use longer passwords or passphrases.
3. Don’t use security questions and answers as an authenticator
Asking security questions is a common way to authenticate users in a system. For example, if you forget your password, you can still get access to your account by answering a couple of security questions, like:
- Where were you born?
- What’s your pet’s name?
Unfortunately, these kinds of questions are also easy for an attacker to answer. This kind of information is freely available online, particularly on social media. So, use two-factor authentication (2FA) instead. That way, anyone who logs in to your system will need to provide something else to verify that they are who they say they are. This could be a one-time password or code sent to their phone, for example.
4. Don’t let staff set common passwords for their accounts
Set your system up so that it won’t accept common, simple passwords such as Password! or Welcome1. Attackers often use databases of common passwords when they’re trying to gain access to accounts. You can configure your system to only accept long, strong passwords instead. If your staff worry about remembering their passwords, encourage them to use a password manager.
Using a password manager is like putting your passwords in a safe that only you have the key to. They store and protect your passwords, and can also generate new passwords for you. The only login details you’ll need to remember then will be for the password manager itself.
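As an added example, not part of this guidance, here is a Python check that applies the four points above to a candidate password: a minimum length, no composition rules, a blocklist of common passwords that also catches Password2!-style variations, and a check for personal information. The minimum length, the short blocklist and the sample personal terms are assumptions made for the example.

```python
import re

# Assumed minimum length for a user-chosen password (the guidance gives no number).
MIN_LENGTH = 8

# Constructed stand-in for a real common/breached-password list. A production
# system should load a large list instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "iloveyou", "12345678",
}

# The predictable suffix people add to satisfy composition rules (Password2!, Welcome1).
_TRAILING_NOISE = re.compile(r"[\d!?@#$%^&*._-]+$")


def _stem(candidate: str) -> str:
    """Lower-case the password and strip a trailing digit/symbol suffix,
    so Password2! and Welcome1 collapse to 'password' and 'welcome'."""
    return _TRAILING_NOISE.sub("", candidate.lower())


def check_password(candidate: str, username: str = "",
                   personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password fails policy; an empty list means accepted.

    Deliberately no composition rules and no expiry: only short, common,
    single-character or personal-information passwords are rejected.
    """
    reasons = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in COMMON_PASSWORDS or _stem(candidate) in COMMON_PASSWORDS:
        reasons.append("matches a common password (ignoring case and trailing digits/symbols)")

    # Personal information: the account name and any terms the user supplied
    # about themselves (pet name, birthplace, ...) must not appear in the password.
    for term in (username, *personal_terms):
        if len(term) >= 3 and term.lower() in lowered:
            reasons.append(f"contains personal information: {term!r}")

    if len(set(lowered)) == 1:
        reasons.append("single repeated character")

    return reasons


if __name__ == "__main__":
    for pw in ("Password2!", "Welcome1", "Rex2019!!", "correct horse battery staple"):
        verdict = check_password(pw, username="jsmith", personal_terms=("Rex",))
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```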
If you need help configuring your system to meet these requirements, talk to your IT service provider. They’ll be able to make the necessary changes for you.