Tips for Keeping Company Data Secure While Working Remotely: Password Practices
Due to the Covid-19 pandemic, many companies around the globe have no other option than to allow employees to work from home.
While likely safer for employees’ health, handling company data outside of the office environment could introduce new risks to organizations. In our blog series, Security in the Age of Remote Work, we’ll provide best practices and tips on keeping company data secure, regardless of employees’ locations.
Given that over 80% of hacking-related breaches involve the use of lost or stolen credentials, one of the most obvious and fundamental ways of protecting your information is by adopting good password security practices.
Require Strong Passwords
What it means to be “strong” has evolved over time, but many security experts now agree that a passphrase made up of multiple, unrelated words is far better than a shorter password with numbers and special characters. In fact, the National Institute of Standards and Technology (NIST) recommends doing away with stringent complexity requirements as they are unnecessarily burdensome for end-users and lead to poor password behavior, as people who forget their complicated passwords tend to replace them with weaker ones. Passphrases are easier for users to remember, but harder for a hacker to guess. When creating a passphrase, be sure not to include any personal data, such as name, date of birth, address, or anything else that would be easily guessable.
Get Rid of Periodic Password Reset Requirements
Another guideline that has fallen out of favor is that of periodic password reset requirements. Not only are these frustrating for users who are forced to change their password several times per year, but they are counterproductive as people are more likely to choose weaker or common passwords that they find easier to remember (and easier for hackers to crack). The NIST recommends changing passwords only if they have been exposed or there is other evidence they have been compromised.
Screening passwords against a list of commonly used and compromised passwords is another practice endorsed by the NIST. Guessing common passwords is one of the easiest ways for hackers to brute-force their way into an organization, so companies should strongly consider using a tool that scans for, and flags, accounts whose passwords may pose a risk.
Don’t Mix Business With Pleasure
Although tempting, reusing passwords is not advised for the obvious reason: if one account becomes compromised, they are all vulnerable. Because remembering numerous passwords can be difficult, it is recommended to invest in a password manager, such as LastPass, to keep track of passwords. In that case, the user only has to remember one password: the password to unlock his/her LastPass vault.
A Few Additional Recommendations
Passwords should be at least eight characters long; the FBI recommends at least 15 characters.
Skip password hints and knowledge-based security questions. In the age of social media, these are usually easy for others to figure out.
Allow no more than 10 authentication attempts. That is enough for a forgetful user, but far too few for a hacker trying to guess a password.
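The rules above (a minimum length with a longer recommended length, screening against a compromised-password list, rejecting passphrases that contain personal data, and a cap of 10 authentication attempts) can be enforced in a few dozen lines of server-side code. The following is an added example written for this post; it is not code from the post's author or from any password-manager vendor. The compromised-password list is a constructed six-entry stand-in for a real breach corpus, the personal-data check is a simple substring match, and the AccountStore class and its method names are hypothetical. Password storage uses scrypt with a per-user salt, which is a choice of this example rather than a recommendation quoted from the post.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed, illustrative excerpt of a "commonly used / compromised" list.
# A real deployment loads a full breach corpus (millions of entries); these
# few entries exist only so the example runs offline.
COMPROMISED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "summer2020",
}

MIN_LENGTH = 8            # floor stated in the post
RECOMMENDED_LENGTH = 15   # FBI recommendation cited in the post
MAX_ATTEMPTS = 10         # attempts allowed before the account locks


def evaluate_password(password, personal_data=()):
    """Apply the post's rules. Returns (accepted, issues).

    Hard failures (too short, on the compromised list, contains personal
    data) reject the password. A length between 8 and 14 is accepted but
    reported, so the UI can nudge the user toward a longer passphrase.
    """
    pw = unicodedata.normalize("NFKC", password)  # normalize before comparing
    lowered = pw.lower()
    issues, accepted = [], True
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
        accepted = False
    elif len(pw) < RECOMMENDED_LENGTH:
        issues.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if lowered in COMPROMISED_PASSWORDS:
        issues.append("found in the compromised-password list")
        accepted = False
    for item in personal_data:  # e.g. name, year of birth, street name
        item = item.strip().lower()
        if len(item) >= 3 and item in lowered:
            issues.append(f"contains personal data: {item!r}")
            accepted = False
    return accepted, issues


def hash_password(password):
    """scrypt with a fresh 16-byte random salt; returns (salt, digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


# Dummy credential so unknown usernames cost the same as real ones (no timing oracle).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("unused-placeholder")


class AccountStore:
    """Hypothetical in-memory account store with an attempt counter per user."""

    def __init__(self):
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> consecutive failed attempts

    def register(self, username, password, personal_data=()):
        accepted, issues = evaluate_password(password, personal_data)
        if accepted:
            self._users[username] = hash_password(password)
            self._failures[username] = 0
        return accepted, issues

    def is_locked(self, username):
        return self._failures.get(username, 0) >= MAX_ATTEMPTS

    def attempt_login(self, username, password):
        """Return 'ok', 'bad-password' or 'locked'.

        The first MAX_ATTEMPTS attempts are checked; once that many have
        failed in a row the account is locked and no further guesses are
        evaluated until an administrator or a verified reset clears it.
        """
        if self.is_locked(username):
            return "locked"
        stored = self._users.get(username)
        salt, digest = stored if stored else (_DUMMY_SALT, _DUMMY_DIGEST)
        candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
        if stored and hmac.compare_digest(candidate, digest):
            self._failures[username] = 0   # a successful login resets the counter
            return "ok"
        if stored:
            self._failures[username] += 1
        return "bad-password"
```

Two design points worth noting: the response for an unknown username is deliberately identical to a wrong password (same string, same scrypt cost), so the login endpoint does not confirm which usernames exist; and the counter only resets on a successful login, so a legitimate user who is locked out needs a verified reset path rather than simply waiting.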
By implementing the above recommendations, organizations can lessen the chances of passwords being a weak link in their security, potentially saving thousands in avoided data breaches.