Password etiquette in the workplace is crucial for maintaining cybersecurity. Best practices for password management in 2023 involve several key strategies:
- Minimum Password Length: Passwords should be at least eight characters long, as longer passwords are more secure than complex shorter ones. Shorter passwords can be hacked within a few minutes, whereas longer ones provide significantly more protection against hacking.
- Show Password Option: Allowing employees to see the passwords they type can reduce errors and lockouts, encouraging the use of more complex passwords. This practice is endorsed by NIST (National Institute of Standards and Technology) as it eliminates guesswork and reduces stress.
- Limiting Failed Password Attempts: Temporarily barring access to accounts after a certain number of incorrect attempts and locking out entirely after 100 attempts is recommended. This includes using CAPTCHA tests to ensure that access attempts are made by humans, not automated systems.
- Using Two-Factor Authentication (2FA): Alongside passwords, 2FA provides an extra layer of defense, making it harder for unauthorized users to access systems. Different 2FA options include using separate authenticator devices or U2F security keys.
- Avoid Frequent Password Resets: Frequent password changes can lead to the creation of weak, easily hackable passwords. NIST advises against making users reset passwords too often to prevent password fatigue and maintain the quality of codes.
- Copying and Pasting Passwords: Contrary to common belief, allowing users to copy and paste passwords can improve security by reducing errors. This practice is supported by NIST’s guidelines, as it facilitates correct password hygiene.
- Using Passphrases: Longer passwords, especially those that are 15 characters or more, are more secure. Using passphrases, which are essentially sentences or combinations of words, can be an effective and memorable way to create secure passwords.
- Avoiding Dictionary Words and Names: Simple words and names are easier to crack. Passwords should avoid dictionary words, simple number sequences, and personal names to enhance security.
- Blocking Password Reuse: Users should not reuse passwords across different platforms or alternate between a limited set of passwords. Password screening services can help prevent common password use across systems, and password reset systems within an organization can be designed to avoid repeat use of previous passwords.
- Screening for Common Passwords: To prevent users from choosing easy-to-remember but insecure passwords, systems should screen passwords against a dictionary. This is especially important in multinational systems, where the dictionary should relate to the language of the user.
- Using Password Managers: Password managers are still considered a great tool for managing passwords. They generate strong, random passwords, and are secure when used with a strong primary password.
- Encouraging Originality and Complexity: Passwords should be unique for each login and complex enough to avoid being easily guessed or cracked. This can be achieved by combining length, complexity, and uniqueness in password creation.
Implementing these best practices for password management can significantly enhance an organization’s cybersecurity posture and protect sensitive information from unauthorized access.