ETech 7 Blog | IT Services, IT Support, and IT Security

Password Best Practices: Why You Need a Password Policy Template

Written by Andro Yuson | Aug 3, 2021 3:19:23 PM

Are passwords important? Does multi-factor authentication even work? Should your employees understand the difference between weak and strong passwords? These are just some of the most common questions that we get here at ETech 7. We can’t emphasize this enough - we always encourage our clients to come up with strong passwords. Put simply, passwords are your account’s first line of defense against hackers and other bad actors on the internet. 


Without a strong password, chances are you will be easily susceptible to brute-force attacks and data leaks. However, having a strong password isn’t enough. You should also consider implementing a password policy. But before we dive deeper, let’s go back to basics. What exactly is a password?

What is a password?

According to TechTarget, a password is a string of characters used to verify the identity of a user during the authentication process. Passwords are typically used in tandem with a username; they are designed to be known only to the user and allow that user to gain access to a device, application, or website. Passwords can vary in length and can contain letters, numbers, and special characters.

 

If you’re unsure where to start, here’s a quick example. Let’s say you want your password to come from personal memory - maybe the city that you grew up in as a child? For example, let’s say you grew up in New York City - this will now be the “base” of your password. By base, we mean the word you think of when the screen asks for your password. To make it stronger, consider adding a mix of special characters, uppercase letters, numerical characters, and punctuation. Check out some samples below:

  • N3wY0rKc1ty!
  • n3wy0rkc1ty$
  • NEwYOrk123$

 

We could go on and on - but you see the difference, right? You just made your base password a lot stronger by adding special characters, making it more difficult for hackers to access your account. But sometimes, coming up with a strong password isn’t enough. As mentioned above, you may also want to consider implementing a password policy especially if your company deals with a lot of sensitive data.

 

What is a password policy?

What exactly is a password policy for? It’s no secret that weak passwords pose a huge security risk to you and your business. Password-based attacks are among the most common cybersecurity threats. Without a strong password, you are more susceptible to attacks like password guessing/resetting, keystroke logging, rainbow tables, and dictionary attacks. We all know that passwords are an important aspect of cybersecurity.

 

Why is a password policy important?

A password policy serves as a guideline that employees can turn to when coming up with a new password. A password policy may also specify the minimum number of characters for a password as well as the number of special characters, punctuation, and numerical characters a password should have before deeming a password valid. 
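As an added example (not code from the post or from ETech 7), here is a small Python checker that enforces the kind of composition rules such a policy states: a minimum length and minimum counts of uppercase, lowercase, numerical, and special characters, plus a check that the password does not embed the username it is paired with. The specific minimums and the special-character set are assumed values chosen for illustration, not numbers the post prescribes.

```python
from dataclasses import dataclass
from typing import List


# Policy numbers below are constructed for illustration; the post does not prescribe them.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    special_chars: str = "!@#$%^&*()-_=+[]{};:,.?/"


def check_password(password: str, policy: PasswordPolicy, username: str = "") -> List[str]:
    """Return the list of policy rules the password violates (an empty list means valid)."""
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(c in policy.special_chars for c in password),
    }
    minimums = {
        "uppercase": policy.min_upper,
        "lowercase": policy.min_lower,
        "digit": policy.min_digits,
        "special": policy.min_special,
    }
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"length {len(password)} is below the minimum of {policy.min_length}")
    for kind, needed in minimums.items():
        if counts[kind] < needed:
            failures.append(f"needs {needed} {kind} character(s), found {counts[kind]}")
    # A password that contains the account name it protects is an easy guessing target.
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    return failures


def is_valid(password: str, policy: PasswordPolicy, username: str = "") -> bool:
    return not check_password(password, policy, username)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # The three sample passwords from the post, checked against the constructed policy.
    for sample in ("N3wY0rKc1ty!", "n3wy0rkc1ty$", "NEwYOrk123$"):
        print(sample, check_password(sample, policy) or "OK")
```

Under these assumed minimums the first sample passes, the all-lowercase sample fails the uppercase rule, and the 11-character sample fails the length rule, which is exactly the kind of verdict a written policy lets you automate.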

 

Password Policy Best Practices

Pay attention to password strength. There are a plethora of ways to come up with a strong password. Whether it is a password from personal memory that only you would know or one generated by an online password generator, it wouldn’t be classified as a strong password unless you mix in different types of punctuation, numerical, and special characters.

 

Computerphile, a YouTube channel about all things computers/technology, has come up with a video about choosing a password. The video takes a deep dive into choosing the right password for you that's safe, secure, and unlikely to be compromised. Here’s the video: How to Choose a Password

 

Take advantage of MFA. Multi-factor authentication is an authentication method that adds multiple layers of security to an account. You, as a user, would have to provide two or more pieces of evidence to ensure that it’s really you that’s logging in - eliminating the possibility of a random automated cyberattack. SearchSecurity defines multi-factor authentication as a method that combines two or more credentials: what the user knows (a password), what the user has (a security token), and what the user is (biometric verification).

 

Always check your network access policies. In a nutshell, a network access policy protects a company’s network from unauthorized use. By limiting or controlling access to your network, you are effectively placing a security measure against bad actors that may want to harm your organization. Determining who can access your network and who can’t is a great way to minimize the risk of hackers getting into your system. This can mean restricting access to sensitive data across an organization or a company’s network as well as restricting access to the various types of applications used by a company.

 

Change passwords regularly. It doesn’t have to be every month. If you’re confident that you have created strong passwords, then you could implement a policy that requires your employees to change their passwords every couple of months. The rule of thumb for most companies is that passwords should be changed every quarter. However, there are also companies that require their employees to change their passwords every month. It all depends on you and the nature of the data that you are trying to protect. 

 

Use a password manager. Memorizing a unique password for every account that you have is a tedious and difficult task. While it’s generally okay to keep password lists on your computer (given that you’re the only one that uses the device), those lists aren’t fully protected unless they are encrypted. Thankfully, that’s exactly what a password manager does. Password managers are applications designed to generate, store, and manage all of a user’s passwords. At its most basic, a password manager keeps a user’s credentials in encrypted form.

 

Password Policy Template

If you’re wondering where to start, here’s a quick walkthrough to assist you in developing your very own password policy template. Check it out below!

 

  1. Overview - In the overview, highlight the importance of having strong passwords as part of your company’s cybersecurity efforts. You can also include all users that are responsible for taking the appropriate steps when securing their passwords.
  2. Purpose - Here’s where you explain the purpose of your password policy template and why you think it’s important for your company to have one.
  3. Scope - In this section, you should include all personnel responsible for an account (or any form of access that supports or requires a password). 
  4. Policy (General Guidelines) - Your policy should include a detailed explanation of all the rules it enforces. For instance, you should include password guidelines and how frequently passwords should be changed. As a general rule, you should also detail all password protection standards that your employees should observe.

 

While this may be an oversimplification of the things you should include in a password policy template, it’s a great place to start. Remember, a password policy should detail how passwords should be developed, stored, and updated. It should also encompass everyone that has access to your systems.

 

Key Takeaway

Technology is evolving at such a rapid pace that it can sometimes be difficult to keep up. While authentication technology is making leaps to better protect our data in the future, strong password policies seem to still be the benchmark when it comes to protecting a company’s sensitive information. 

 

If you don’t have the time to research best practices when it comes to password policies, we’re here to help! Here at ETech 7, we firmly believe that effective password management is crucial to a company’s cybersecurity measures. For more information, visit our website at www.etech7.com