Create a password policy for your business

A password policy is a good way to make sure your staff has the right information to help keep their user accounts safe, and the business’ networks and systems secure.

If you manage staff in your business, at some point they’ll need access to your network. This means you’ll need to put measures in place to keep their access secure. Strong passwords are a good place to start.

Creating strong passwords for network accounts is an effective way to protect your business and keep it safe from attack. The first thing you need to do is make sure your staff understand what a good password is, and why it’s important. As a rule, passwords should:

  • be unique — used for one account only, not reused across many accounts
  • be long and strong. A passphrase made up of four or more words is often better than a password (and easier to remember)
  • not be based on personal information. For example, don’t use your pet’s name as your password. Personal information like that is easy to find online. It’s often the first thing an attacker will use when trying to access someone’s account
  • be kept safe. Encourage your staff to use a password manager to store their passwords in.

We’ve put some guidance together on creating good passwords that you can share with your staff.

How to create a good password

What you need to do

If you want to make sure your staff create strong, unique passwords for their accounts, you need to give them the tools to do so. This could mean updating your password policy.

If you manage your own network, you’ll need to:

  • review the rules around what kind of passwords your system will accept
  • define rules that will stop the system accepting weak or common passwords

If you manage your network on a cloud service, you might not be able to set the rules around password use. However, you can encourage staff to use good passwords and teach them why it’s important.

1. Ask your staff to set strong and unique passwords instead of asking them to change their password regularly

Asking staff to change their password regularly is counterproductive to good password security. People choose weaker passwords when they know they have to change them often. For example, they might simply change their password from Password1 to Password 2. Instead, ask them to create one long, strong and unique password for their account.

If your system currently prompts staff to change their password on a regular basis, change the setting. Staff should only have to change their password if you suspect their account, or the business network, might be compromised in some way.

2. Ask for longer passphrases

A passphrase of four or more words is stronger than a mix of characters, symbols and numbers, and it’s easier to remember. For example, ilikeeatingbreakfast.

Some password systems set rules asking staff to include a mix of symbols, letters and numbers. The problem with these rules is that people tend to use predictable methods to meet these requirements. It often means they will tag a ? or ! to the end of their password so that it includes a symbol. This creates passwords that are hard to remember. Instead of imposing a set of rules like this, ask your staff to use longer passwords or passphrases.

3. Encourage staff to use two-factor authentication (2FA)

Using 2FA adds an extra layer of security to accounts. It is more secure than asking security questions to authenticate users in a system. This is because security questions often relate to personal information that is freely available on online and easy for attackers to find, particularly on social media.

Using 2FA instead means that anyone who logs in to your system will need to provide something else to verify that they are who they say they are. This could be a one-time password or code sent to their phone, for example.

Using 2FA to secure your business

4. Set a password blacklist 

Simple passwords such as Password! or Welcome1 are easy for attackers to guess.  Attackers often use databases of common passwords when they’re trying to gain access to accounts.

If you manage your own network, set up your system so it won’t accept common passwords. You can configure your system to only accept long, strong passwords instead.

If you manage your network on a cloud service, circulate a blacklist of common passwords that staff should avoid using.

Some staff may worry about remembering their passwords, so encourage them to use a password manager. A password manager is an app that stores and protects your passwords. The only login details they’ll need to remember is for the password manager itself.

Keep your data safe with a password manager

If you need to help to configure your system to meet these requirements, talk to your IT service provider. They’ll be able to make the necessary changes for you.

Visit CERT NZ for more information. 
Visit ACSC for more information.