Managing passwords and authentication in your business

Given that most – if not all – of your staff need to access your network to do their jobs, it’s important to have a robust password management process in place to keep their user accounts safe and your business systems secure.

Passwords

Staff logins are a particular point of vulnerability in any operation, and effective password management is an important step in making these access points less vulnerable.  A good place to begin is to ensure that your staff use unique, long and strong passwords that are not based on personal information for all their logins.

Creating good passwords

Default credentials

One aspect of password management that can be easily overlooked involves default credentials.

It’s worth checking that, in the excitement of installing your newly-purchased software or device, you didn’t forget to change the password that came with the box. These default login details are published online, so they make easy targets for attackers.

Password managers

Once you’re confident your staff are using strong passwords, the next step in strengthening your business’ cyber security is to get them to store their passwords in a password manager.

Password managers are an easy and secure way for everyone in your business to keep track of their passwords. A password manager is like an online safe that only you have the key to, and the beauty of it is that you only need to remember the one master password and it’ll do the rest!

There are three categories of password manager, those that:

  • store your passwords in the cloud
  • store your passwords on your computer’s local drive
  • come with your browser

Each type of password manager has its pros and cons, and it’s usually a trade-off between security and usability. In thinking about where your passwords will be stored, you should consider your ability to protect a password manager on your computer, and the sensitivity of the passwords you have. This will help you determine which option will work best for your operation.

Cloud-based password managers:

  • Store your passwords in the cloud, meaning they can be accessed from multiple devices. This is a real advantage if you do a lot of work on your laptop and mobile phone. But it means you need to be careful where you access them from – only use trusted devices and browsers.
  • Often allow you to share specific passwords when necessary. This can be useful if there are accounts – such as those for social media – that several staff members need access to.
  • May also offer the option for your staff to create their own ‘safe’ within the password manager, and store their personal passwords in it.
  • Tend to offer a range of other optional add-ons.

Local drive-based managers:

  • Store your passwords on your computer’s local drive. This means an attacker could only access them if they managed to get access to your computer – if you left it unattended and unlocked, for example, or if they managed to work out your computer password.  
  • Can be a good option if you have a lot of financial trading or bank account passwords.
  • Rely on regular back-ups of your computer being made to keep the passwords secure.
  • Mean your staff can’t access them from home or on a mobile device, so they’re less useful if you offer flexible working.

Browser-based password managers:

  • Are built in to your browser, such as Internet Explorer or Chrome.
  • Are easy to use – a message just pops up when you log in to a website asking if you want the browser to save your password.
  • Don’t have the same level of encryption, security or features as other cloud or locally-based password managers.
  • Store your passwords locally on your computer (unless your browser is synced to your other devices, in which case the passwords can be accessed from them as well).
  • As with local drive-based password managers, an attacker could only access your browser-based passwords if they managed to get access to your computer – if you left it unattended and unlocked, for example, or if they managed to work out your master password.

Once you’ve worked out which type of password manager will best protect your business systems and suit the way you and your staff work, then you’ll need to shop around to find which product is going to suit you in terms of other features and cost.

We highly recommend securing your password manager by using two-factor authentication.

Two-factor authentication for business

Password policies

Having a password policy in place not only makes it easy for everyone in the business to understand how to manage their passwords, it also explains the role their password management has in protecting your business systems.

Create a password policy for your business

Visit CERT NZ for more information. 
Visit ACSC for more information.