Password Policy: Your First Line of Defense

With newer, more stringent data security laws and ever more complex threats from viruses and hackers, one of the most important barriers between your business and major problems is a strong password policy applied across the board. Too often, individuals and organizations run into trouble because passwords are never rotated, one password is shared across multiple accounts, no complexity is required, or there is no password at all. This can leave systems open to being hijacked by spammers, more susceptible to malware infections, compromised by malicious persons looking to wreak havoc on a network, or simply leave you exposed to legal and financial repercussions in the event of a data breach.


If an email account in your system were compromised, it could send out hundreds, if not thousands, of messages before the breach was noticed, and that would likely land the server on a blacklist. Blacklists are tools designed to stop spammers by tracking servers that send spam and blocking them until they are removed from the list. This costs time and money and is a source of embarrassment for your organization. Virus infections will typically also exploit an account with no password, using that account’s permissions to load in more infections, send out spam email and even steal data. In addition, old, unchanged passwords could allow a disgruntled former employee to gain access to information so they can manipulate, delete, or even share confidential and important data. Again, this can cause downtime, as well as potentially leaving you vulnerable to further penalties under industry- and state-specific regulations.

So what can you do to prevent these kinds of issues? Implementing a strong password policy is the easiest way to be sure you’re limiting your potential risk factors. A strong password, as defined by Microsoft, is at least seven characters long and includes at least one upper-case letter, one lower-case letter, one number, and one symbol. Ideally, dictionary words should be avoided (even as just part of the password), and passwords should not follow a common scheme across users, where knowing one password makes the others easier to guess. Ignoring these guidelines dramatically increases the chance that someone can guess a password, either through basic logic or with a “dictionary attack”, where an automated program keeps guessing likely patterns. Password sharing, and having passwords displayed in the open around an office (e.g. a Post-it note on a monitor), should be strictly avoided. Passwords should be rotated at regular intervals (at minimum 1-2x per year, depending on the type of data access) and, when an employee leaves, any passwords that he or she had access to should also be changed. Any setup where multiple user accounts share the same password should be avoided proactively, so that one employee leaving does not require everyone to change their password.
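A small audit script for the rules just listed, added here as an example and not part of the original article or of any Microsoft tool. The word list and account inventory are constructed, and undoing common digit/symbol substitutions (such as 0 for o) before the dictionary check goes slightly beyond what the text describes.

```python
import string

# Constructed stand-in for a real dictionary word list (assumption for the example).
DICTIONARY_WORDS = {"password", "welcome", "summer", "admin", "company", "letmein"}

MIN_LENGTH = 7  # the minimum length quoted from Microsoft in the article

# Undo a few common substitutions so "P@ssw0rd" is still caught as "password".
_LEET = str.maketrans("@01$3!", "aoisei")


def check_password(password: str) -> list[str]:
    """Return the policy rules the password violates (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Dictionary words are rejected even when they are only part of the password.
    normalised = password.lower().translate(_LEET)
    for word in sorted(DICTIONARY_WORDS):
        if word in normalised:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def find_shared_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group account names by password; a group with more than one member is a shared password."""
    by_password: dict[str, list[str]] = {}
    for user, password in accounts.items():
        by_password.setdefault(password, []).append(user)
    return {pw: users for pw, users in by_password.items() if len(users) > 1}


# Constructed inventory for the example; in practice this would come from a
# controlled audit export, never from a file kept around on disk.
SAMPLE_ACCOUNTS = {"alice": "Tr!ck3d-Gull", "bob": "Sh@red!1", "carol": "Sh@red!1", "dave": "summer2024"}

if __name__ == "__main__":
    for user, pw in SAMPLE_ACCOUNTS.items():
        print(user, check_password(pw) or "ok")
    print("shared:", find_shared_passwords(SAMPLE_ACCOUNTS))
```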

Certain industries (financial and health care, in particular) may be subject to stricter regulations, but following these basic guidelines helps your organization avoid unnecessary and preventable headaches. As with any “best practices”, they are certainly not 100% foolproof, but they put your organization in the best position not to get bogged down with problems that could have been easily prevented by a proactive approach to security. If you have questions about passwords on your systems, contact us anytime at 866-9MH-TECH or email us at support@mhconsults.com.