Passwords and Data Security
One of the biggest risks to a company’s data can be password security. What kinds of rules are the best to implement for your users? What best practices allow companies to feel secure in allowing their users to navigate the complex world of company resources, whether they are in the cloud or on-premises? There are a few simple things you can do to ensure that you are prompting your users to create passwords that are unlikely to risk company data.
First, implement password complexity requirements company wide. Password complexity requirements vary from company to company and may depend on the other technology solutions you are using. However, a good general rule is that users should create passwords more than eight characters long that include both an uppercase and a lowercase letter, a number, and a special character that is accepted by the software you are using. In a high-security environment, you may even consider requiring longer passwords, such as extending this requirement to 14 characters if the need exists, however unpopular this may be amongst the rank and file. Many companies enforce this through Group Policy, the Windows Active Directory mechanism that pushes settings (including the domain password policy) to every domain-joined computer and account, to ensure that company passwords are compliant. Some solutions, like those from Microsoft, have built-in password complexity requirements, which can bring peace of mind in using their services.
Another option often discussed alongside password complexity requirements is a forced password reset, a practice whose usefulness is debatable. Recent studies show that if a user’s password follows complexity requirements, frequent resets can be harmful to security. These resets frustrate users and can push them to do things that compromise their passwords, such as picking common words, repeating passwords, or even writing their passwords down where they are more likely to be compromised. For this reason, many companies are allowing their users to create more secure passwords that they keep for longer periods of time, and some have decided it is best to do away with forced password resets altogether. It’s important to consider this when creating the standards you would like users to follow at your company.
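The two preceding paragraphs describe a complexity rule (length, upper and lower case, a digit, an accepted special character) and the failure modes that frequent resets encourage (common words, reused passwords). The following is an added example, not code from this post or from Deep Core Data, of how a password-change endpoint can enforce both at once. The minimum lengths follow the post's eight- and 14-character figures; the set of accepted special characters, the common-word blocklist and the per-user salt are constructed for the example, and the history check compares salted PBKDF2 hashes so previous passwords are never stored in plaintext.

```python
import hashlib
import string

# Constructed policy values that follow the post's general rule; they are not a
# particular product's settings.
MIN_LENGTH = 8                 # baseline length from the post
HIGH_SECURITY_MIN_LENGTH = 14  # the post's stricter option for high-security environments
# Assumed set of special characters the target application accepts.
ALLOWED_SPECIALS = set("!@#$%^&*()-_=+[]{};:,.?")
# Constructed blocklist of common words users reach for under frequent resets.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "company", "letmein", "qwerty"}


def history_hash(password: str, salt: bytes) -> bytes:
    """Salted slow hash so a password-history store never holds reusable plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password(password: str, history: list, salt: bytes,
                   high_security: bool = False) -> list:
    """Return the policy violations for a candidate password (empty list = acceptable).

    history holds history_hash() values of the user's previous passwords under the
    same salt, so a reused password is detected without storing it in plaintext.
    """
    violations = []
    min_length = HIGH_SECURITY_MIN_LENGTH if high_security else MIN_LENGTH
    if len(password) < min_length:
        violations.append("too_short")
    if not any(c.islower() for c in password):
        violations.append("no_lowercase")
    if not any(c.isupper() for c in password):
        violations.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        violations.append("no_digit")
    if not any(c in ALLOWED_SPECIALS for c in password):
        violations.append("no_special")
    # A character outside letters, digits and the accepted specials would be rejected
    # by the application later, so surface it here with a clear reason.
    allowed_plain = set(string.ascii_letters + string.digits)
    if any(c not in ALLOWED_SPECIALS and c not in allowed_plain for c in password):
        violations.append("disallowed_char")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        violations.append("common_word")
    if history_hash(password, salt) in history:
        violations.append("reused")
    return violations


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    previous = [history_hash("Tr0ub4dor&3", salt)]
    for candidate in ["Tr0ub4dor&3", "Summer2024!", "short1A!", "Correct-Horse-Battery-9"]:
        print(candidate, check_password(candidate, previous, salt, high_security=True))
```

Returning a list of violation codes rather than a single yes/no lets the change form tell the user exactly which rule was missed, which reduces the guesswork that drives people toward the weak choices the post warns about.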
You might also consider using services that help you monitor account security, allowing earlier detection of compromised passwords. Many services let companies view sign-in logs or send alerts to help you stay on top of any possible breaches. You may also want to encourage the implementation of Multi-Factor Authentication to further secure access to employee accounts. Though this may feel more time consuming, the cost is offset by fewer password resets, and it adds an additional layer of identity verification.
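As an added illustration of the sign-in log monitoring this paragraph recommends (not code from the post or from any particular service), the script below reads a constructed set of sign-in records, counts failed attempts per account inside a sliding window, and raises two kinds of alert: a burst of failures, and a success that follows such a burst, which is the case worth a prompt reset and MFA check. The `key=value` log layout and the regex that parses it are assumptions for this example; a real identity provider exports its own schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in records in a simple key=value layout; real services use their
# own schema, so the regex below is an assumption for this example only.
SAMPLE_LOG = """
2024-05-01T08:00:00Z user=bob result=failure ip=198.51.100.7
2024-05-01T08:00:30Z user=bob result=success ip=198.51.100.7
2024-05-01T08:01:00Z user=carol result=success ip=198.51.100.9
2024-05-01T08:02:00Z user=alice result=failure ip=203.0.113.5
2024-05-01T08:02:10Z user=alice result=failure ip=203.0.113.5
2024-05-01T08:02:20Z user=alice result=failure ip=203.0.113.5
2024-05-01T08:02:30Z user=alice result=failure ip=203.0.113.5
2024-05-01T08:02:40Z user=alice result=failure ip=203.0.113.5
2024-05-01T08:02:50Z user=alice result=failure ip=203.0.113.5
2024-05-01T08:03:00Z user=alice result=success ip=203.0.113.5
""".strip().splitlines()

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) ip=(?P<ip>\S+)$"
)


def parse_events(lines):
    """Turn raw lines into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def analyze_sign_in_log(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (alert_type, user, timestamp) tuples.

    burst_failures: the user reached `threshold` failed sign-ins inside `window`.
    success_after_failures: a success followed such a burst, which deserves an
    immediate reset and MFA review rather than a quiet log entry.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    burst_open = set()                    # users whose current burst was already reported
    for e in parse_events(lines):
        user, now = e["user"], e["time"]
        q = recent_failures[user]
        while q and now - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if not q:
            burst_open.discard(user)
        if e["result"] == "failure":
            q.append(now)
            if len(q) >= threshold and user not in burst_open:
                alerts.append(("burst_failures", user, e["ts"]))
                burst_open.add(user)
        else:
            if user in burst_open:
                alerts.append(("success_after_failures", user, e["ts"]))
            q.clear()
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in analyze_sign_in_log(SAMPLE_LOG):
        print(*alert)
```

Bob's two quick attempts never reach the threshold and produce nothing, while Alice's run of failures followed by a success produces both alerts; tuning `threshold` and `window` to your own lockout settings keeps the alert volume manageable.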
Password security is just one of the ways that you can help tighten the overall effectiveness of your company’s data security. If you’ve been evaluating your company’s security standards and are wondering what more you can do, reach out to us at Deep Core Data. We can look at where you are and help you get to where you want to be.