Still using the password you conjured up for your first email account in 2002 featuring your favourite footballer? We hope not. Passwords play an absolutely essential role in the security of your company and weak passwords are some of the easiest way for hackers to breach your cyber defences through employee accounts.

In this article we’ll be sharing advice on how to avoid this common, but easily avoided, security pitfall.

Minimum password length for systems

For all password-protected systems, your business should try to follow these basic steps when configuring them:

  • The minimum length for a password should be at least 8 characters including all alphabets, symbols, and numbers.
  • There should be no maximum password length.
  • The system should not allow the user to set a password that does not meet the minimum length requirements for it.

The requirements mentioned above are simple to understand but can be difficult to implement. It is important to note that these rules need to be established across all password-protected devices and software.

To meet this requirement, you need to consult with your IT manager to ensure that all devices and software (whether third-party or proprietary) enforce the minimum password length.

Enforce a secure password policy

A password policy is used to establish the rules and requirements for setting passwords. Creating a secure password policy for staff helps businesses protect themselves and allows them to meet the password requirements under the government’s Cyber Essentials certification scheme.

The goal of a password policy is to take away the burden of individual users to create solid passwords. However, users should still be made aware of the password policy so that they pick sensible passwords for their email, devices, and other accounts.

Other than the minimum password length requirement mentioned above, your employees should:

  • Avoid obvious passwords that can be easily discovered or guessed such as their name, phone number, birthdays. That goes for your pet’s name too.
  • Not choose common passwords such as the ‘abcdefgh’, ‘12345678’. This can also be implemented through a blacklist that prevents users from keeping common passwords.
  • Memorise their passwords instead of recording them whenever possible. Don’t email them to yourself or keep them in your Notes.
  • Not use the same password for different accounts. 45% of Brits have the same password for half of their online accounts. Not great.
  • Use password management software or other secure mechanisms for storing and retrieving passwords.
  • Require the system to:
    • Protect against brute-force password guessing algorithms by locking accounts after a set number of unsuccessful attempts to enter the password.
    • Change default or common passwords to random non-guessable passwords.

If you want to see how long it would take a computer to guess your current passwords, check out HowSecureIsMyPassword.

Conclusion

Ensuring the use of strong passwords is a key step towards becoming digitally secure. 

CyberSmart helps businesses comply with Cyber Essentials by simplifying the process of compliance for them including complying with password regulations. If you would like to learn more about how to implement a password policy for achieving Cyber Essentials, get in touch with us.