IT Security

Password Policies Can Make or Break Your Business Security

Alexander Darcy




    Passwords are the keys to your business’ digital kingdom, so it’s important to choose them with care and follow strict policies.

    You wouldn’t leave the office front door unlocked and wide open every night, but that’s exactly what you’re doing if you’re using “password” as your password for important business systems. It’s vital that you create strong passwords that are complex and difficult to guess, but there are other issues to consider when creating a robust set of password policies to keep your business safe.

    Changing passwords regularly might seem like a hassle, but it limits how long a leaked password stays useful. Hackers aren't always out to make a splash; sometimes their goal is to quietly lurk in your systems, spying on your activities and syphoning off sensitive information. Expiring passwords means that a password which has leaked without anyone noticing only works for a limited window. Be clear about what expiry does not do, though: an intruder who has already used a stolen password to plant their own access (a new account, a backdoor) is not evicted by a rotation, and forcing people to change passwords too often drives them towards predictable patterns. Current guidance such as NIST SP 800-63B favours changing a password promptly whenever compromise is suspected over changing it on a fixed calendar, so choose the expiry interval with that trade-off in mind.

    When implementing password policies it’s obviously important to strike a realistic balance between security and convenience. In theory you could force all your staff to create a new password every day, but people are only human and if you make your password policies too onerous they’ll respond by choosing weak passwords and getting into other bad habits such as writing passwords on post-it notes.

    What makes for a good password?

    Passwords need to be hard to guess; you shouldn't use dictionary words because they're the first thing cracking tools try. A dictionary attack runs through every word from “aardvark” to “zebra” in the hope of striking gold, and only after that does a true brute-force attack start trying every combination of characters. Don't bother swapping out letters for numbers, such as “z3br4”: cracking tools apply those substitutions automatically as “mangling rules”, along with capitalisation changes and common suffixes like “1” or “!”, so a mangled dictionary word falls almost as quickly as the plain word.

    Along with brute force attacks, hackers also rely on the fact that some people choose passwords that are easy to guess if you know a little bit about them. It’s a bad idea to use the name of your spouse, your children or your pets as your password, especially as this information is often freely available online via the likes of social media. Favourite athletes, sporting teams and holiday destinations also make for weak passwords, because hackers rely on the fact that we’re creatures of habit.
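    As an added example (not code from the article), the following Python sketches how a dictionary attack expands a wordlist with the case, leet-substitution and suffix rules described above and tests the results against leaked password hashes. The wordlist, the hashes and the rule set are constructed for illustration; real tools such as hashcat or John the Ripper ship with far larger rule files, and real systems store salted, slow hashes, but neither changes the point: a password the rules can generate falls immediately, while the long passphrase from the next section does not.

```python
import hashlib
import itertools

# Constructed stand-in for a real wordlist (assumption for this example).
WORDLIST = ["aardvark", "beatles", "finance", "password", "ringo", "zebra"]

# Letter-for-digit swaps that cracking tools apply automatically as mangling rules.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Suffixes people bolt on to satisfy a "must contain a digit or symbol" rule.
SUFFIXES = ("", "1", "!", "123")


def leet_variants(word):
    """Yield the word with every subset of its leet-able letters swapped (plain word first)."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for n in range(len(positions) + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(wordlist):
    """Expand each dictionary word into the guesses an attacker would actually try."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    yield variant + suffix


def sha256_hex(password):
    """Unsalted SHA-256 stands in for a leaked hash; guessability, not hash speed, is the point."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes, wordlist):
    """Return {hash: plaintext} for every target hash that a generated candidate matches."""
    remaining = set(target_hashes)
    found = {}
    for guess in candidates(wordlist):
        if not remaining:
            break
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
    return found


def demo():
    """Crack a constructed set of leaked hashes; returns the recovered plaintexts, sorted."""
    leaked = [sha256_hex(p) for p in ("password", "z3br4", "Ringo1",
                                      "WeAllLiveInAYellowSubmarine*1969")]
    return sorted(crack(leaked, WORDLIST).values())


if __name__ == "__main__":
    print(demo())  # the three weak passwords fall; the passphrase does not
```

    Note that “zebra” alone expands to 36 guesses with this tiny rule set; a production rule file multiplies each word by thousands, which is why the “replace a with 4” trick buys nothing.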

    The strongest passwords look like total gibberish, using a mixture of upper and lowercase letters along with numbers and other symbols, and above all they are long: every extra character multiplies the number of combinations an attacker has to try. Of course, these kinds of passwords are tough for people to remember, although there are tricks to help you devise a password that's easy for you to recall but hard for a person to guess or a computer to crack.

    Remember this handy trick

    Rather than a password, consider a passphrase that also includes a mix of characters. If you're a fan of The Beatles, don't opt for a weak password like “TheBeatles” or “Ringo”; instead, choose something just as memorable but far more complex such as “WeAllLiveInAYellowSubmarine*1969”. If you want a more random-looking password, you could sing the first lines in your head to devise a complex password like “ItTwIwB*LaMwStS+69”. One caveat: the lyrics of famous songs are themselves in cracking wordlists, so the strength comes from the length, the added digits and symbols and your own variation, not from the line itself. Never use the exact, unaltered lyric.

    Whatever tricks your people use to dream up passwords, your password policies should enforce minimum length, complexity and expiry. We rely on the domain policy features in Active Directory, but other systems should offer similar controls. It also helps to keep a history of previous passwords, stored as salted hashes rather than in the clear: it stops people cycling back to an old favourite, and if a failed login attempt presents a password that has been retired, that old credential has leaked and someone other than its owner is trying it, so treat it as a sign of compromise rather than a typo.
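    As an added illustration (not the article's own code, and not how Active Directory implements its group policy), the Python below encodes the checks such a policy performs: minimum length, character classes, no username inside the password, a salted password history, a maximum age, and the “failed login with a retired password” signal described above. The policy numbers, the PBKDF2 round count and the sample passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy values are assumptions for this example, not settings taken from the article.
MIN_LENGTH = 14
MIN_CLASSES = 3                 # of lower, upper, digit, symbol
HISTORY_SIZE = 24               # previous passwords that may not be reused
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 50_000

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def hash_password(password, salt=None):
    """Salted PBKDF2 hash, so the history never stores plaintext or reusable digests."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, stored):
    """Constant-time comparison of a password against one (salt, digest) history entry."""
    salt, digest = stored
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


def check_password(candidate, username, history):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, candidate))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, need {MIN_CLASSES}")
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    if any(matches(candidate, entry) for entry in history[-HISTORY_SIZE:]):
        problems.append("reused from password history")
    return problems


def password_expired(last_changed, today):
    """True once the password is older than MAX_AGE; both arguments are ISO dates (YYYY-MM-DD)."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_AGE


def failed_login_uses_old_password(attempt, history):
    """A failed login that presents a retired password means that credential leaked and
    someone other than the owner is now trying it: treat it as a compromise signal."""
    return any(matches(attempt, entry) for entry in history)


if __name__ == "__main__":
    past = [hash_password("OldWinter2019!!"), hash_password("OldSpring2020!!")]
    print(check_password("jsmith123", "jsmith", past))
    print(check_password("WeAllLiveInAYellowSubmarine*1969", "jsmith", past))
    print(password_expired("2024-01-01", "2024-04-01"))
    print(failed_login_uses_old_password("OldSpring2020!!", past))
```

    The history check deliberately hashes each entry with its own salt: a history table of unsalted hashes is itself a target, since an attacker who steals it can crack the old passwords and learn the user's pattern for the next one.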

    It’s especially important to pay close attention to your password-related group policies in an age when many companies have single sign-on, synchronisation or pass-through authentication in place. This means that one username and password might unlock email, business systems and even access to third-party applications and services. Business owners often don’t appreciate the breadth of the issue and how much damage one weak password can cause.

    Don’t leave gaps in your system

    Strong password policies go hand-in-hand with strong account policies, paying particular attention to the use of generic accounts. Many companies implement robust password and account policies for full-time employees but create exceptions for generic roles and temporary positions. That is a mistake: a shared account's password is known to everyone who has ever used it, is rarely changed when one of them leaves, and its actions can't be attributed to an individual, so these accounts are often the easiest way in for a former staff member or anyone else who has picked up the credential. That matters because a large share of breaches involve insiders or the misuse of legitimate credentials rather than a technical exploit.

    Good account policies ensure that every account maps to a named person and doesn't use a generic login like “finance” or a simple password like “finance1”. It's also important that your HR exit procedures include disabling accounts on the day someone leaves (disable rather than delete, so the audit trail survives). Short-term accounts for contractors and temporary staff should be set to expire automatically on their end date, and you should undertake regular audits to check for dormant accounts that haven't logged in for months and for expired or departed users whose accounts are still enabled.
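    As an added example (not code from the article), the Python below runs the audit just described over a constructed export of directory accounts joined with an HR “still employed” flag, and reports every enabled account that is generic, dormant, past its expiry date, or belongs to someone who has left. The account records, field names and the 90-day dormancy threshold are assumptions for the example; a real run would pull the same fields from the directory and the HR system.

```python
from datetime import date, timedelta

# Logins that denote a role rather than a person (assumption for the example).
GENERIC_NAMES = {"finance", "admin", "reception", "temp", "guest", "sales"}
DORMANT_AFTER = timedelta(days=90)

# Constructed directory export joined with an HR flag. Field names are assumptions;
# a real run would read these from the directory and the HR system.
ACCOUNTS = [
    {"name": "a.darcy", "enabled": True, "last_logon": "2024-05-30",
     "expires": None, "employed": True},
    {"name": "finance", "enabled": True, "last_logon": "2024-05-29",
     "expires": None, "employed": True},
    {"name": "contractor07", "enabled": True, "last_logon": "2023-11-02",
     "expires": "2024-01-31", "employed": False},
    {"name": "j.bloggs", "enabled": True, "last_logon": "2024-01-15",
     "expires": None, "employed": False},
    {"name": "m.chen", "enabled": False, "last_logon": "2023-08-01",
     "expires": None, "employed": False},
]


def audit(accounts, today):
    """Return {account name: [findings]} for every enabled account that breaks account policy.
    `today` is an ISO date string so a run is reproducible."""
    now = date.fromisoformat(today)
    findings = {}
    for account in accounts:
        if not account["enabled"]:
            continue  # already disabled: that is the outcome we want
        issues = []
        if account["name"].lower() in GENERIC_NAMES:
            issues.append("generic login not tied to a named person")
        idle = now - date.fromisoformat(account["last_logon"])
        if idle > DORMANT_AFTER:
            issues.append(f"dormant for {idle.days} days")
        if account["expires"] and date.fromisoformat(account["expires"]) < now:
            issues.append("past its expiry date but still enabled")
        if not account["employed"]:
            issues.append("owner has left but the account was not disabled at exit")
        if issues:
            findings[account["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, "2024-06-01").items():
        print(name, "->", "; ".join(issues))
```

    Disabled accounts are skipped on purpose: the audit exists to find the gaps, and a departed user whose account is already disabled is the exit procedure working as intended.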

    You wouldn’t leave spare front door keys lying around the office, so make sure you don’t leave open spare user accounts as a way to sneak into your business.