One area where a lot of organisations fall short is password security. This represents a major risk. Individuals frequently choose weak passwords and reuse the same password(s) multiple times. For example, research by the NCSC and security researcher Troy Hunt found that the password “123456” had been used 23 million times in breaches that Troy analysed.
Attackers commonly utilize lists of the most frequently used passwords when attempting to gain access to either your device or accounts.
However, there is no need to panic. According to the NCSC, “(p)asswords – when implemented correctly – are a free, easy and effective way to prevent unauthorised users accessing your devices or accounts.”
When using passwords, the NCSC suggests 5 Password Tips for SMEs to keep in mind
Tip 1: Make sure you switch on password protection
This may seem obvious, but many people forget to do this, particularly on devices like smart phones or tablets. To ensure protection, you should set a screenlock password, PIN, or other authentication method (such as fingerprint or face unlock).
You should also ensure that your office equipment (i.e. laptops and PCs) all use an encryption product (such as BitLocker for Windows) using a Trusted Platform Module (TPM) with a PIN, or FileVault (on macOS) in order to start up. Most modern devices have encryption built in, but you may still need to configure and enable it.
Tips 2: Use two-factor authentication (2FA) for ‘important’ accounts
Wherever possible, you should enable 2FA for any of your accounts. It adds a large amount of additional security for not much extra effort. 2FA requires two different methods to prove your identify before you can use a service or access an account, usually a password and one other method (e.g. PIN, a code sent to your phone, fingerprint scan, etc.).
Tip 3: Avoid using predictable passwords
As mentioned above, predictable passwords are used with alarming frequency. To help avoid this, the person in charge of IT within your organisation should give staff actionable information on setting passwords.
As a general rule the NCSC suggests you think of passwords that are easy to remember, but hard for someone else to guess. Staff should also avoid using the most common passwords, which criminals can easily guess. The NCSC has some useful advice on how to choose a non-predictable password.
Tip 4: Help your staff cope with ‘password overload’
There are several things you can do to improve your security. Your staff have numerous non-work related passwords to remember, so enforce password access to a service only only if you need to. Wherever you use passwords to access a service, you should only enforce password changes when you suspect a compromise of the login credentials.
As staff tends to forget passwords, you should make it easy to them to store and reset their passwords. A way to store passwords but also to create is using tools like password managers. In that way you can store all your passwords under a ‘master password’, which will have to be a strong one. A good example of creating a strong password is using 3 random words.