The purpose of a password is to protect sensitive data from unauthorised access.
For a long time, to maintain that protection, we have told employees to create ever more complex passwords and to change them ever more often.
That advice is now wrong! What is the point of a password system that makes employees' lives harder and no longer provides proper protection? Most current password practices were designed for a different age and are no longer fit for purpose. One enormous lesson of the COVID pandemic is that the work environment is now totally different:
- Systems and data used to be accessible only in a single office, on a single device, on a single network, where the trusted people were easy to identify.
- Now many (unseen) people work on many (known and unknown) devices, on many networks, on many different systems, at many locations. How do you know what to trust?
- Cybercrime is now industrialised, which means old defences are beaten easily and cheaply. Attackers can profitably target individuals, let alone small businesses.
- Attacks will happen, so you need to contain and limit the spread and damage when they do.
However, Human Nature is unchanged:
The more rules, complexity and changes you introduce, the more people will look for an easy way around them:
- Use the same password for every system: once it is known, the attacker has access to everything.
- Make predictable changes (e.g. !Password1 simply becomes !Password2, and so on).
- Use the same substitutions every time (! at the start or end, $ for s, @ for a, 1 for l, etc.). Password-cracking tools apply exactly these substitutions automatically, so they add almost nothing.
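The habits above are easy to catch at password-change time. The following Python is an added example (not code from the original page) of a check that undoes the common substitutions, strips the trailing counter, and rejects a new password that is just a cosmetic variant of the old one or is built around a blocklisted word. The LEET table, the BLOCKLIST contents and the sample passwords are constructed for illustration; a production check would use a breach-derived blocklist.

```python
import re
from typing import List, Optional

# Letter swaps users commonly make (the page's examples plus a few equally
# common ones; constructed table, extend as needed). Mapping them back lets
# !Password1 and P@ssw0rd2 collapse to the same underlying word.
LEET = str.maketrans({"@": "a", "$": "s", "1": "l", "0": "o", "3": "e", "4": "a", "|": "l"})

# Constructed sample blocklist. In production use a breach-derived list
# rather than a handful of words.
BLOCKLIST = {"password", "welcome", "letmein", "qwerty"}


def base_word(password: str) -> str:
    """Reduce a password to the memorable word the user built it around."""
    # 1. Drop decoration such as a leading or trailing ! or #.
    core = re.sub(r"^[^A-Za-z0-9]+|[^A-Za-z0-9]+$", "", password)
    # 2. Drop a trailing counter, so Summer2023 and Summer2024 match.
    core = re.sub(r"\d+$", "", core)
    # 3. Undo character swaps and ignore case.
    return core.translate(LEET).lower()


def is_predictable_change(old: str, new: str) -> bool:
    """True when the new password is only a cosmetic variant of the old one."""
    return base_word(old) == base_word(new)


def check_new_password(new: str, old: Optional[str] = None, min_len: int = 8) -> List[str]:
    """Return the reasons a proposed password should be rejected (empty list = accept)."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if base_word(new) in BLOCKLIST:
        problems.append("built around a blocklisted word")
    if old is not None and is_predictable_change(old, new):
        problems.append("cosmetic variant of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs of (previous password, proposed password).
    for old, new in [("!Password1", "!Password2"), ("!Password1", "P@ssw0rd2"),
                     ("Summer2023", "blue kettle marathon")]:
        print(f"{old!r} -> {new!r}: {check_new_password(new, old) or ['ok']}")
```

The check compares the normalised base words rather than the raw strings, which is why !Password1 to P@ssw0rd2 is caught even though no character position is the same.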
The new Best Practice Password System:
- Introduce 2-factor authentication for all systems (e.g. a separate prompt on your smartphone to make sure it's you; a prompt that asks you to match a number shown on screen, or a hardware security key, is better than a plain approve/deny prompt or an SMS code).
- Passwords should be a short phrase (not a single word) that contains no personal information and is easy to remember, e.g. three or four unrelated words. Avoid well-known lyrics and quotations, as these appear in cracking wordlists.
- Use a password manager so that every system can have a different password without anyone having to remember them.
- Introduce risk-based protection and analysis:
- Automatically report or block logins from locations you will never travel to, or from two places too far apart for the time between the logins.
- Automatically restrict what unknown devices can do with your data, e.g. if a device is unmanaged, do not allow edits or downloads.
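The two risk-based rules above, as an added Python example (not code from the original page): each login is checked against the countries the user is expected to sign in from, against the distance and time since that user's last accepted login (impossible travel), and against whether the device is managed, and the result is allow, restrict or block. The ALLOWED_COUNTRIES policy, the MAX_KMH and GEO_SLACK_KM thresholds and the SAMPLE_LOGINS events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple


@dataclass
class Login:
    user: str
    when: datetime
    country: str          # from IP geolocation
    lat: float
    lon: float
    managed_device: bool  # True if the device is enrolled in management


# Hypothetical per-user policy: countries each person could plausibly sign in from.
ALLOWED_COUNTRIES: Dict[str, set] = {"alice": {"GB", "US"}, "bob": {"US"}}

MAX_KMH = 900       # roughly airliner speed; faster than this is "impossible travel"
GEO_SLACK_KM = 50   # tolerance for IP geolocation jitter (assumed value)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(login: Login, previous: Optional[Login]) -> Tuple[str, str]:
    """Decide 'block', 'restrict' or 'allow' for one login and say why."""
    if login.country not in ALLOWED_COUNTRIES.get(login.user, set()):
        return "block", f"{login.country} is not a location {login.user} signs in from"
    if previous is not None:
        km = haversine_km(previous.lat, previous.lon, login.lat, login.lon)
        hours = (login.when - previous.when).total_seconds() / 3600
        # Block if the distance could not have been covered since the last login.
        if km > GEO_SLACK_KM + MAX_KMH * max(hours, 0):
            return "block", f"impossible travel: {km:.0f} km in {hours:.1f} h"
    if not login.managed_device:
        return "restrict", "unmanaged device: view only, no edits or downloads"
    return "allow", "managed device from an expected location"


def evaluate_stream(logins: List[Login]) -> List[Tuple[str, str]]:
    """Evaluate logins in order, remembering the last accepted login per user."""
    last_seen: Dict[str, Login] = {}
    decisions = []
    for login in logins:
        decision, reason = evaluate(login, last_seen.get(login.user))
        if decision != "block":          # a blocked login must not become the new baseline
            last_seen[login.user] = login
        decisions.append((decision, reason))
    return decisions


# Constructed sample events (not real log data).
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 5, 6, 9, 0), "GB", 51.5074, -0.1278, True),    # London, managed laptop
    Login("alice", datetime(2024, 5, 6, 10, 0), "US", 40.7128, -74.0060, True),  # New York an hour later
    Login("alice", datetime(2024, 5, 6, 11, 0), "GB", 51.5074, -0.1278, False),  # London, personal phone
    Login("bob", datetime(2024, 5, 6, 11, 5), "BR", -23.5505, -46.6333, True),   # Sao Paulo, never expected
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the constructed sample through the evaluator."""
    return evaluate_stream(SAMPLE_LOGINS)


if __name__ == "__main__":
    for login, (decision, reason) in zip(SAMPLE_LOGINS, run_sample()):
        print(f"{login.when:%H:%M} {login.user:<6} {decision:<8} {reason}")
```

Note that a blocked login is not recorded as the user's last position; otherwise an attacker's blocked attempt from abroad would make the legitimate user's next login look like impossible travel.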
If you do this, then:
- Passwords can stay reasonably short: 8 characters is the accepted minimum, and a memorable phrase comfortably exceeds it without being hard to type.
- Passwords rarely need changing at all: only when a compromise is suspected, or at most once a year.
Even better, with hardware that supports it (a managed, trusted device with a built-in authenticator, signing in with a passkey or security key), you can get rid of passwords altogether on that device. Your employees will really appreciate the difference, and your security will actually work!
If you need help, feel free to give us a call; we're happy to lend our expertise to your organisation.