Top 5 password hygiene security protocols companies should follow
Proper password methodologies can be a challenge to master. Learn some tips from industry experts on how to streamline the process and safeguard your organization.
Amid the coronavirus pandemic, access to systems in order to conduct business operations is critical for the majority of the workforce (56% according to globalworkplaceanalytics.com) that can do so remotely. I’m one of those workforce members, and it’s a huge source of relief for me to be able to conduct both my jobs (system administrator and tech writer) remotely.
Remote access nearly always depends on passwords, whether to initiate VPN connections, log into workstations and servers, or reach critical websites.
IT departments are tasked with the extra burden of making sure all this remote access is secured via appropriate password methodologies. After all, it’s challenging enough to secure an on-site physical system that only permits hands-on access (such as a company workstation), let alone devices out of your control that may easily be lost, stolen, or accessed by unauthorized individuals.
I checked in with Charles Poff, CISO at predictive identity access provider SailPoint, and Daniel Murphy, Global IT manager at Cygilant, a cybersecurity-as-a-service provider, to chat further.
Charles Poff: Start looking into a password management tool. There are a ton of useful commercial tools and solutions that help make the overall process of keeping long, complex, and unique passwords manageable.
With automated password management, you can empower your organization with self-service password reset. Password management is the key to effective security, we all know that, but password reset help desk calls are very expensive, and corporations don’t want to incur that cost.
With an effective password management strategy, you give your users an easy and intuitive way to change or reset their passwords themselves. And along the way, you can enforce strong password policies across all of your applications and systems.
Self-service enables your workforce to remain productive wherever they are, and they won't get locked out of accounts. It's really a win-win. Help desk calls are minimized and security is improved because password policies are consistently enforced across the organization. Overall, password management leads to less frustration because employees can use self-service from wherever they are.
Scott Matteson: I can certainly speak to this as well. My company has a LOT of passwords and we’re trying to consolidate accounts where possible, but for a time, password reset requests were absolutely draining our productivity. I implemented Remote Desktop Web Access password resets to permit users to reset their own passwords via a web portal.
I also continually urge existing and new users to rely on KeePass to securely store their passwords. With these two tools handy users will never have to deal with a forgotten password again, and IT staff won’t have to drop more critical work to handle this type of housekeeping.
Charles Poff: Keep your password unless you think it has been compromised. Once a password is compromised, the floodgates are open. The eye-popping number of credential stuffing data breaches this year taught us as much. If you’re using a complex, memorable password then I’d recommend changing your password on the same schedule as your vehicle registration: About once a year.
Be sure to inspect your accounts and their passwords for safety and any sign of compromise, just like you would an automobile. The thought process is similar: While vehicle inspection is part of the renewal process and ensures that safety is maintained, you wouldn’t wait for the annual renewal to get something dangerous fixed in your vehicle.
Similarly, appropriately complex passwords can be changed once a year, assuming that any breaches or other security issues with a particular account trigger a password change immediately. The website Have I Been Pwned is a great resource for breach awareness.
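Have I Been Pwned also exposes its Pwned Passwords corpus through a range API that lets you test a password for prior compromise without ever sending the password itself. The script below is an added example written for this article; it is not code from the interviewees, SailPoint, or Have I Been Pwned. It hashes the password with SHA-1, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/, and matches the remaining 35 characters locally against the returned "SUFFIX:COUNT" lines (the k-anonymity design the service uses). The `Add-Padding` request header is a real, documented option that makes the service pad responses with zero-count entries so response size leaks nothing. The embedded sample response and its counts are constructed for offline demonstration; the live lookup in `fetch_range` needs network access.

```python
"""Check a password against the Pwned Passwords corpus via the k-anonymity range API.

Added example for this article, not code from the interview participants.
Only the 5-character SHA-1 prefix leaves the machine; matching happens locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the first 5 and last 35 hex chars of SHA-1(password), uppercase."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(body: str, suffix: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix; 0 if absent.

    Padded responses contain filler entries with a count of 0, which is why a
    match with count 0 is treated the same as no match.
    """
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Fetch the range for a 5-hex-char prefix from the live API (network required)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-hygiene-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in known breach corpora; 0 means not seen."""
    prefix, suffix = split_sha1(password)
    return count_in_range_response(fetch(prefix), suffix)


# Constructed sample response for the prefix of SHA-1("password") = 5BAA6...; the
# counts are made up for this example and a real response has hundreds of lines.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",  # suffix of SHA-1("password")
        "FEEDC0DE" + "0" * 27 + ":0",                    # padding entry, count 0
    ]) + "\n",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that answers from the constructed sample (empty if unknown)."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n} times in breaches" if n else "not in sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Wire `pwned_count` into your reset portal or password-change hook and reject any candidate with a non-zero count; since the hash prefix maps to hundreds of candidate hashes, the service cannot tell which password was tested.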
Daniel Murphy: Building a culture of security awareness within your organization should be a priority for everyone. For IT Managers it’s important to implement password hygiene processes across an organization. Passwords should be changed every 30 days or every 90 days for non-user or system accounts.
Conventional wisdom says to change your password a couple of times a year, but security needs to become second nature to people. If employees only think about password security twice a year they will inevitably choose a weak password that is easily memorable. By increasing the frequency with which users have to change their password, you create an emphasis on the importance of password security across the organization.
Scott Matteson: One problem I’ve had with passwords in general is they still don’t guarantee the person using them is who they say they are. That’s why my company takes a severe approach to the concept of sharing passwords.
Charles Poff: Organizations should opt in to multi-factor authentication where available for an added layer of security that is already built into many apps. While passwords as the primary method for authentication may go away at some point in the future, the reality today is that they are still very much a part of securing access.
There are great technology solutions that can address the current password management challenges such as the growing number of applications (both on-premises and in the cloud) and the increasing complexity of password policies being used in large enterprises. These solutions look to reduce the number of usernames and passwords required by leveraging single sign-on and password synchronization in combination with one another.
Charles Poff: One of the challenges with current approaches to managing passwords is they almost exclusively focus on the needs of IT and IT security. Organizations should strive to balance security with convenience and deliver solutions that simplify management of passwords for applications which still require them. This means looking for ways to streamline the implementation of strong password policies without causing undue complexity for users.
If password policies and administration become too arduous for end users, they will find a work-around, which ultimately exposes the organization to more risk vs. less.
Charles Poff: To avoid needless risk and to protect their identity in the event of a breach, users should constantly switch up their passwords and take a minute to adhere to some important password management best practices, such as using a unique password for every application or account, and making sure the password is long and complex. The best thing you can do is make all your passwords unique at every site (do not reuse passwords). Users should also avoid duplicating their passwords across accounts, especially across work and personal accounts. This ensures that your personal identity is not only protected, but also any information related to your employer is safeguarded in the event of a breach.
Consumer-facing breaches can extend beyond personal accounts, potentially exposing the enterprise as well. Data breaches like this can create a domino effect across multiple organizations through the reuse of credentials across personal and business accounts. This is where password hygiene comes in. While people can’t go back in time to protect what data may have been compromised, they can use this as an opportunity to get familiar with password management best practices to avoid being affected should another breach of this magnitude occur.
Finally, keep it mindful—always be aware of where you are on the internet and take specific note of anything or anyone that has asked you to log in or provide answers to any secret questions or disclose personal information.
As an industry, we need to educate, educate, and educate. Unfortunately, we are still making rookie mistakes when it comes to passwords. Even if we feel like we are tediously repetitive and the requirements may seem like overkill, it’s overall a benefit to the user to combat password and account compromise.
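The reuse problem described above is easy to audit once passwords live in a manager such as the KeePass setup mentioned earlier. The script below is an added example written for this article, not code from the interviewees or from the KeePass project. It reads rows in the generic CSV layout a password-manager export produces (the column names `Group`, `Title`, `Username`, `Password`, `URL` are an assumption), groups accounts by a truncated SHA-256 fingerprint of the password so the report never carries plaintext, and flags any reuse that crosses the work/personal boundary. The list of work domains and the sample export rows are constructed for the demonstration.

```python
"""Audit a credential export for passwords shared across accounts.

Added example for this article, not code from the interview participants or KeePass.
Reports reused passwords by fingerprint only, and flags work/personal crossover.
"""
import csv
import hashlib
import io
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlparse

# Assumed list of domains that count as "work"; replace with your own.
WORK_DOMAINS = {"corp.example.com", "vpn.example.com", "mail.example.com"}

# Constructed sample export in the assumed column layout; the passwords are fake.
SAMPLE_EXPORT = """\
"Group","Title","Username","Password","URL"
"Work","Corp VPN","alice","Summer2020!","https://vpn.example.com/"
"Work","Corp Mail","alice","Summer2020!","https://mail.example.com/owa"
"Personal","Shopping site","alice@example.net","Summer2020!","https://shop.example.net/login"
"Personal","Streaming","alice@example.net","xk3!Qz9-tortoise-violin","https://video.example.net/"
"Work","Ticketing","alice","h7#Lm2@qPz4wT","https://tickets.corp.example.com/"
"""


def password_fingerprint(password: str) -> str:
    """Short SHA-256 prefix used to correlate rows without keeping the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def is_work_url(url: str) -> bool:
    """True when the URL's host is a work domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WORK_DOMAINS)


def find_reuse(csv_text: str) -> List[Dict[str, object]]:
    """Return one finding per password used by two or more accounts.

    Each finding carries the fingerprint, the affected accounts, and whether the
    reuse spans both work and personal URLs (the domino effect described above).
    """
    by_fingerprint: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_fingerprint[password_fingerprint(row["Password"])].append(row)

    findings: List[Dict[str, object]] = []
    for fp, rows in by_fingerprint.items():
        if len(rows) < 2:
            continue
        scopes = {"work" if is_work_url(r["URL"]) else "personal" for r in rows}
        findings.append({
            "fingerprint": fp,
            "accounts": [f'{r["Title"]} ({r["Username"]})' for r in rows],
            "crosses_boundary": len(scopes) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in find_reuse(SAMPLE_EXPORT):
        flag = "WORK/PERSONAL CROSSOVER" if f["crosses_boundary"] else "reuse"
        print(f"{flag}: fingerprint {f['fingerprint']} shared by {', '.join(f['accounts'])}")
```

Run it against an export taken on the workstation and delete the export afterwards; the plaintext passwords exist only in memory while the script runs, and the report contains nothing that helps an attacker beyond the fact that reuse exists.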
Daniel Murphy: Users should understand the concepts of password complexity. Historically the guidance was on short, complex passwords, but this has been disproven in recent years and the emphasis now is on length over complexity. I believe it should be both.
Passphrases then built upon this and added extreme length to the equation. They are nearly impossible to crack and are easier to remember compared with passwords. The only issue may be around not every application supporting their use. So for now, if you use passphrases you will undoubtedly have to use some passwords as well.
The standards you should strive for are: