Follow These 20 Password Policy Best Practices to Keep Your Company Secure

The Verizon Data Breach Investigations Report for 2016 tells us that 63 percent of hackers targeting small businesses take advantage of weak passwords. What’s more, almost all (93 percent) took mere minutes to compromise systems. It all spells big trouble for America’s small businesses unless you focus on beefing up your passwords and adopting a policy. Follow these 20 password policy best practices to keep your company secure.

Password Policy Best Practices

Understand What Password Policy Is

First you need to walk before you run. Understanding what a password policy is comes before you can build a strong one. A password policy is a set of rules covering how you design the combinations of words, numbers and/or symbols that grant access to an otherwise restricted online area. Passwords can protect your website, software programs and small business networks. They keep them safe from unauthorized entry by ex-employees, curious intruders and, of course, hackers.

Adopt the 8 + 4 Rule

This rule helps you build passwords that are as strong as steel. Use eight characters, with one upper case letter, one lower case letter, a special character like an asterisk and a number. The more random, the better.

Keep Symbols/Numbers Separate

Here’s another hint for an effective password policy to foil hackers. Make sure the numbers and symbols are spread out through the password. Bunching them up makes the password easier to hack.

Don’t Make it Personal

Everyone involved in a small business needs to understand there’s a big difference between security and convenience when it comes to passwords. It needs to be clear that using personal information like your first name and birth date is a recipe for disaster. If a hacker ever gets his hands on company HR data, this information will be the first set of combinations he tries.

Use Different Passwords for Different Accounts

Even if there are several computers in the same department, it’s a bad idea to cut corners by using the same password for each. Use a different one for every device.

Avoid Dictionary Words

It might sound safe to go to the dictionary for a password, but hackers actually have programs that search through tens of thousands of these words. Dictionary attack programs have been around for years.

Keep the Character Limit Down

The average person can only remember 10 characters or fewer. Long passwords run the risk of being written down so they can be remembered.

Adopt Passphrases

Abbreviations are usually immune to dictionary attacks. So TSWCOT, for The Sun Will Come Out Tomorrow, is a good choice for a secure password. Remember to add symbols and numbers.
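As an added example (not code from the article), here is a small Python checker that turns the preceding rules into something a system can enforce: the 8+4 rule, spread-out numbers and symbols, no dictionary words, and no personal information. The word list, the sample passwords and the personal details are constructed for illustration.

```python
import re

# Constructed mini word list standing in for a real dictionary-attack list.
DICTIONARY = {"sunshine", "password", "welcome", "football", "dragon", "monkey"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def char_classes(pw):
    """Return the set of character classes present (the "4" in the 8+4 rule)."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        elif c in SPECIALS:
            classes.add("special")
    return classes


def symbols_are_bunched(pw):
    """True when all digits/symbols form a single run, e.g. 'Sunshine7!'."""
    runs = re.findall(r"[^A-Za-z]+", pw)
    return sum(not c.isalpha() for c in pw) >= 2 and len(runs) == 1


def check_password(pw, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    missing = {"upper", "lower", "digit", "special"} - char_classes(pw)
    if missing:
        problems.append("missing character class: " + ", ".join(sorted(missing)))
    if symbols_are_bunched(pw):
        problems.append("numbers/symbols bunched together instead of spread out")
    # Dictionary check: strip digits/symbols and look for a common word inside.
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if any(word in letters for word in DICTIONARY):
        problems.append("built from a dictionary word")
    # Personal-info check: first name, birth year and similar HR data.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in pw.lower():
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    for candidate in ["Sunshine7!", "Rob1985!", "T$wCo7T_09"]:
        print(candidate, check_password(candidate, ["Rob", "1985"]) or "OK")
```

The third candidate is the TSWCOT-style abbreviation with numbers and symbols mixed through it; it is the only one of the three that passes every check.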

Don’t Change Them Too Often

A good strong password will last for a year or more. Don’t encourage employees to change them any more frequently than that. Otherwise you can wind up with a password1, password2 situation. Hackers look for these patterns.

Don’t Write Anything Down

Granted, committing all of your passwords to memory might get tricky. However, everyone under your small business roof needs to understand not to write anything down. A discarded Post-It can be all a would-be hacker needs.

Discourage Sharing

No one should share passwords over any electronic media. If you can’t find a way of sharing a password without using cyberspace, make sure everyone knows to change it right away afterwards.

Add Other Barriers

When you’re putting together a password policy, make sure to look at the bigger picture. Well-designed passwords put a good lock on the online front door of your company. More robust authentication, like a fingerprint scanner, makes your small business as safe as Fort Knox.

Encourage Weirdness

In the passwords, not your employees, that is. Still, they should understand that the best passwords avoid pop culture and sports terms and anything that’s common. Random groupings following the 8+4 rule work, but so do unique phrases.

Adopt Stronger Policies for Sensitive Accounts

Administrators need to have more robust rules for setting passwords. The more data they have in their electronic baskets, the stronger the policy needs to be.

Enforce the Policy

It’s important that your password policy has disciplinary teeth. Be clear about what happens for infractions, all the way up to dismissal.

Set a Lockout

We’ve all legitimately forgotten a password and needed a few tries to get back in. However, you should set a number that will lock the user out after a few unsuccessful attempts. Four failed logins works.
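The lockout described above, as an added example rather than code from the article: a Python tracker that counts failed logins per user and locks the account at the fourth failure. The 15-minute lockout duration and the FakeClock used to fast-forward time are assumptions for illustration.

```python
import time
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 4      # the article's "four failed logins works"
LOCKOUT_SECONDS = 15 * 60    # assumed duration; the article names none


class LoginGuard:
    """Counts failed logins per user and locks the account after the limit."""

    def __init__(self, max_failures=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock               # injectable so the demo can fast-forward
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:        # lockout expired: clear the counters
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password_ok):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user):
            return "locked"              # refuse even a correct password while locked
        if password_ok:
            self.failures[user] = 0      # a success resets the counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"


class FakeClock:
    def __init__(self, now=1000.0):
        self.now = now                   # constructed clock: advance .now instead of waiting

    def __call__(self):
        return self.now


def simulate(guard, user, outcomes):
    """Feed a list of True/False attempt outcomes and return the statuses."""
    return [guard.attempt(user, ok) for ok in outcomes]
```

Because a lockout counter is keyed per user, a string of failures against one account does not affect anyone else, and the counter clears once the lockout window passes.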

Stay Away from Acronyms

Don’t use these as a shortcut to identifying your department or who you are. It might be tempting for an accountant to use CPA. However, that opens a cybersecurity door wide enough for a hacker to walk right through.

Never Use Remember Password

Search engines and email programs mean well when they ask you this, but in the end it’s just another risk your small business doesn’t need to take.

Never Tell Anyone Your Password

A good policy will stress that no one should ever tell anyone else their password. The systems administrator needs to play gatekeeper here. If someone wants to know a password, they need to go to them.

Keep the Process Private

Finally, stress to everyone involved they need to hide the process from prying eyes. No one should be watching when you type in your password.

Rob Starr is a staff writer for Small Business Trends. Rob is a freelance journalist and content strategist/manager with three decades of experience in both print and online writing. He currently works in New York City as a copywriter and all across North America for a variety of editing and writing enterprises.

5 Reactions
  1. I think changing passwords on a regular basis must be done especially if your employee turnover is high. This will keep your accounts secure.

    • You can use a commercial product to help with this, qwertycards is one and there are others.

    • Instead of changing passwords frequently to deal with high turnover, enforce that everyone has to use their own login credentials and when they leave the account gets cancelled. Second, changing passwords frequently doesn’t reduce risk, as typically people will use the same root password and change the number at the end. What would be a better idea is to compare the old password and ensure the replacement password is not related. I would also recommend that the password cannot start with a capital and end with either a number or special character. Lastly, I would recommend that when corporate passwords are changed, they be run against a list of known compromised passwords and if there is a match the user instructed to choose a new password.

  2. Better yet, STOP using passwords altogether in favor of a more modern identification technology like biometrics. Or, if you are stuck on antiquated passwords, use biometrics as part of a multi-factor authentication strategy.