How to Implement a Strong Password Policy
Follow these 9 tips to protect your business and avoid email compromise
A password policy is an effective way to enforce email password guidelines and help keep your business secure.
Cyberattackers often use lost or stolen credentials to gain unauthorized access to systems and launch cyberattacks. In fact, more than 50% of all cyberattacks originate from an email-based compromise, according to At-Bay security research.
To prevent attackers from gaining access to your business email accounts, we recommend implementing a password policy that incorporates the following strategies to protect your business and avoid email compromise.
1. Use longer passwords
Attackers use methods like brute force attacks to gain access to your accounts. In a brute force attack, an attacker runs a program and checks all possible combinations of letters, numbers, and symbols until the password is found.
Each additional character multiplies the number of combinations an attacker must try, so the time needed to crack a password grows exponentially with its length. We recommend a password policy that requires all passwords to have a minimum of 12 characters each.
Adding a mix of numbers, symbols, uppercase letters, and lowercase letters to the password makes it very difficult to execute a brute-force attack, which is why long, complex passwords are more secure.
2. Never reuse passwords
When a large-scale data breach occurs, email addresses and passwords are often leaked online. If you reuse credentials across multiple accounts, and one of them gets compromised, attackers can easily access your other accounts as well.
If you always use a unique password for each account, your other accounts will remain secure — even if one is compromised in a breach. We recommend a password policy that prohibits variations of your existing passwords (e.g., password1, password2).
3. Never use personal information
Many people use names, birthdays, phone numbers, and other personal details in their passwords. While it often makes a password easier to remember, that information is also potentially available online and accessible to attackers.
We recommend using random combinations of uppercase letters, lowercase letters, numbers, and special characters to increase the complexity of your passwords and reduce the likelihood of a breach.
4. Always change passwords after a compromise
Large-scale data breaches occur on a near-daily basis. The passwords exposed in these breaches are publicly available as a data dump, and users are often unaware that their passwords have been exposed.
If you’re a user at an organization where a breach is reported, immediately change your password — even if your account seems unaffected. You can also use products (like Securden Password Vault for Enterprises) that proactively scan the information in data dumps to check if any passwords stored in the product match the passwords exposed in known data breaches.
5. Never text or email passwords
If you share a username and password with someone over email or text, your credentials can be exposed if their email account or device gets compromised — even if that person never shares your information with anyone else.
If you need to share credentials with another person, we recommend a password policy that requires using a secure method, such as a password manager.
6. Avoid password recycling
Similar to never reusing the same password for different accounts, you should also avoid recycling old passwords. We recommend a password policy that includes a minimum password age: the number of days a password must remain in use before the user is allowed to change it again.
Without a minimum password age, users are more likely to change their password multiple times within a few minutes and reuse their previous password.
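The rules in tips 1, 2, 3 and 6 can be enforced mechanically whenever a user sets a new password. The checker below is an added example, not At-Bay's code or any product's: the 12-character minimum comes from this article, while the one-day minimum age, the personal-information term list and the variation test (passwords compared with case, digits and symbols stripped, so that password1 and Password2 collide) are assumptions.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 12      # tip 1: at least 12 characters (from the article)
MIN_AGE_DAYS = 1     # tip 6: minimum password age (assumed value)
CHAR_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]


def _core(password: str) -> str:
    """Lower-case and strip everything but letters, so trivial variations
    such as 'Password1' and 'password2' reduce to the same core word."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(candidate: str, previous: list, personal_terms: list,
                   last_changed: str = None, today: str = None) -> list:
    """Return the list of policy violations; an empty list means accepted.
    Dates are ISO strings (e.g. '2024-01-10') so callers need no date objects."""
    problems = []

    # Tip 1: length and character mix (each class must appear at least once).
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(c, candidate)) for c in CHAR_CLASSES) < len(CHAR_CLASSES):
        problems.append("must mix uppercase, lowercase, digits and symbols")

    # Tip 3: no names, birthdays or other personal details (case-insensitive).
    lowered = candidate.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information ({term})")

    # Tip 2: neither an exact reuse nor a variation of an earlier password.
    core = _core(candidate)
    if any(candidate == old or (core and core == _core(old)) for old in previous):
        problems.append("reuses or is a trivial variation of a previous password")

    # Tip 6: minimum password age blocks rapid change-and-change-back cycles.
    if last_changed and today:
        age = date.fromisoformat(today) - date.fromisoformat(last_changed)
        if age < timedelta(days=MIN_AGE_DAYS):
            problems.append(f"changed less than {MIN_AGE_DAYS} day(s) ago")
    return problems
```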
7. Establish password audits
Periodic password audits can help you ensure everyone on your team is following all of the rules in your password policy. Once you have clearly defined rules in place, establish regular audits and track every team member’s compliance individually.
8. Implement multi-factor authentication
Multi-factor authentication (MFA) is a security setting that requires you to provide more than one method of verification to gain access. Attackers often use stolen usernames and passwords to access systems and deploy ransomware, which is why adding an additional verification method that cannot be stolen can help prevent an attack.
Implementing MFA provides an extra layer of security, requiring at least two of the following authentication factors to access an account: something you know (a password), something you have (a one-time code generated by an authenticator app), or something you are (a fingerprint).
The most common and safest verification method is an authenticator application, such as Google Authenticator, which is recommended over text messages or phone calls. We recommend implementing MFA for email, internal applications, remote network access, and any external-facing systems.
9. Use a password manager
Writing passwords down on paper or storing them in a spreadsheet are dangerous ways to manage your passwords. Instead, the most effective solution to maintaining overall password hygiene is to use a password manager. A password manager helps you create strong passwords and stores them for you in a secure digital space.
Many of our above recommendations are easy to implement and can protect your business from cyberattackers. However, if you do not have the in-house technical resources to implement these strategies, please contact your IT provider.
About At-Bay
At-Bay is the InsurSec provider for the digital age. By combining world-class technology with industry-leading insurance and security expertise, At-Bay was designed from the ground up to empower businesses of every size to meet cyber risk head on. Our InsurSec approach provides end-to-end protection for modern businesses. It’s a force multiplier that includes security, threat intelligence, and human experts to close the SMB cybersecurity gap — all as part of their insurance policy.