Compromised login credentials—email addresses, usernames, and passwords—are a common root cause of cyber hacks and security breaches. IT professionals have been harping on this topic for years, yet the numbers show that password protection is still a very serious problem that is not being fully addressed by many businesses. Unlike many issues in the IT realm, the solution in this case is relatively simple: adhering to password policy best practices is one of the most effective ways a small- or medium-sized business (SMB) can fend off potential cyber security incidents.
It’s as Important as Ever for Businesses to Follow Password Policy Best Practices
For years, studies and surveys have found that credential vulnerabilities are a major point of weakness in cyber security systems. In 2019, the Verizon Data Breach Investigations Report found that 80 percent of hacking-related cyber security breaches involved weak or compromised passwords, down only one point from 81 percent in 2017. And, in 2019, 29 percent of all breaches involved the use of stolen credentials.
The Importance of Password Protection
Clearly, many of us are failing to take password protection seriously and adhere to password guidelines and best practices. It is critical that businesses of all sizes take action and develop a company culture that respects the importance of password protection.
In many professions, law, medicine, and finance among them, practitioners have a responsibility to their customers or clients to take reasonable care to maintain the confidentiality of personal information. In the age of digital information, this has become increasingly difficult. Some cyber security incidents can occur even when reasonable care has been taken. Credential-related incidents, though, are an area in which a person’s reasonable care, or lack thereof, can be the determining factor in whether or not a breach occurs.
Government regulations, like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, add yet another layer of responsibility and potential consequences for businesses. Additional regulations are likely in the near future, as states and the US government mull over the best ways to protect consumer privacy online.
Common Attacks Should Inform Your SMB Password Management Policy
The best place to begin when creating or revising an IT security policy of any kind is to identify your SMB’s potential risks and threats. Your password management policy should be informed by knowledge of the common types of password-related cyber security incidents, how those threats work, and how you can defend your network and systems.
Brute force attacks use a program that runs mass combinations of letters, numbers, and symbols in the hope of successfully cracking a password. Dictionary attacks attempt to do the same with words from the dictionary in combination with numbers and other characters commonly used together in passwords. Social engineering attacks, like phishing emails, take a different approach, with the hacker masquerading as a trusted person or entity in an attempt to persuade users to divulge credentials under false pretenses.
Password Guidelines and Password Policy Best Practices
The vulnerability of a single user account or device can result in a breach of an entire business network. Developing a solid password policy that includes password guidelines and training of employees on those guidelines and the importance of password protection can help companies prevent avoidable cyber security incidents. Password guidelines might require that employee credentials meet the following criteria:
- Passwords are longer than eight characters and include letters, numbers, and symbols (though some recommendations favor length over diversity of characters).
- Passwords do not use personal information that is easy to discover, such as names of pets or loved ones.
- Usernames and user IDs should not be the same as passwords.
- Passwords should avoid words found in the dictionary.
- Different passwords should be used for each account.
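The criteria above can be enforced mechanically at the point where a user picks a password. The following checker is an added example, not code from the original article: it tests length, character classes, username overlap, a small constructed list of personal terms, and a small constructed dictionary (a real deployment would load a full wordlist and pull personal terms from the user's profile). It goes slightly beyond the list in one place by rejecting passwords that merely contain the username, not only those equal to it, and it strips digits and symbols before the dictionary check so that "Summer2024!" is still caught. The "different password per account" rule is not checked here because it needs data from other accounts.

```python
import re
import string

# Constructed sample dictionary; a real policy would use a full wordlist.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "football", "letmein"}
MIN_LENGTH = 9  # the guideline says "longer than eight characters"


def check_password(password, username, personal_terms=(), dictionary=COMMON_WORDS):
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms: constructed examples of easily discovered information
    (pet names, family names) that the organisation does not want in passwords.
    """
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if not re.search(r"[A-Za-z]", password):
        violations.append("no letter")
    if not re.search(r"\d", password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")

    lowered = password.lower()

    # Stricter than "not the same as": any password containing the username fails.
    if username.lower() in lowered:
        violations.append("contains username")

    for term in personal_terms:
        if term.lower() in lowered:
            violations.append(f"contains personal term '{term}'")

    # Drop digits/symbols so "Summer2024!" reduces to "summer" before the lookup.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in dictionary:
        if word in letters_only:
            violations.append(f"contains dictionary word '{word}'")
            break

    return violations


if __name__ == "__main__":
    for candidate in ("Summer2024!", "Fluffy1!", "jdoe", "correct-Horse7battery"):
        print(candidate, "->", check_password(candidate, "jdoe", ["Fluffy"]) or "ok")
```

Run as a script it prints the verdict for four constructed candidates; as a module, `check_password` can be called from a registration or password-change handler and the returned list shown to the user so they know which rule they missed.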
In addition to establishing password guidelines for all business accounts, the following password policy best practices are useful in creating an SMB password management policy:
- Determine the frequency with which passwords must be reset.
- Identify best practices and guidelines for employees accessing personal accounts on devices used for work-related matters.
- Outline procedures for password sharing and storage in devices.
- Include a lockout requirement after a specific number of failed login attempts.
- Establish guidelines, best practices, or requirements regarding multifactor authentication.
- Identify technical steps to be taken to ensure policy adherence.
- Outline training procedures and a schedule to ensure full and ongoing employee knowledge of the policy, password guidelines, and the importance of password protection.
- Identify and implement evaluation strategies and remedies for employee failure to adhere to company password policy.
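The brute force and dictionary attacks described earlier show up in authentication logs as a burst of failed logins against one account, and the lockout requirement in the list above is the control that stops them. The example below is added here and is not from the original article: it replays constructed log lines (not from any real system) through a tracker that locks an account after a configurable number of failures inside a sliding window, resets the counter on a successful login, and also totals failures per source address for a detection report. Unlocking is assumed to be done by an administrator and is not modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5           # lock after this many failures ...
WINDOW = timedelta(minutes=15)  # ... within this window

# Constructed sample authentication log; format and addresses are invented.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:05 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:07 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:09 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:11 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:20 OK user=bob src=198.51.100.4
2024-03-01T09:30:00 FAIL user=bob src=198.51.100.4
2024-03-01T09:30:05 OK user=bob src=198.51.100.4
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user_field, src_field = line.split()
    return (datetime.fromisoformat(ts), result,
            user_field.split("=", 1)[1], src_field.split("=", 1)[1])


class LockoutTracker:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(list)  # user -> timestamps of recent failures
        self.locked = {}                   # user -> time the lock was applied

    def record(self, ts, result, user):
        """Apply one login event and return 'locked' or 'ok' for that event."""
        if user in self.locked:
            return "locked"            # already locked; admin unlock assumed
        if result == "OK":
            self.failures[user].clear()  # a success resets the failure count
            return "ok"
        recent = [t for t in self.failures[user] if ts - t <= self.window]
        recent.append(ts)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked[user] = ts
            return "locked"
        return "ok"


def replay(log_text, tracker=None):
    """Feed every line of a log through the tracker; return (tracker, per-event verdicts)."""
    tracker = tracker or LockoutTracker()
    verdicts = []
    for line in log_text.splitlines():
        ts, result, user, _src = parse_line(line)
        verdicts.append(tracker.record(ts, result, user))
    return tracker, verdicts


def failures_by_source(log_text):
    """Detection view: count failed logins per source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _ts, result, _user, src = parse_line(line)
        if result == "FAIL":
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    tracker, verdicts = replay(SAMPLE_LOG)
    print("verdicts:", verdicts)
    print("locked accounts:", sorted(tracker.locked))
    print("failures by source:", failures_by_source(SAMPLE_LOG))
```

With the constructed log, alice is locked on her fifth failure and the sixth attempt is refused outright, while bob's single failure followed by a success never approaches the threshold. The per-source totals are what a monitoring rule would alert on; a threshold on that count catches a single source spraying many accounts, which a per-account lockout alone does not.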
Password Policy Best Practices: the Pros and Cons of Password Manager Applications
Another practice to consider when developing a password management policy is deploying a password manager, or recommending one to employees. When making this decision, company leaders or IT staff should consider the pros and cons of password manager applications.
Password managers are software or applications that allow users to store encrypted username and password data in a single system with one master password. Since it is difficult for people to remember various usernames and passwords for the many websites and applications we use today, and duplication of passwords and creating a written record are both discouraged, password managers offer an appealing solution.
However, storing all of your credential information in a single system under a master password does have its own risks. If you forget your master password, it could be very difficult for you to recover all of the credentials stored in the password manager. The degree of difficulty will vary depending on the settings and features of the application used.
There have also been instances of hacking of password manager systems. You can probably imagine the degree of inconvenience and potential risk that would result if all of your user credentials were compromised at once.
Still, after a weighing of the pros and cons of password manager applications, many IT professionals do recommend them. If they choose to use password management systems, business owners and IT decision-makers should thoroughly evaluate and vet potential vendors and decide if implementation will be on an individual or organization-wide basis.
A Final Word on Password Management Policy
Despite the importance of password protection, credential-related incidents will probably continue to be a leading weakness in cyber security. That doesn’t have to be the case for your business. Following password policy best practices is a simple step company leaders can take to prevent costly and embarrassing security breaches from occurring.