We use passwords all the time in everyday work – for example to connect to the WLAN in the office, to check our e-mails or to gain access to data. Often a single password is all that protects sensitive data from attackers. That makes it all the more important that we understand how much the security of the company depends on it.
Passwords are an effective tool to protect companies from cyber attacks. At the same time, compromised passwords are still one of the main causes of data theft. In 80 percent of those cases, the passwords are hacked, according to Verizon’s 2020 Data Breach Investigations Report. Since employees typically use a variety of passwords, a company’s attack surface is quite large. Additionally, the LastPass Password Psychology study shows that 65 percent of users use the same or a similar password across multiple accounts. This further increases the risk of a hacker attack.
An effective password policy can help. It establishes rules that employees must follow when creating, using, storing and sharing passwords. Among other things, it states that employees may not send passwords electronically to colleagues and must change them at regular intervals. It also defines the consequences of (intentional or unintentional) improper handling of login data. An effective password policy educates employees on best practices and good password hygiene, and in doing so strengthens an organization’s cyber defenses.
An effective password policy…
- is clear and understandable, avoiding technical and legal jargon so that all users can understand it;
- is easily accessible in the company’s employee handbook or intranet;
- is based on best practices such as using a password manager and two-factor authentication and does not require frequently changing passwords or security questions;
- uses special technology to promote the correct handling of passwords in everyday work life, instead of relying on users, many of whom are untrained in creating secure passwords;
- provides the IT department with a central way to manage and monitor password security in the company;
- is updated by the IT department as the threat landscape changes;
- is communicated to the employees in regular training courses.
No matter how well formulated the password policy is, the real challenge is implementing and monitoring it effectively. Only then does it offer effective protection against cyber attacks. As a first step, companies should therefore draw up a plan for integrating the policy into their existing structures. For example, settings can be activated in the directory or SSO service that reflect the company’s password requirements.
A password manager, such as LastPass Business, also allows organizations to centralize password security monitoring and requirements. The tool provides more than 100 policies that IT administrators can adapt to their company. With an effective password manager, a password policy becomes more than a written set of rules: employees have no choice but to create and use strong passwords for every login.