How to Get Your Employees Interested in Password Hygiene


Tech Insights for Professionals: The latest thought leadership for IT pros

Wednesday, September 15, 2021

Getting employees interested in password hygiene and promoting a security-first office culture could be your first step to fully comprehensive protection, but how do you do it?


Practicing good password hygiene is one of the most fundamental security measures to deter cybercriminals.

One example of poor password hygiene is employees choosing passwords based on how easy they are to remember rather than on how hard they are to guess. With rising concern over data breaches, businesses must encourage employees to follow the necessary password protection measures so that weak credentials do not become the organisation's cybersecurity weak point.

How can passwords be compromised?

In an environment that facilitates poor password hygiene, there are several ways that passwords can be compromised:

  • Brute force: An attacker tries an extensive list of candidate passwords, such as every word in a dictionary, until one of them matches the correct credentials.
  • Credential stuffing: An attacker takes a vast list of usernames and passwords leaked in a data breach and replays them against other services, such as banking websites, to find accounts where the same password was reused, then logs in as that user.
  • Hash cracking: Attackers obtain a database of stored passwords that have been hashed and then attempt to recover the original passwords from the hashes, typically by hashing large numbers of guesses and comparing the results. Hashing is a one-way transformation used by many high-traffic websites to store passwords so that the plaintext is not kept directly; it slows down attackers but does not stop them from guessing weak passwords.

What is good password hygiene?

The formula for good password hygiene is simple, yet many people still struggle to meet the baseline criteria. Some key examples of good password hygiene practices include:

1. Start as you mean to go on

By creating a strong password to begin with, employees reduce the risk of many online attacks while promoting a more secure mentality.

As a general rule, passwords should be both long and complex, in other words, high in entropy. Pre-determined password criteria should be thorough, refusing passwords under 12 characters and passwords that don't combine upper and lower case letters with numbers and special characters.

By enforcing a set of stringent rules, you can ensure employee passwords aren't easily guessed and don't contain personal information such as birthdates, pets' names, sports teams, etc.
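As an added illustration (not code from the original article), the following Python function enforces the criteria stated above: a 12-character minimum, all four character classes, no personal terms such as a pet's name or team, and no year-like number that could be a birthdate. The entropy figure is a generous upper bound based on the character pool, and the personal terms and sample passwords are constructed for the demonstration.

```python
import math
import re

# Minimum length and character classes as stated in the article's criteria.
MIN_LENGTH = 12
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),  # printable ASCII punctuation
}


def estimate_entropy_bits(password: str) -> float:
    """Upper bound: log2(pool size) per character, pool = union of classes used."""
    pool = sum(size for rx, size in CLASSES.values() if rx.search(password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, personal_terms=()) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, (rx, _) in CLASSES.items():
        if not rx.search(password):
            problems.append(f"missing {name} character")
    lowered = password.lower()
    for term in personal_terms:  # e.g. pet names, teams, surnames (case-insensitive)
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    # A four-digit run starting 19xx or 20xx is very often a birth year.
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains a year-like number")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "Rex" and "Arsenal" stand in for a pet and a team.
    terms = ["Rex", "Arsenal", "Smith"]
    for pw in ["Arsenal1987!", "rex-walks-the-dog-at-7AM?", "Tr0ub4dor&3"]:
        issues = check_password(pw, terms)
        print(f"{pw!r}: ~{estimate_entropy_bits(pw):.0f} bits; "
              + ("OK" if not issues else "; ".join(issues)))
```

Note that the entropy estimate rewards length far more than symbol variety, which is why the 25-character passphrase scores well even though it fails the personal-term check.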

2. Nip unsecured sharing in the bud

Firstly, ensure that all employee accounts, wherever possible, are single user. The more people with access to a single account, the more chances for the account to be misused.

If a shared account is abused, you'll have difficulty identifying the perpetrator or the weak link, putting your company at greater risk of continued attack.

Secondly, don't allow employees to leave passwords out in the open. This includes post-it notes and the company 'password spreadsheet'. Both are high-risk behaviours, and by allowing or encouraging them you put your company data at risk.

You can reduce the risk caused by unsecured sharing by using a password manager, which removes the need to write passwords down and supports safe sharing practices where sharing is genuinely required.

3. Employ Multifactor Authentication (MFA)

By encouraging employees to enable MFA, you're adding an extra layer of security that does not depend on the password alone. MFA requires more than one form of verification before granting access to a particular app, file or piece of software. This limits what cybercriminals can do with a few stolen passwords, because a password by itself is no longer enough to get in, making MFA a long-term, sustainable part of any password and security programme.

4. Respect your space

Employees need to understand what they're dealing with before they can respond effectively. Educating them on best practices when using the web, such as heeding browser certificate warnings and not clicking suspicious links, helps avoid attacks such as phishing and other malware-related problems. This education, paired with strong antivirus and antimalware software, could be the last line of defence between you and a crippling breach.

5. Change up passwords regularly

Although the advice on correct password etiquette has changed over the years in many respects, the author's view is that changing passwords regularly is still as important today as it ever was. While changing passwords every month is no longer encouraged, as was once the norm, it's wise to encourage staff to change their passwords every three months. Each change must be to a new, secure, unrelated password, with no reuse of previous iterations. A password manager makes this process far more manageable, since employees no longer have to memorise a different set of credentials every three months.

6. Embrace Single Sign-On solutions (SSOs)

Implementing systems that offer SSO is another reliable way of improving employees' password hygiene.

SSO is an authentication process that allows employees to access their applications using a single set of login credentials.

While SSO provides convenience for its users, it also helps ensure that the right employees access the appropriate documents with the correct level of authorisation. This additional approval step helps protect sensitive data from falling into the wrong hands.

Getting your employees on board with proper password hygiene is just the first battle. Maintaining that momentum and developing more robust systems will help keep your business's data secure, even as the threats evolve. It's important to remember that providing a convenient method for employees, such as a password manager or SSO, leads to greater uptake and more thorough execution of security measures.
