Weak passwords are one of the leading causes of data breaches, making it essential to use and enforce secure practices. As threat actors begin to leverage more advanced tactics to steal credentials, such as AI-assisted phishing scams, your business will need to respond with stronger password protection policies, multi-factor authentication (MFA), and education to protect data.
But what is a strong password policy? And how can you create one?
What Is a Strong Password Policy?
This is a set of rules governing how users create and manage passwords to enhance security. It typically includes guidelines on password length, complexity, and best practices, all aimed at reducing the likelihood that credentials will be compromised.
For example, such a policy may require passwords to:
- Be at least 12 characters long (longer for privileged accounts).
- Include a mix of uppercase letters, lowercase letters, numbers, and symbols, or compensate for fewer character classes with extra length, as a passphrase does.
- Avoid commonly used or previously breached passwords, and anything built from personal information such as names, birth dates, or the company name.
A good policy also states plainly that passwords are never shared. Where a team genuinely needs a shared login, the credential belongs in a password vault with named access, not in an email or a spreadsheet. Together, these rules make accounts more resistant to brute force, dictionary, credential-stuffing, and social engineering attacks.
What is a Fine Grained Password Policy?
Traditional policies are blanket rules applied across the whole business. A fine-grained password policy, on the other hand, lets administrators attach stricter rules to specific users or security groups. For instance, executives and administrators handling sensitive data can be held to a longer minimum length and a lower lockout threshold than staff who only work with publicly available information. That is not to say that strong password practices shouldn’t be enforced across the board: the domain-wide policy remains the floor for everyone, and the point of a fine-grained policy is to add extra protection where needed, not to take it away.
How to Get a Fine Grained Password Policy
Active Directory Domain Services supports fine-grained password policies natively, provided the domain functional level is Windows Server 2008 or later. Each policy is a Password Settings Object (PSO), created in the Active Directory Administrative Center or with the ActiveDirectory PowerShell module, and applied to users or global security groups (never to organisational units). If a user falls under more than one PSO, the one with the lowest precedence number wins. An external IT provider can complete this setup for you if need be.
How to Configure an Active Directory Password Policy
Active Directory doesn’t just assist with fine-grained passwords – it also simplifies implementing and enforcing a baseline password policy across an organisation. The domain-wide policy is set through Group Policy, in the Group Policy Management Console rather than in Active Directory Users and Computers: edit the Default Domain Policy (or another GPO linked at the domain root) under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy and Account Lockout Policy. Only a GPO linked at the domain level governs domain accounts; the same settings in a GPO linked to an OU affect only local accounts on those computers, which is exactly why per-group variation requires a fine-grained policy instead.
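The two procedures above, the domain-wide baseline and a stricter fine-grained policy for one group, as an added PowerShell example. This is not code from the original article; it assumes the ActiveDirectory RSAT module, Domain Admin rights, and a domain functional level of Windows Server 2008 or later. The domain name, group names, account name and the specific values are hypothetical and should be replaced with your own.

```powershell
# Added example (not from the original article). Names such as corp.example.com,
# Privileged-Users and jsmith are hypothetical placeholders.
Import-Module ActiveDirectory

# 1. Baseline for every account in the domain. This edits the same settings that
#    live in the Default Domain Policy GPO under Computer Configuration > Policies >
#    Windows Settings > Security Settings > Account Policies.
Set-ADDefaultDomainPasswordPolicy -Identity corp.example.com `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# 2. Fine-grained policy: a Password Settings Object (PSO) that overrides the
#    baseline for members of one global security group. If a user is covered by
#    several PSOs, the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedUsers" `
    -Precedence 10 `
    -MinPasswordLength 16 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "90.00:00:00" `
    -LockoutThreshold 5 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# PSOs can only be applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedUsers" -Subjects "Privileged-Users"

# 3. Verify: which policy actually applies to one account, and the domain baseline.
#    Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies, meaning
#    the account falls back to the domain-wide policy.
Get-ADUserResultantPasswordPolicy -Identity jsmith
Get-ADDefaultDomainPasswordPolicy
```

Run the verification step after any change: an empty result from Get-ADUserResultantPasswordPolicy for a member of the privileged group usually means the PSO was applied to a distribution group or a domain local group, which PSOs silently ignore.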
The Importance of Strong Passwords
To understand password strength, you first need to know how threat actors defeat passwords. Most commonly they will run a brute force or dictionary attack, trying many candidates (often offline, against a stolen password hash) until the correct one is found; replay credentials leaked from an earlier breach against other services (credential stuffing); try a handful of common passwords against many accounts to avoid lockouts (password spraying); or search the target’s online presence for clues such as names, dates and pets. These tactics are effective because many users find strong passwords too difficult to remember, causing them to fall back on repeated, personal, or weak passwords that they are less likely to forget.
A strong password is one that is resistant to both of these attack methods. Some guidelines to follow include:
Do not use passwords that are easy to guess, including ones connected to personal information that may be found online. Do not use names, birth dates, or other significant details.
Do not re-use the same password across multiple sites. The first thing threat actors will do upon cracking one password is try it on other accounts. If the same credentials are used across all sites, this means they will have access to everything with very little effort.
Use passwords that are long. Every additional character multiplies the number of candidates an attacker must try, so length does more for strength than a symbol or two. ‘Passphrases’, long strings of unrelated words, are now recommended over the traditional lowercase-uppercase-number model (NIST SP 800-63B, for example, favours length and breached-password screening over mandatory composition rules). This is because many users will simply choose the shortest or most personal password that satisfies a complexity rule so as to avoid forgetting it, whereas a passphrase can be far longer without sacrificing memorability.
If you find that employees are struggling to remember their passwords, consider investing in a password manager. It stores all login credentials for them and generates a long, random, unique password for each site, removing the temptation to resort to poor practices.
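The rules in this section and in the policy example earlier, applied by a checker as an added PowerShell example (not code from the original article). It enforces minimum length, a character-class mix that long passphrases are exempt from, a blocklist of common passwords, and a ban on personal information, and it reports a rough search-space estimate so the length-versus-complexity point can be seen in numbers. The blocklist and the personal-information terms are constructed sample data; a real deployment would use a breach-derived list and the user’s directory attributes.

```powershell
# Added example (not from the original article). Sample data below is constructed.

function Get-PasswordSearchSpaceBits {
    # Rough upper bound on attacker effort: log2(alphabet ^ length), assuming the
    # attacker must search every character class that appears at every position.
    # It overstates the strength of dictionary words, so it is a ceiling, not a score.
    param([Parameter(Mandatory)][string]$Password)
    $alphabet = 0
    if ($Password -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Password -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Password -match  '[0-9]')        { $alphabet += 10 }
    if ($Password -match  '[^A-Za-z0-9]') { $alphabet += 33 }   # printable ASCII symbols and space
    if ($alphabet -eq 0) { return 0 }
    return [math]::Round($Password.Length * [math]::Log($alphabet, 2), 1)
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$PersonalInfo = @(),      # e.g. first name, surname, birth year, employer
        [string[]]$Blocklist = @(),         # known-bad passwords, compared case-insensitively
        [int]$MinLength = 12,
        [int]$PassphraseMinLength = 20      # this long or longer: exempt from the class-mix rule
    )
    $failures = [System.Collections.Generic.List[string]]::new()

    if ($Password.Length -lt $MinLength) {
        $failures.Add("shorter than $MinLength characters")
    }

    # Mix of character classes, unless the password is a long passphrase.
    $classes = 0
    foreach ($pattern in '[a-z]', '[A-Z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $pattern) { $classes++ }
    }
    if ($classes -lt 3 -and $Password.Length -lt $PassphraseMinLength) {
        $failures.Add("needs three character classes or at least $PassphraseMinLength characters")
    }

    # Common passwords: exact match, and also with trailing digits/symbols removed so
    # that "Password123!" still matches a blocklisted "password".
    $trimmed = $Password -replace '[0-9\W_]+$', ''
    foreach ($bad in $Blocklist) {
        if ($Password -ieq $bad -or ($trimmed.Length -ge 4 -and $trimmed -ieq $bad)) {
            $failures.Add("matches blocklisted password '$bad'")
            break
        }
    }

    # Personal information: case-insensitive substring match on terms of 3+ characters.
    foreach ($term in $PersonalInfo) {
        if ($term.Length -ge 3 -and $Password.ToLowerInvariant().Contains($term.ToLowerInvariant())) {
            $failures.Add("contains personal information '$term'")
        }
    }

    [pscustomobject]@{
        Password        = $Password
        Accepted        = ($failures.Count -eq 0)
        SearchSpaceBits = Get-PasswordSearchSpaceBits -Password $Password
        Failures        = ($failures -join '; ')
    }
}

# Constructed sample data for the demonstration.
$blocklist = 'password', 'welcome', 'qwerty', 'letmein', 'summer2024'
$personal  = 'Jane', 'Smith', '1987', 'NationalIT'

'Password123!', 'JaneSmith1987', 'P@ssw0rd!!!!', 'Tr0ub4dor&3',
'correct horse battery staple', 'velvet-otter-9-lantern-fog' |
    ForEach-Object { Test-PasswordPolicy -Password $_ -Blocklist $blocklist -PersonalInfo $personal } |
    Format-Table Password, Accepted, SearchSpaceBits, Failures -AutoSize
```

In the output, the two passphrases are accepted with search-space estimates well above the short complex passwords, while 'JaneSmith1987' passes every composition rule and is still rejected for containing personal information, which is the case a pure complexity check misses.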
MFA: A Necessary Layer of Security
MFA adds a second layer of protection, requiring users to verify their identity using an additional factor. Some examples include:
- A one-time passcode sent via SMS or email (the weakest option: it can be intercepted or simply typed into a phishing page).
- A time-based one-time code from an authenticator app such as Google Authenticator or Microsoft Authenticator.
- A push notification approval from an app such as Microsoft Authenticator or Duo.
- Biometric authentication like fingerprints or facial recognition.
- A physical FIDO2/WebAuthn security key such as a YubiKey, which is bound to the genuine site and therefore resists phishing.
MFA mitigates the risk associated with stolen credentials: even if a password is guessed, cracked, or leaked, a threat actor who cannot produce the second factor is stopped at the login prompt. It is not absolute, though. One-time codes and push approvals can be relayed through a phishing proxy or worn down with repeated prompts until a tired user taps ‘approve’, so pair them with user training and prefer phishing-resistant methods (security keys or platform passkeys) for administrators and other high-risk accounts.
Best Practices for Combining Password Policies and MFA
Strong passwords and MFA work best together, creating a layered defense against cyber threats. To implement these measures effectively:
- Regularly audit and update password policies to reflect current best practices, and check existing passwords against known-breached lists.
- Implement MFA wherever possible, require it on every sign-in to remote and privileged services, and use number matching or phishing-resistant methods where the option exists.
- Combine fine-grained password policies with MFA for high-risk users or applications, so that administrators get both a stricter policy and a stronger second factor.
- Conduct routine employee training to reinforce best practices, including how to recognise an unexpected MFA prompt as a sign that a password has already been stolen.
FAQs About Passwords and MFA
Is MFA necessary for my small business? Yes. MFA is a cost-effective way to significantly enhance security, especially for businesses with limited IT resources.
Can password managers be trusted? Reputable password managers encrypt your data and are far safer than reusing passwords or relying on memory.
Find Your Biggest Vulnerabilities
The prevalence of password-related data breaches calls for a strong, proactive approach to security. This threat is largely preventable if the right solutions and policies are implemented, creating a multi-layered defence that threat actors will find difficult to breach. This allows your business to focus on growth instead of constant security threats.
If you’re struggling to find the weaknesses in your security posture, National IT Solutions can help. We offer comprehensive audits to identify and address your biggest vulnerabilities, strengthening your defences against even the sneakiest cyber-attacks. Contact our team to find out more.