Your Password Management Guide

As a managed service provider, part of our job is educating teams on cybersecurity best practices. The more informed your employees are, the more secure your business will be against cyber threats. Your people are the first line of defense against an attack, but password management can be a daily headache for them. Your team needs access (usually ASAP) to applications in order to meet deadlines and fill quotas. Trying to remember and share credentials is often a hair-pulling annoyance that can hold up entire projects. Our philosophy as IT experts is to use technology to make your life more secure. Read our password management guide to learn how to secure your business while boosting efficiency.

Best Practices for Strong Passwords

Using simple passwords, reused passwords, or passwords that contain personal information is practically like handing over credentials to cyber thieves. Thief-deterring passwords are at least 20 characters long and can include an uppercase letter, lowercase letter, symbol and number. Here are some do’s and don’ts for strong passwords:

DO give each one of your accounts a unique password — single use only. 

DO come up with a passphrase (3 – 4 words) in place of a password. This makes it easier to come up with the length of 20 characters and is also easier to remember.

DO use multi-factor authentication, even if the platform doesn’t require it.

DON’T use only a single common word as your password — not even if you add a number to the beginning or end (such as Password123). Cyber criminals use software that automatically tries common dictionary words in attempts to guess your password.

DON’T use any personal information as part of your password. This includes pet names, parent birthdays, addresses, or information that is freely available on social media. 

DON’T write your passwords down, save them to a digital document, or store them in any unencrypted programs. (Password spreadsheets are the first place a hacker will look if they gain access to your device.)

DON’T save passwords to your browser. (In fact, turn OFF your browser’s Suggest Passwords setting.)

DON’T allow your team to share a single login and password for any system, even something seemingly low-risk, unless you have a secondary form of authentication for each team member.

Change your passwords NOW if:

  • You’ve been using the same password since you opened an account.
  • You have the same password for multiple accounts.
  • Your password doesn’t meet the criteria to make it strong.
  • You’re concerned it may be compromised.

Start with your business accounts, bank accounts and your mobile carrier (because your phone provides authentication for many accounts).
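
The do’s and don’ts above can be checked automatically when a password is chosen. The following Python code is an added example, not something published by ArcLight Group; the function name, the short word list and the sample values are constructed for illustration.

```python
import re

MIN_LENGTH = 20  # the guide's minimum length

# Constructed sample list. A real deployment would load a large dictionary
# or breached-password list instead of these six entries.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "sunshine", "qwerty"}


def check_password(candidate, personal_info=(), passwords_in_use=()):
    """Return the guide's rules that `candidate` breaks (empty list = passes).

    personal_info: pet names, birthdays, addresses and similar details.
    passwords_in_use: passwords already assigned to other accounts
    (assumption: this comparison runs inside an encrypted password
    manager, never against a plaintext file).
    """
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 20 characters")

    # Strip digits and symbols from both ends: "Password123" -> "password".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in COMMON_WORDS:
        problems.append("single common word with padding")

    # Ignore separators so "Bis-cuit" still matches the pet name "Biscuit".
    squashed = re.sub(r"[^a-z0-9]", "", lowered)
    for item in personal_info:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 3 and token in squashed:
            problems.append(f"contains personal information: {item}")

    if candidate in passwords_in_use:
        problems.append("already used for another account")

    return problems


if __name__ == "__main__":
    for pw in ("Password123", "maple-lantern-orbit-cactus"):
        print(pw, "->", check_password(pw) or "passes")
```
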

Use a Password Manager 

Keeping track of every password in your organization can feel like a never-ending nightmare. Our solution for login-related headaches is a password manager, a tool that can both secure your digital workspace and support efficiency. 

A password manager is an application for your browser that stores and organizes the many passwords you use across websites for your business. You can store hundreds of passwords in a manager like Keeper or MyGlue. These tools help you get data under control because you only need to remember one password. Plus, many managers will generate those complex passwords for you. Most importantly, a password manager offers end-to-end non-reversible encryption, making it the most secure way to store, share and remember credentials.

Multi-Factor Authentication (MFA) Is Mandatory 

MFA can greatly reduce account compromise attacks. It’s an absolutely necessary protection in your cybersecurity arsenal. We won’t beat around the bush: it is annoying, at first. It gets easier and faster the more you use it, and sooner or later MFA becomes muscle memory. The best way to multi-factor authenticate is through an external app. We don’t recommend using phone calls or email. Criminals are way too good at faking voice calls, and email is compromised even more often. The bottom line is that you need MFA, even if it is aggravating in the beginning.

Here are some steps for embracing multi-factor authentication for your business: 

  1. Let your internal IT team or MSP know that MFA should be rolled out across your networks and systems for all users.
  2. Make sure those teams have a plan to provide staff training and support to successfully roll out MFA without stressing them out or impacting your ability to do business.
  3. Lead the way by setting up multi-factor authentication yourself — even for your personal accounts. (We suggest starting with your financial accounts). If you are comfortable with MFA, your team may be less wary.
  4. Require all your vendor or partner accounts to have MFA enabled. If they don’t offer multi-factor authentication security, consider switching to a provider that does.
  5. Establish monitoring. Invalid access attempts should be recorded and that information used to improve your cyber security. With teams working from home, in the office and a hybrid of both, monitoring is more critical than ever.

Stay Up to Date With Cyber Security Best Practices

Need some guidance on password management policies and tools for your business? We can help. Contact ArcLight Group or book an appointment.
