3 Tips to Refine Your Organization’s Password Standards
Without strict password guidelines, your organization’s most private data could be left vulnerable. We checked in with one of our Cyber Insurance Underwriters to learn more about this risk and provide a few quick tips to reevaluate your password management.
October 8, 2024
Weak passwords are a major cybersecurity risk, exposing organizations to potentially unauthorized access by cybercriminals and reputation-damaging cyber incidents. However, this harm is extremely preventable when employees are routinely advised on best practices and when companies set strict password standards.
“A strong standard user password begins with 12 characters, but increase that to 14 characters, along with a mix of uppercase and lowercase letters, numbers, and a symbol, and you begin to see a very complex password,” said Jeremy Schumacher, Director of Cyber Insurance Underwriting. “The key to all of this is that passwords should not be shared; that is, an individual should not share their password with others, nor should they utilize the same password across multiple accounts or systems.”
This Cybersecurity Awareness Month, employers who are even a little admittedly behind on their password hygiene practices can clean up their act with these three tips.
1. Encourage Use of a Password Management System
Password managers can help keep organizational accounts safe, especially important for those handling personally identifiable information (PII) or protected health information (PHI). They store and manage passwords in a secure vault and often include features like password syncing, strong password suggestions, and secure password sharing. This can be particularly helpful for employees who often forget passwords and may be storing access in unsecured locations. They can also help prevent phishing attacks by preventing password reuse and notifying users of data breaches.
2. Frequently Change Default Credentials for Privileged Access Management (PAM) Tools
Unlike standard user accounts, privileged accounts are reserved for users with elevated capabilities and access, such as specialized IT employees. Typically used for administrative functions like system changes or to execute commands for restricted users, privileged access requires credentials that are a special target for cybercriminals. In fact, according to Forrester Research, 80% of security breaches involve privileged credentials. Instead of giving cybercriminals the keys to the kingdom, organizations should enforce strong password practices for their PAM. Frequently rotate passwords, implement one-time password use for sensitive accounts, and eliminate all password sharing. Additionally, all credentials should be centralized in a tamper-resistant format.
3. Enforce Strong Password Creation Policies
Strong passwords are the backbone of cybersecurity, protecting the most vulnerable information, but knowing how to create one requires a certain level of basic knowledge. The systems password chart below from Hive Systems provides a basic understanding of password creation used to prevent brute force attacks, which use trial-and-error methods of password combinations to gain access to accounts. This table has been updated yearly since 2020 to provide organizations with guidelines for creating the safest passwords. As noted by its creator, this year’s table focuses on hashing, which is “a scrambled version of text that is reproducible if you know what hash software was used.” It is used to turn data into a string of text that cannot be reversed or decoded.