The Password Habits Hackers Hope Your Company Hasn’t Adopted

While coverage of recent breaches such as those at LinkedIn and Twitter has focused on the impact on consumers rather than businesses, that doesn’t mean the same thing can’t happen to a company, big or small. The reality is that attackers want access to anything they can get their hands on, especially if it’s valuable on the black market. As a CEO, owner, or even IT manager, you have far more at stake than a single consumer account, but are you doing everything you can to protect the company from an attack?

To help you evaluate your company’s current password habits and decide what else you should be adding to your toolbox, we’ve put together a list of password and security practices that most hackers hope you’re not following. Not only will they make an attacker’s job a lot more difficult, they may head off an attack entirely:

Set up password strength requirements: This sounds like a given, but many companies still don’t enforce password strength requirements, which means their employees are using short, guessable passwords. Or they stop at telling employees what they should do, but have no way to verify that they’re actually doing it. As a company, you should require lengthy passwords; length does more to resist guessing than a mandatory mix of upper and lowercase letters, numbers, and symbols, though you can require those too. Block passwords that contain the employee’s first or last name, the company name, or the word ‘password’ (including obvious variants such as ‘P@ssw0rd’), and reject any password that has already appeared in a known breach. Enforce these rules at the point where the password is set, not just in a policy document. Then go beyond that and give employees tips, such as using passphrases that don’t really make sense but are easy to remember.
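Here is what “verifying they’re doing what they should” looks like in practice: a small policy check, added here as an illustration rather than taken from LastPass or any real product, that enforces a minimum length, blocks the employee’s name, the company name and ‘password’ (after undoing leet-speak substitutions), and rejects anything found in a breached-password list. The employee name, company name and the tiny breach list are constructed sample data; a real deployment would check against a full breach corpus.

```python
"""Password policy enforcement, as an added illustration (not LastPass code).
Checks length first, then a blocklist of personal and company terms, then a
breached-password lookup. The breach list, employee and company are constructed."""
import hashlib
import re

MIN_LENGTH = 14  # length matters more than character classes

# Common substitutions people use to dodge naive blocklists: P@ssw0rd, Acm3.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s"})

# Constructed stand-in for a breached-password corpus (e.g. a Have I Been Pwned
# download): store SHA-1 digests so the plaintexts never sit on the policy server.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1!", "Summer2016", "letmein")
}


def _normalize(text: str) -> str:
    """Lower-case, undo leet substitutions, drop separators: 'P@ss-w0rd' -> 'password'."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def check_password(candidate: str, first_name: str, last_name: str, company: str,
                   breached: set = BREACHED_SHA1) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    norm = _normalize(candidate)
    blocklist = (
        ("first name", first_name),
        ("last name", last_name),
        ("company name", company),
        ("the word 'password'", "password"),
    )
    for label, term in blocklist:
        term = _normalize(term)
        # Skip very short terms ("Al") that would match almost any password.
        if len(term) >= 3 and term in norm:
            problems.append(f"contains {label}")

    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    if digest in breached:
        problems.append("appears in a known breach list")
    return problems


if __name__ == "__main__":
    # Constructed employee: Dana Morales at Acme.
    for pw in ("Summer2016", "P@ssw0rd-Acme-2016!", "correct-horse-battery-staple-42"):
        print(f"{pw!r}: {check_password(pw, 'Dana', 'Morales', 'Acme') or 'OK'}")
```

Run it as-is and the first two candidates are rejected while the long passphrase passes. Hashing the corpus rather than storing plaintexts keeps the breach list from becoming a cracking wordlist if the policy server itself is compromised.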

Require password changes: Password reuse, the same password on many sites, is one of the biggest reasons accounts get hacked these days: a breach at one service hands attackers working credentials for every other account that shares that password. Require employees to change critical passwords – computer, email, access to important data – on a schedule, and immediately after any suspicious activity or known security issue. Be aware that forcing very frequent changes pushes people toward predictable variations on the old password, so pair a rotation schedule with a password manager that generates the replacement rather than relying on rotation alone.

Have a password manager (and actually use it!): With all of these requirements and unique passwords, it’s very hard to practice good password habits without some help. That’s where a password manager comes in. A password manager like LastPass stores all of your passwords in one encrypted vault and can generate them for you. But most importantly, you have to actually update your passwords so that each one is strong and unique; a vault full of reused passwords protects nothing.

Establish levels of access: Accounts holding the company’s most sensitive access, such as server credentials and SSH keys (privileged accounts), need even more care. The first step is to ensure that not everyone can reach them. Grant access only to those who truly need it, and re-evaluate regularly whether those people still need it; an employee who changed roles last quarter probably doesn’t.

Automatically rotate passwords: Once an employee has checked out one of these privileged accounts, they know its password, and nothing stops them (or anyone who saw their screen or their notes) from using it again later. To keep the account truly protected, change the password after each use. Business-focused password managers can do this automatically, without hassle to end users or IT admins.

Review activity reports: Monitor activity on all company databases and systems, especially privileged accounts, with reports that record which account was accessed, by which user, and when. If there is a problem, you’ll know about it and will be able to identify who was using the account at that time. Look through the reports for access outside working hours or by users who shouldn’t hold the entitlement, rather than only consulting them after an incident.
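The three habits above (levels of access, rotation after each use, activity review) fit together as a check-out/check-in workflow. The sketch below is an added example, not LastPass Enterprise’s implementation: a hypothetical vault that keeps an allow-list per privileged account, logs every check-out and every denied attempt, rotates the password on check-in, and produces a report flagging denied attempts and check-outs outside business hours. Account names, users and timestamps are constructed.

```python
"""Privileged-account vault sketch: per-account allow-list, check-out/check-in
with rotation after every use, and an access log feeding an activity report.
Added illustration, not LastPass Enterprise's code; accounts, users and
timestamps below are constructed."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"


def generate_password(length: int = 32) -> str:
    """Fresh random credential from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class AccessEvent:
    account: str
    user: str
    when: datetime
    action: str  # "checkout", "checkin" or "denied"


class PrivilegedVault:
    def __init__(self):
        self._secrets = {}      # account -> current password
        self._acl = {}          # account -> users entitled to check it out
        self._checked_out = {}  # account -> user currently holding it
        self.log = []           # every access attempt, successful or not

    def add_account(self, account: str, allowed_users) -> None:
        self._secrets[account] = generate_password()
        self._acl[account] = set(allowed_users)

    def revoke(self, account: str, user: str) -> None:
        """Access review: drop an entitlement the user no longer needs."""
        self._acl[account].discard(user)

    def checkout(self, account: str, user: str, when: datetime) -> str:
        if user not in self._acl.get(account, set()):
            self.log.append(AccessEvent(account, user, when, "denied"))
            raise PermissionError(f"{user} is not entitled to {account}")
        if account in self._checked_out:
            raise RuntimeError(f"{account} is held by {self._checked_out[account]}")
        self._checked_out[account] = user
        self.log.append(AccessEvent(account, user, when, "checkout"))
        return self._secrets[account]

    def checkin(self, account: str, user: str, when: datetime) -> None:
        if self._checked_out.get(account) != user:
            raise RuntimeError(f"{user} does not hold {account}")
        del self._checked_out[account]
        # Rotate on return: the password the user saw is useless from now on.
        self._secrets[account] = generate_password()
        self.log.append(AccessEvent(account, user, when, "checkin"))

    def activity_report(self, business_hours=(8, 18)):
        """Flag denied attempts and check-outs outside the given hours."""
        start, end = business_hours
        flagged = []
        for ev in self.log:
            if ev.action == "denied":
                flagged.append((ev, "denied: not entitled"))
            elif ev.action == "checkout" and not start <= ev.when.hour < end:
                flagged.append((ev, "checkout outside business hours"))
        return flagged


def demo() -> dict:
    """Constructed scenario; returns what the report flags and whether rotation happened."""
    vault = PrivilegedVault()
    vault.add_account("prod-db-root", ["alice", "bob"])
    vault.revoke("prod-db-root", "bob")  # quarterly review: bob moved teams
    first = vault.checkout("prod-db-root", "alice", datetime(2016, 6, 1, 10, 0))
    vault.checkin("prod-db-root", "alice", datetime(2016, 6, 1, 10, 30))
    second = vault.checkout("prod-db-root", "alice", datetime(2016, 6, 2, 23, 15))
    vault.checkin("prod-db-root", "alice", datetime(2016, 6, 2, 23, 40))
    try:
        vault.checkout("prod-db-root", "bob", datetime(2016, 6, 3, 9, 0))
    except PermissionError:
        pass  # the denial is already in the log for the report to pick up
    return {
        "rotated": first != second,
        "flags": [(ev.user, ev.when.isoformat(), reason) for ev, reason in vault.activity_report()],
    }


if __name__ == "__main__":
    for flag in demo()["flags"]:
        print(*flag)
```

Two design points carry over to any real tool: the password handed out at check-out is dead by the time the user returns it, so a copied or shoulder-surfed credential buys nothing, and denied attempts are logged as first-class events, because a user trying an entitlement they lost is exactly the kind of thing the activity report exists to surface.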

Educate employees: Your company is only as strong as its least-informed, least careful employee. Your IT department could be following all of the practices above, but that means nothing if your employees aren’t following good practices as well. Educate employees on what secure passwords are, and on how to use a password manager to put those practices into action. That means not only creating strong passwords, but also not sharing them with co-workers or anyone else, storing them in a password manager rather than in notes or spreadsheets, changing them when required, and using a unique password for every single account.

While it takes time to implement these changes, the security and productivity benefits you’ll experience across the organization more than compensate for the initial investment. Get started today with a free trial of LastPass Enterprise.

One Comment

  • Daniel Bobke says:

    I would argue that password reuse does not offer much added benefit if you are already enforcing long and complex passwords or passphrases. Human nature tends towards the path of least resistance, so if someone developed a passphrase that they committed to memory, they are not going to alter it substantially if forced to change it (typically, they will alter the last character or the first character).