Every business should have a password policy.
Do any of your employees have the keys to your office? Do you keep any valuables locked away? If so, how many people have access? It is our experience that physical keys are issued with careful consideration, and only a few individuals are entrusted with these responsibilities.
Passwords are the keys to your business information. They need to be treated with as much care as the physical keys issued to your staff.
Passwords are arguably the most vulnerable aspect of a computer network, but they are often handled carelessly and viewed as a nuisance. Passwords are written on post it notes, stuck to monitors and keyboards, left in the open for all to see. They are shared carelessly. People use the same password to access all different kinds of accounts. That post it note innocently stuck to the monitor could be broadcasting access to a bank account somewhere.
You can easily imagine what thieves would steal, and how easily they could rob your business if they were given the keys to your office. Surprisingly many people think that there is nothing critical to protect with their business accounts. We’ve heard all too often, “Oh I just have some Word documents and emails. There is nothing to steal.” Here are just some of the things that can be stolen with unauthorized access to your company’s business passwords: bank accounts, social security numbers, credit cards, confidential financial information, confidential transactional information, confidential staff information, etc… Additionally, there are many things that can be DONE by someone with unauthorized access: deletion of data, impersonation of business, false creation of credit and bank accounts, introduction of ransomware, email and social media hijacking, unauthorized purchasing, theft of inventory, forgery, embezzlement, etc…
Passwords are the keys to access all of these things and must be handled responsibly.
Business passwords must also be inventoried. You probably know who has access to your bank accounts, but what about access to your business’s various social media account? What about access to vendor accounts from office supplies to health care? How do you control access if someone were to leave on bad terms or simply not show up one day? Administrative business accounts must be associated with a business email address and should not be associated with individual staff. As much as we love our people, we hate to admit, accounts should be created with the expectation that staff turnover is the reality.
You and your staff must use strong passwords.
There are various methods for determining password strength. A good resource for the detailed nuances of password strength is Rumkin.com’s password strength tester. In short:
A strong password should be at least 10 characters or longer with a mix of shifted characters and should not string together common words, phrases, dates, or things associated with you: “El3ph#nts!”. On the other hand, a long password of 20 letters or more of randomly chosen words is such as “magnicifentelephants” has a stronger security rating than the shorter password with varied characters. These passwords are memorable.
A stronger password is long and is randomly generated: “k&cfHsf9epYxT$w88YsY”. These passwords are far more secure as they are not easily memorable. Using them often requires some sort of password management (read on).
Weak passwords are short, contain common words, phrases, dates and something associated with the user. They are easily memorable and can be guessed. Weak passwords should never be used.
So how are we expected to keep track of all these strong and unique passwords? Don’t keep them on post-it notes. Ideally you want to record all of your business passwords in one, secure location. You could use a password protected Excel file. This is a fine solution if only one or two trusted individuals need to access the information, but it is not very secure when multiple people need access to some of the information in the file. Excel files can also be copied, emailed and shared. We recommend that businesses use a password management solution like RoboForm, LastPass, Keeper, etc… These programs offer some excellent features that allow businesses to consolidate, organize and securely share passwords with their teams. One of the best features of these solutions is that they allow authorized staff to use passwords without being able to see them. This prevents unwanted proliferation of sensitive information.
So what should a password policy look like?
A password policy should compliment your business, empower your staff and secure access. It should be an extension of general business policies or part of an employee handbook.
A password policy should define:
- types of passwords used by a business
- password strength requirements
- password change frequency
- password storage mechanism
- password sharing and acceptable use
In creating a policy, all business accounts and security credentials need to be identified along with specific access rights for each credential. Then the appropriate mechanisms for accessing the securing these credentials needs to be determined and described. The policy shouldn’t be an imposition, but a means to responsibly control and deliver information and access.
Businesses need to make all kinds of information and access available to its staff. Manage and control of the distribution of passwords should be done with the same amount of attention and care as issuing keys to the front door.