Creating a Password Security Policy for Your Organisation

Password protection has been a main focus in cyber security education for almost as long as computers have been around. Passwords can be seen as the keys to the kingdom when it comes to an organisation's IT assets.

When it comes to any physical assets, many organisations require employees to access their facilities using a key or key card. They have any open areas or vulnerable spaces monitored by security and ensure visitors or clients report to reception before being authorised to access the building. 

In many ways, passwords can be seen as the keys to an organisation’s virtual network and its IT assets. They should therefore be managed with the same care as access to the organisation's physical location, so that unauthorised access does not occur.



How Are Passwords Discovered?

According to a recent report, lost or stolen credentials remain the number one hacking tactic used by cyber criminals to commit data breaches, while compromised or weak passwords are responsible for 35% of all breaches. 

Cyber attackers use a variety of techniques to discover a password, including exploiting social and technical vulnerabilities. These techniques can include:

  • Password spraying - Attackers use a small number of password combinations that are commonly used in an attempt to access a large number of accounts.
  • Brute Force Attack - Concentrating on a specific account and using a system to automate the guessing of a large number of passwords until the correct combination is found. 
  • Social Engineering Attacks - Using phishing attacks, spear phishing and smishing to trick users into giving away sensitive information. 
  • Leaked Data - Using personal information and passwords leaked from data breaches to access other systems which may be using the same password. 
  • Insecure Passwords - Using passwords found on sticky notes near a device or within documents stored in a device to access accounts.
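
The first two techniques leave different footprints in failed-login records, which is why a per-account lockout alone does not catch spraying. The following detection sketch is an added example, not part of the original article; the event shape `(source_ip, username)`, the thresholds and the sample data are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed failed-login events as (source_ip, username); not real log data.
SAMPLE_FAILURES = (
    [("198.51.100.7", f"user{n:02d}") for n in range(20)] * 2   # 2 guesses on each of 20 accounts
    + [("203.0.113.9", "alice")] * 30                            # 30 guesses on one account
    + [("192.0.2.10", "bob")] * 2                                # an ordinary typo
)

def classify_failures(events, spray_min_accounts=10, spray_max_per_account=3,
                      brute_min_attempts=20):
    """Return {'spraying': [ips], 'brute_force': [usernames]} for one time window."""
    per_source = defaultdict(Counter)   # ip -> failures per username
    per_account = Counter()             # username -> failures from all sources
    for ip, user in events:
        per_source[ip][user] += 1
        per_account[user] += 1

    # Spraying: one source touches many accounts but stays under any
    # per-account lockout threshold by trying only a few passwords on each.
    spraying = sorted(
        ip for ip, users in per_source.items()
        if len(users) >= spray_min_accounts
        and max(users.values()) <= spray_max_per_account
    )
    # Brute force: many failures concentrated on a single account.
    brute_force = sorted(
        user for user, count in per_account.items() if count >= brute_min_attempts
    )
    return {"spraying": spraying, "brute_force": brute_force}

if __name__ == "__main__":
    print(classify_failures(SAMPLE_FAILURES))
```
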

Having a robust password policy is key to ensuring all employees, whether remote or in office, have a clear understanding and awareness of how to effectively manage and store their passwords to ensure they don’t fall into the wrong hands.



What to Include in a Password Policy?

A password policy should be developed with both in office and remote employees in mind. It should improve IT security by motivating all employees to create dependable, secure passwords that are stored and utilised in the proper manner.

Normally, a password policy is part of the organisation's official regulations and may be employed as part of an organisation's overall security awareness training. 



Password Length

A robust password should be at least 12 characters in length. Find the right balance between length and the ability to remember passwords. There is no point in creating a 32-character password that you will have difficulty remembering.



Adding Symbols and Numbers

Adding symbols and numbers to a password increases complexity and makes it more robust.



Exclude Dictionary Words

Don’t choose a dictionary word as a password. Cyber attackers can use a method known as dictionary attacks to attempt to crack account passwords based on the words found in a dictionary. 



Password Reuse

Avoid using the same passwords on multiple accounts. If a password is recycled across different accounts and a breach occurs, the supply of valid passwords available for a cyber security attack increases and the threat to an organisation becomes more critical.



Use a Password Manager

Password managers are essentially encrypted digital vaults used to generate and store passwords for multiple accounts. The software locks all passwords behind one single, strong master password, meaning only the master password needs to be remembered by the user.



Multi-Factor Authentication (MFA)

Any account that needs a password should have Multi-Factor Authentication (MFA) enabled. MFA will generate a random token which will need to be supplied in addition to an account's password. These tokens can be sent to the account holder's mobile phone via SMS or can be generated through an app such as Google Authenticator.



Train Your Team on Password Best Practice

Education is key to ensuring your organisation is protected from cyber security attacks caused by weak passwords. There is a lot of conflicting advice online on what constitutes a secure password, so it is crucial that employees understand best practice and are fully versed in what the organisation's password policy requires of them. Training should include information on:

  • The risks of recycling passwords over multiple accounts
  • How to create a strong and secure password
  • How to use a password manager for password management and password generation
  • How to enable Multi-Factor Authentication on all accounts



How can we help?

We hope these tips on password security give you a better understanding of how to develop a robust password security policy and what exactly you need to train your employees on.

However, these simple recommendations can only go so far.

Secora Consulting provides a range of services that can help you to assess the security of your organisation. Our cyber security assessments focus on gaining an insight into weaknesses in your current security posture which may leave you vulnerable to the most common cyber-attacks.

Our baseline assessments focus on quickly bringing your systems in line with best practices by identifying missing patches and known issues in your systems. If you are interested in a more in-depth assessment of your infrastructure, ask us about our penetration testing services, where we will identify and exploit vulnerabilities in your network, showing just how far an attacker could get. Get in touch with us today to discuss your specific requirements.


