6 Best Practices for Personal Password Management

Fully Managed offers a bounty of resources for businesses seeking to protect themselves from cybercrime. We recommend sharing this information, downloadable white papers included, with your staff, but first they need to grasp one of the most important concepts in cybercrime prevention: personal password management.
A given employee’s day-to-day online activity is often the gateway for a hacker on the hunt to take down a corporate entity. That breach is more often than not the result of a poorly protected password. Recent reports show that over 80 percent of these breaches succeeded through stolen or weak passwords. Even more concerning, the instances are on the rise, increasing by 18 percent compared to the year prior.
Clearly, enhanced education about password protection must be passed on to your staff. This is especially true for businesses that count remote workers (full or part time) amongst their human resource matrix. Remote staff may be accessing sensitive information from their laptops and mobile devices and not following the same stringent guidelines found in the office environment. In providing education on personal password management to everyone in your corporate hierarchy, you will effectively protect your organization from the prying hands of cybercriminals.
Today, Fully Managed is here to provide an easy-to-digest guide on how to keep hackers from hijacking that string of characters used to authenticate your identity.

Six Personal Password Guidelines that Will Help Keep You Free from Cybercrime in 2018 and Beyond

1. Scheduled Password Resets

Everyone knows that they’re supposed to change their passwords often, yet few actually stick to the pledge. Thankfully, if your organization uses a business software platform such as Microsoft 365 or G Suite, a maximum password age can be preset to dictate how long you can keep a password before you have to change it. For most small and medium businesses, 30, 60, or 90 days are sufficient values for forced password resets. As an individual, 90 days is just fine, unless you manage sensitive data often, or if a recent event has given you cause for concern.
However, given that not all activity will take place in the office, on company devices, and through company endorsed messaging apps, you should adopt this “best practice” at home too.

2. Keep it Complex

We know it’s tempting to use a password that draws upon a personal connection (nickname with DOB, etc.), but you should always assume that a cybercriminal already has some personal information about you. This info can be used to crack the code and expose a password. Instead, follow this protocol when generating your passwords:
  • Passwords must have at least six characters.
  • Passwords can’t contain your name or parts of your full name, such as your first name.
  • Passwords must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
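The three bullets above amount to a small, mechanical policy, and the easiest way to see where a candidate password fails is to run it through a checker. The following is an added example written for this article, not a tool from Fully Managed; it uses the article's own thresholds (six characters, three of four character types) as constants, and it assumes "parts of your full name" means any whitespace-separated word of the name, compared case-insensitively.

```python
import string

# Policy thresholds taken from the article's three bullet points.
MIN_LENGTH = 6
MIN_CHARACTER_CLASSES = 3


def character_classes(password):
    """Return the set of character types present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def contains_name_part(password, full_name):
    """True if any word of the user's name appears in the password (case-insensitive).

    Assumption: 'parts of your full name' means each whitespace-separated word.
    """
    lowered = password.lower()
    return any(part.lower() in lowered for part in full_name.split())


def check_password(password, full_name):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_name_part(password, full_name):
        problems.append("contains part of the user's name")
    if len(character_classes(password)) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character types")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the article's own example password plus two weak ones.
    for candidate in ("ExamplePasswordABC123!", "abc12", "janedoe1!"):
        verdict = check_password(candidate, "Jane Doe") or ["OK"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Because the thresholds are constants, an organization that sets a longer minimum in its own policy only has to change `MIN_LENGTH`; the check itself stays the same.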

3. Don’t Give it Up

Have you ever been out on the road and called someone back at the office (or home) with the following request: “Hey, I need you to log into my…”? While they may be able to provide that essential bit of information you need before a sales meeting, the act can one day come back to bite you. Under no circumstances should you provide anyone with your password, no matter how much you trust them. The recipient may leave the company one day, or may simply be careless with the knowledge they now have.

4. Don’t Write it Down

No one should ever write down a password, be it digitally or pen to pad. Your smartphone, laptop, or notebook can be stolen, lost, or left behind at a local cafe, and fall into the hands of the ill-intentioned. If you must jot it down in a pinch, separate the characters and take note of them in two different places. For instance, if your password is “ExamplePasswordABC123!” write “ExamplePassword” in one place, and store the other half (“ABC123!”) elsewhere, until you can commit it to memory (soon).

5. Don’t Allow Your Computer to Remember It

We know it’s convenient to accept the “allow this device to remember password” prompt, which lets you jump right back in where you left off, but please deny yourself the convenience for the sake of safety. Again, if your laptop or mobile device is lost or stolen, the password autofill function gives up the goods to whoever has it.

6. Use a Password Manager

One of the wisest moves you can make is to use a password manager. The tool will generate a unique and strong password for every account and application that you use. It will do so without requiring you to memorize or write down (as per item #4 above) the complex (as per item #2) strings of characters, and it will effectively help protect you from common password attacks, including dictionary, rainbow table, and brute-force attacks. Top password management system capabilities include encryption, cross-platform and cross-browser synchronization, mobile device support, secure sharing of credentials, and support for multi-factor authentication. CSO has provided an updated 2018 list of top password managers for Windows, macOS, iOS and Android.
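The core of what a password manager does for you is generate a long, random, unique string per account from an operating-system randomness source, which is exactly what makes dictionary and brute-force guessing impractical. The following added example (not code from any password manager or from Fully Managed) shows that generation step on its own: it draws from Python's `secrets` module, guarantees every character type named in item #2 is present, gives an entropy estimate, and hands out one distinct password per account. The symbol set and the 20-character default length are assumptions chosen for the example.

```python
import math
import secrets
import string

# Alphabets for the four character types from item #2. The symbol set is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length=20):
    """Return a random password with at least one character from every class.

    Uses the OS CSPRNG via secrets.SystemRandom, never the default random module.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)} to cover every class")
    rng = secrets.SystemRandom()
    # One guaranteed character per class, then fill the remainder from the full alphabet.
    chars = [rng.choice(alphabet) for alphabet in CLASSES.values()]
    chars += [rng.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters do not sit in predictable positions.
    rng.shuffle(chars)
    return "".join(chars)


def has_all_classes(password):
    """True if the password contains at least one character of every class."""
    return all(any(ch in alphabet for ch in password) for alphabet in CLASSES.values())


def entropy_bits(length):
    """Approximate guessing entropy of a uniformly random password of this length.

    The per-class guarantee slightly reduces this figure; it is an upper-bound estimate.
    """
    return length * math.log2(len(ALPHABET))


def fill_vault(accounts, length=20):
    """Give every account its own freshly generated password (never reused across sites)."""
    return {account: generate_password(length) for account in accounts}


if __name__ == "__main__":
    # Constructed sample account names.
    vault = fill_vault(["mail.example", "crm.example", "bank.example"])
    for account, password in vault.items():
        print(f"{account}: {password}")
    print(f"~{entropy_bits(20):.0f} bits of entropy per 20-character password")
```

A real password manager adds the part this example deliberately leaves out: the vault is encrypted at rest under a key derived from your master password, so the generated strings never have to be memorized or written down.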