
Setting strong and robust passwords is an essential part of protecting your business from cyber crime. From May 2018 the GDPR, the new Data Protection regulation, will also require businesses to put appropriate technical and organisational measures in place to protect personal data, and a sensible, enforced password policy is one of the most basic of those measures.

So why are good passwords so important? Let’s take an example to illustrate why. One of our clients had a poor password policy in place, with weak passwords and easily guessed user names. As any IT consultant will tell you, this is a massive no-no, although that doesn’t stop lots of people doing it.

Our client was unlucky enough to be targeted by an attacker who scanned their public IP address, looking for anything exposed to the internet that could be used to get onto the network. They found a login and simply kept trying different user names and passwords until one combination worked. Once they had remote access to the network, they encrypted our client’s files with ransomware.

The first danger sign came when our client realised they could no longer access their Word documents. They then noticed that applications were open on their computers that they hadn’t opened themselves. At this point, they realised they were in serious trouble and got straight on the phone to Jalapeno.

Fortunately, as the customer is a long-term client, we had already worked with them to put a robust backup system in place and to make sure it actually worked. We were able to restore their files and, in the end, the business only lost access for one working day. And, of course, they avoided paying the ransom (not that paying would have guaranteed getting their files back).

However, all this hassle and worry could have been avoided if the company had had a strong password policy in place and made sure everyone followed it (a lockout or rate limit on the exposed login would also have stopped the guessing long before it succeeded). It’s not difficult to create robust passwords, and there are plenty of tools out there that will help you do it; most server operating systems have password-policy enforcement built in.

Here are some suggestions for how to go about creating your password policy.

  1. Set a minimum strength level for each password

A good way to do this is to follow the 8 + 4 rule: the password is at least 8 characters long and contains at least one of each of four character classes: upper case, lower case, numbers and special characters (e.g. !£$&). Treat 8 as a floor rather than a target; every extra character makes a password much harder to guess.

Here’s an example of a password following the 8 + 4 rule: @pP1eT&rt. As you can see, it is based on the words ‘apple tart’, with the case changed and some letters swapped for digits and symbols. Using words or phrases like this can work well, but make sure they’re chosen at random. Never include personal information such as the user’s name or date of birth, or the name or location of your business, even in disguised form (J0hn is still John). And don’t make them too simple: passwords like ABC123abc are crying out to be guessed by even the most mediocre attacker.

  2. Use unique passwords for each application

Even if a password is robust, you’re asking for trouble by using it across different applications – especially banking software or anything containing sensitive or confidential data. So make it a requirement that your users create unique passwords for every application they use.

  3. Never write down your passwords

It sounds obvious, but lots of people jot down passwords and usernames in notebooks or on post-its for anyone to pick up. Worse still is the cardinal sin of keeping some or all of your passwords and user names in an online file marked ‘Passwords’.

Yes, it can be difficult to remember 57 sets of different login details. But you can use password management tools such as Dashlane, Sticky Password or RoboForm to store them securely. These tools will also help you create strong passwords in the first instance.

  4. Set a maximum lifetime for each password

A common choice is 90 days: much less and the constant changing becomes a burden, much more and a password that has leaked without anyone noticing stays usable for a long time. Be aware, though, that the UK NCSC and NIST (SP 800-63B) now advise against forcing routine expiry, because it pushes users towards predictable variations (Password1, Password2, …), and recommend changing a password whenever there is reason to think it has been compromised. Whatever interval you choose, you can set up your applications to prompt users to change their passwords when the time comes, or even automate the process completely (if the software in question allows this).

  5. Never share your passwords

This sounds obvious, but you’d be surprised how many people do it! This is so important that you may even want to make it a disciplinary offence for your staff to share passwords – especially with people outside your organisation.

The only exception to this rule is when your help desk or IT consultant needs to work on a user’s computer or resolve a problem. Even then, it is better for the engineer to use their own administrative account or a remote-assistance session, so the user’s password never has to be disclosed. If the password does have to be shared, the user should change it as soon as the work is completed.

  6. Discourage ‘Remember password’ settings

Most internet browsers offer to remember passwords and payment details, making it quick and easy to log in to online applications and make purchases. Whilst this is convenient, anyone who picks up a lost or stolen computer or mobile device that isn’t locked gets the same easy access. So you might want to encourage or require your users to disable the ‘Remember password’ settings in their browsers and keep their logins in a password manager, locked behind a master password, instead.

For an extra layer of security, we recommend you set up remote wiping on all your laptops and mobile devices. This lets you delete user information, data and applications from any device that’s lost or stolen, so whoever ends up with it gets nothing of use.
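To show what enforcing the first and fourth points above actually involves, here is a small policy checker written for this post as an added illustration (it is not Jalapeno’s code or any particular product’s). It implements the 8 + 4 rule, rejects passwords that contain the user’s details even when disguised with digit-for-letter substitutions, rejects obvious runs like ABC123abc, and flags passwords older than 90 days. The user record fields (username, name, dob, company, location), the substitution table and the sample user are all assumptions made for the example.

```python
"""Password-policy checker: an added example, not code from the original post."""
import re
from datetime import date, timedelta

MIN_LENGTH = 8                    # the "8" in the 8 + 4 rule
MAX_AGE = timedelta(days=90)      # maximum lifetime discussed in the post
MIN_TOKEN = 3                     # shortest personal-info fragment we look for

# The "4" in 8 + 4: at least one character from each class.
CLASSES = {
    "upper case": re.compile(r"[A-Z]"),
    "lower case": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}

# Common substitutions people use to disguise a word ("@pP1e" for "apple").
# Two tables because "1" stands in for both "i" and "l". Assumed, not exhaustive.
_LEET_I = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                         "$": "s", "5": "s", "7": "t", "!": "i", "1": "i"})
_LEET_L = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                         "$": "s", "5": "s", "7": "t", "!": "i", "1": "l"})


def _views(password):
    """Lower-cased forms of the password used for substring matching:
    the raw text plus each de-substituted form with symbols stripped."""
    raw = password.lower()
    views = {raw}
    for table in (_LEET_I, _LEET_L):
        views.add(re.sub(r"[^a-z0-9]", "", raw.translate(table)))
    return views


def _personal_tokens(user):
    """Fragments of the user's details that must not appear in a password.
    `user` is a dict with the assumed keys username, name, dob (a date),
    company and location."""
    tokens = {user["username"]}
    for field in ("name", "company", "location"):
        tokens.update(user.get(field, "").split())
    dob = user.get("dob")
    if dob:
        tokens.update({dob.strftime("%d%m%Y"), dob.strftime("%d%m%y"),
                       dob.strftime("%Y%m%d"), dob.strftime("%Y")})
    return {t.lower() for t in tokens if len(t) >= MIN_TOKEN}


def _has_run(password, length=3):
    """True if `length` consecutive characters ascend, descend or repeat
    (catches abc, CBA, 123, 321, aaa)."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def check_password(password, user):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    views = _views(password)
    for token in sorted(_personal_tokens(user)):
        if any(token in view for view in views):
            problems.append(f"contains personal information: {token}")
    if _has_run(password):
        problems.append("contains a sequential or repeated run (e.g. ABC, 123, aaa)")
    return problems


def password_expired(last_changed, today=None):
    """True once a password is older than MAX_AGE."""
    today = today or date.today()
    return today - last_changed > MAX_AGE


# Constructed sample user; none of these details are real.
SAMPLE_USER = {
    "username": "jsmith",
    "name": "John Smith",
    "dob": date(1985, 3, 14),
    "company": "Acme Widgets",
    "location": "Leeds",
}

if __name__ == "__main__":
    for candidate in ("@pP1eT&rt", "ABC123abc", "Sm1th_1985", "Ab1!"):
        print(candidate, "->", check_password(candidate, SAMPLE_USER) or "OK")
    print("expired:", password_expired(date(2018, 1, 1), today=date(2018, 5, 1)))
```

The post’s own example @pP1eT&rt passes, ABC123abc fails on both the missing symbol and the ABC/123 runs, and Sm1th_1985 meets the 8 + 4 rule but is rejected because it still contains the user’s surname and birth year once the 1-for-i substitution is undone. A real deployment would run this check at the point where the operating system or application accepts a new password, which is exactly what the built-in policy tools do.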

And one last word…

As with all IT-related policies, your password policy will only benefit your business if people know about it, understand it and implement it. Give your staff regular refresher training so they know why password security is so important and to make sure they follow the rules set out in your policy.

Need any help? Jalapeno are on hand!

If you need a little help putting your password policy in place or training your staff, just give us a shout. Our expert consultants can take care of it for you whilst you get on with the day job. It’s all part of our mentoring and user education service. Get in touch today to find out more.