Password Best Practices

“Change your password” is ubiquitous advice in most IT and business circles. It seems like sound advice: if passwords change regularly, criminals have less of a chance to steal money and assets or wreak havoc.

We all know that changing your password regularly is annoying and frustrating. What we’ve seen for ourselves, and with our clients, is that forced password changes lead to weaker passwords. Password sharing and, worst of all, the “post-it note on the monitor” password are also terrible practices.

Password changes alone will not stop hacking and cybercrime. We like the approach we’ve read on How-to-Geek and encourage you to check out the article. How-to-Geek is not the only one promoting a new approach to password management. It is time to rethink how we manage passwords as individuals and as business people. To be clear, we’re not advocating doing away with password changes. There is value in the practice. However, reevaluating password change theory and password best practices is a good thing.

Here’s a brief summary of some of our favorite insights and tips of password best practices.

  1. Good passwords are hard to remember.

Because passwords are difficult to remember, people tend to make weaker passwords when forced to change that one, really good one they can remember.

  2. Changing passwords does not deter cybercriminals.

Most criminals are looking for a quick score. Hackers and thieves want to use your information, get what they can get, and disappear. Cybercriminals typically don’t hold on to passwords to commit a crime three months from now. The real task is making strong, unique passwords from the start.

  3. Your password is always vulnerable.

Are you one of those people who use the same password for everything? The odds are that your password leaks again every time one of those sites is compromised. Instead of changing the same password on different sites, make a unique password for every site. Can’t remember them all? See the next tip.

  4. Look into a good password manager.

Investigate LastPass or KeePass. These tools store your site-specific passwords and let you retrieve them when needed. In some specific instances, we’re not against writing a password down if you secure it properly. A safe deposit box or a home combination safe is ideal. Don’t leave passwords in an envelope in your desk.
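Tips 3 and 4 both come down to the same mechanism: a password manager generates an independent random secret for each site, so a breach at one site exposes nothing usable elsewhere. The script below is an added illustration of that idea; it is not code from this post, LastPass, or KeePass. The site names and the tiny word list are constructed sample data, and entropy is computed as length × log2(alphabet size) for a uniformly random string.

```python
"""Generate an independent, high-entropy password for every site.

Added illustration, not code from the original post or from LastPass/KeePass.
The site names and the tiny word list below are constructed sample data.
"""
import math
import secrets
import string

# Printable ASCII minus space: 52 letters + 10 digits + 32 punctuation = 94 symbols
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list; a real passphrase list has thousands of words,
# which is what gives a passphrase its entropy.
SAMPLE_WORDS = ["anchor", "basil", "copper", "delta", "ember", "falcon",
                "garnet", "harbor", "island", "juniper", "kettle", "lantern",
                "marble", "nickel", "orchid", "pepper"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = SYMBOLS) -> str:
    """Uniformly random password drawn with the OS CSPRNG (secrets), not random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=SAMPLE_WORDS) -> str:
    """Diceware-style passphrase: easier to remember; entropy comes from the word count."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def build_vault(sites):
    """One independent secret per site, so one breached site leaks nothing reusable."""
    return {site: random_password() for site in sites}


def all_unique(vault) -> bool:
    """Check a vault for reuse across sites (the pattern tip 3 warns about)."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    sites = ["mail.example", "bank.example", "shop.example"]  # constructed names
    vault = build_vault(sites)
    for site, pw in vault.items():
        print(f"{site:14} {pw}")
    print(f"per-password entropy: {entropy_bits(16, len(SYMBOLS)):.1f} bits")
    print(f"passphrase: {random_passphrase()}  "
          f"({entropy_bits(6, len(SAMPLE_WORDS)):.1f} bits with this toy list)")
    print("no reuse across sites:", all_unique(vault))
```

Run it as a script to see three unrelated 16-character passwords (about 105 bits each) next to a six-word passphrase from the toy list (only 24 bits, because the list has 16 words). The point of the contrast is the one the post makes: memorable secrets are weak unless they are long, so let the manager hold the strong ones.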

  5. Businesses’ IT policy should be purposeful.

Corporate IT departments should have a strong reason for forcing password changes. A specific event, such as a hack, a virus, or a disgruntled employee, qualifies as a real threat.

Check out How-to-Geek’s article to learn more about password management, and be sure to read our blog about Basic Cybersecurity Training for Employees for more ways to protect your small business.

If you want to talk about your company’s current password policies or want more password best practices, contact us! We’re always happy to chat IT.