Former Microsoft Chairman Bill Gates predicted the death of the traditional password because it could not “meet the challenge” of keeping critical information secure. Passwords, he said, would be replaced by alternative authentication methods such as wearables and biometrics [1]. Gates made that statement in 2004, and it remains one of the few things he got wrong.
Today, everyone uses passwords to control access to IT infrastructure, data, and services. They remain the first line of defense for information security and privacy, in part because the basic password has grown into an entire ecosystem of password management applications and providers that do meet the challenge of keeping critical information secure at work and at home.
What Are We Protecting?
Twenty years later, passwords are as popular as ever. In a business with multiple employees, passwords must often be shared among team members for them to do their jobs.
The types of mission-critical information and systems that are usually password-protected in a business include:
- Intellectual property and proprietary digital assets
- Communications and social media accounts
- Network and software applications/licenses
- Confidential business plans and go-to-market strategies
- Customer or patient data
- Bank account and credit card numbers, and financial reporting information
Not every user needs access to every account, and sharing passwords creates risk. Employees, partners, and suppliers come and go. Every additional person who holds the password to an asset is one more person whose access must be tracked and revoked, and the risk grows with each one, especially if a former associate of the company wishes to do damage.
Poor password management also exposes a business to account takeover, malware, and ransomware attacks, as well as denial of service (DoS), any of which could paralyze operations, compromise assets and customer data, damage the company’s reputation, and subject it to fines and penalties for compliance violations.
What is a Password Management Policy and its Advantages?
Mitigating these threats requires putting a company-wide password policy in place to keep data secure. A password management policy defines how passwords are created, stored, used, shared, and updated.
More than setting rules for password hygiene, a password management policy sets the broader parameters for overall information security in a business.
Of course, it should encourage the use of strong passwords to minimize exposure to breaches, and it should also:
- Centralize administrative tasks for organizing, sharing, and updating an unlimited number of passwords
- Employ end-to-end data encryption to protect passwords in transit and at rest
- Offer a password generator tool with the ability to set complexity levels to ensure employees and team members are using strong passwords
- Track password activity to identify the source of a breach should one occur
- Disallow the use of aged, weak, or recycled passwords
- Speed employee on/off boarding without impacting other team members
Best Practices for Password Management Policy & Sharing
First and foremost, install a centralized password management solution. These applications put a single administrator (possibly with sub-administrators) in control of all password-related activities from rules creation to sharing and retirement.
Only administrators have the authority to make changes, and all user requests must pass through them. They define access roles for individuals and teams, manage permissions, and set the organizational structure for how passwords are shared. A good password management solution is the foundation for a strong overall cyber defense and the rules to enforce it.
Other best practices for a strong password management policy include:
- Never store passwords in plain text (hardcopy or digital) where they can be seen and copied by unauthorized people. Storing passwords in a PC web browser is also bad practice, however convenient (see Why You Shouldn’t Store Passwords in Browsers).
- Limit password access to those on a need-to-know basis.
- Do not allow employees to recycle old passwords or create new ones using minor variations of current ones (e.g., Br@ndy1 to Br@ndy123). Some organizations publish deny lists of passwords that are easily broken so they cannot be used.
- Enforce the use of multi-factor authentication, which requires a second factor beyond the password, such as a code from an authenticator app or a hardware security key, before granting access.
- Use Single Sign On (SSO) technology. SSO allows employees to access all systems through a single set of credentials, helping to avoid password overload on employees who must use multiple protected assets.
- Set a maximum number of login attempts (usually between 5 and 10) before the system automatically locks the account, and set an inactivity timeout that automatically logs a staff member out of a password-protected account after a designated idle period in case they forgot to do so. Bear in mind that a hard lockout can be abused to lock legitimate users out of their own accounts, so pair it with rate limiting rather than relying on it alone.
- Diligently track employee and supplier status, immediately suspending access for those who no longer need it or are no longer employed by the company. Delete inactive accounts.
- Change passwords to shared accounts when a team member leaves the organization.
- Use different passwords for every account.
- Alert the administrator if you suspect an account has been compromised. Err on the side of caution and change the password.
- Prevent staff from accessing company servers from public computers. Enable IP allow-listing (whitelisting) on your network so that logins are only accepted from trusted IP addresses.
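The generator and deny-list rules above (offer a generator with complexity levels, reject aged, weak, or recycled passwords, and reject minor variations such as Br@ndy1 to Br@ndy123) are easy to state and easy to get subtly wrong. The following is an added example written for this article; it is not Passpack code and not code from the page. The deny list, the leetspeak table, the history salt, and every function name are assumptions made for the illustration. It normalizes away the tricks users reach for (trailing digits, @ for a, 0 for o) before comparing, and it keeps only digests of old passwords, so only exact reuse can be detected against history while the similarity check runs against the current password, which is available in clear at change time.

```python
import hashlib
import re
import secrets
import string
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed deny list of easily broken passwords (illustrative only; a real
# policy loads a published list, not this handful).
DENY_LIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Common leetspeak substitutions, so "Br@ndy" and "brandy" compare equal.
_LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                       "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed per-example salt; a real system stores a random salt per entry.
_HISTORY_SALT = b"example-salt"


def normalize(password: str) -> str:
    """Reduce a password to its core word: drop trailing digits/symbols, then undo leetspeak."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return stripped.lower().translate(_LEET)


def is_minor_variant(candidate: str, reference: str, threshold: float = 0.8) -> bool:
    """True when both passwords share the same core word (Br@ndy1 vs Br@ndy123)."""
    a, b = normalize(candidate), normalize(reference)
    if not a or not b:
        return False
    return SequenceMatcher(None, a, b).ratio() >= threshold


def history_digest(password: str) -> str:
    """Digest kept in password history so old passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _HISTORY_SALT, 100_000).hex()


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def generate_password(length: int = 20) -> str:
    """CSPRNG-backed generator that guarantees all four character classes."""
    if length < 12:
        raise ValueError("policy minimum is 12 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if character_classes(candidate) == 4:
            return candidate


def check_password(candidate: str, current: Optional[str], history: List[str],
                   min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    `current` is the password being replaced (in clear at change time, so a
    similarity check is possible); `history` holds digests of older passwords,
    so only exact reuse can be detected there.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(candidate) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if candidate.lower() in DENY_LIST or normalize(candidate) in DENY_LIST:
        problems.append("on the deny list")
    if current is not None and is_minor_variant(candidate, current):
        problems.append("minor variation of the current password")
    if history_digest(candidate) in history:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    print(check_password("Br@ndy123", "Br@ndy1", []))
    print(check_password("P@ssw0rd!", None, []))
    fresh = generate_password()
    print(fresh, check_password(fresh, "Br@ndy1", []))
```

The similarity threshold of 0.8 is a judgment call: lower it and you start rejecting unrelated passwords, raise it and Br@ndy1 to Br@ndy12x slips through. Whatever the value, run the check on the server, not only in the browser, since client-side rules are trivially bypassed.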
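The lockout and inactivity rules in the list above are usually implemented as a counter and two timestamps per account. The code below is an added example written for this article, not Passpack code and not code from the page; the class and method names, the thresholds, and the doubling of the lockout window on repeat offenders are assumptions chosen for the illustration. The clock is injectable so the behaviour can be exercised without sleeping, and a correct password is refused while the account is locked so that a lockout never leaks whether a guess was right.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class AccountState:
    failures: int = 0            # consecutive failed logins
    locked_until: float = 0.0    # clock value; 0 means not locked
    last_activity: float = 0.0   # drives the idle timeout
    session_open: bool = False


class LoginGuard:
    """Lock an account after max_attempts failures and expire idle sessions."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: float = 900,
                 idle_timeout: float = 600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked_until > self.clock()

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        st = self._state(user)
        now = self.clock()
        if st.locked_until > now:
            # Reject even a correct password while locked, so the lock itself
            # cannot be used as an oracle for guessing.
            return "locked"
        if password_ok:
            st.failures = 0
            st.session_open = True
            st.last_activity = now
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            # Each lockout after the first doubles in length, so an attacker who
            # keeps hammering the account gets slower, not faster.
            st.locked_until = now + self.lockout_seconds * (2 ** (st.failures - self.max_attempts))
            return "locked"
        return "denied"

    def touch(self, user: str) -> bool:
        """Call on every request; returns False and closes the session once idle too long."""
        st = self._state(user)
        now = self.clock()
        if not st.session_open:
            return False
        if now - st.last_activity > self.idle_timeout:
            st.session_open = False
            return False
        st.last_activity = now
        return True

    def logout(self, user: str) -> None:
        self._state(user).session_open = False


if __name__ == "__main__":
    fake = [0.0]
    guard = LoginGuard(max_attempts=3, lockout_seconds=60, idle_timeout=30, clock=lambda: fake[0])
    for _ in range(3):
        print(guard.attempt("alice", False))
    print(guard.attempt("alice", True))   # still locked
    fake[0] = 61
    print(guard.attempt("alice", True))   # ok
```

Because the counter is keyed by username alone, anyone who knows a username can lock its owner out by sending bad passwords; the caveat in the list above applies, and in practice this guard sits behind a per-source rate limit so a single IP cannot trip the lockout for many accounts.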
One more thought: password manager applications are a natural target for cybercriminals, as one successful attack on the app provides access to all a business’s stored passwords. The password manager application itself must be highly secured.
Passpack: The Password Management Solution of Choice
Passpack is a centralized team password management solution optimized for businesses that need to create passwords that are extremely difficult if not impossible to break and enforce organization-wide rules among employees for sharing them.
Our platform embodies all the critical capabilities and best practices needed to build a password management policy that maintains the security and integrity of information across your organization at a low cost per seat.
Most importantly, Passpack is highly secure. Built on a zero-knowledge architecture, our employees never have access to encryption keys. Only end users have access to and control over their data; passwords are decrypted only on the customer’s local system, so a breach of the service itself yields nothing but ciphertext.
Further, we enable fully encrypted password sharing between individuals and teams, with all traffic directed through a centralized administrator for a closed environment with full control.
Strengthen your business’s cybersecurity defenses with a strong password management policy. Visit us at Passpack.com and try our solution free for 28 days to see how easy and affordable it is to unlock the power of secure password sharing with Passpack.