Best Practices for Passwords in Organizations

One of the most important things any organization can do to keep itself digitally safe is to address the topic of passwords. Aside from phishing emails sent to employees, compromised login information is one of the biggest and most widely used avenues of attack on digital safety. This is especially true when passwords to systems are “shared” passwords, where multiple people use the same login information to access a system.

Thankfully, using passwords effectively doesn’t have to be a major ordeal for you or your employees. Using the following methods, you can improve your password safety individually or for all of your employees.

  • If you can generate individual accounts in a system, do so. For a huge number of reasons, individual logins are much more secure than shared logins. You can track employee use, reset individual passwords without impacting others, lock a person out if needed, or implement individual access policies. If the system doesn’t allow for individual logins, find out why and push the provider to enable it, or find a new provider.
  • Enforce 2-factor authentication for all users if possible, and if not, encourage the system provider to add it. Just make sure that a system administrator can disable the feature for an individual user if needed, should a device be destroyed or the employee depart on the not-so-best of terms.
  • Utilize password complexity and change policies on your systems. I’ve seen a wide variety of different opinions and recommendations here, but it comes down to the risk the system has (such as core database versus corporate training system) and helping train employees on creating complex passwords that are memorable.
  • If an individual employee is creating an account in a system not managed by you (such as a company social media account), make sure that employee shares that password with a designated person in the organization to minimize risk of loss of access to that system. A business-class password manager is a great option here – more on that in a minute.
  • Develop an employee policy surrounding passwords that states the expectations in the employee handbook. As we all know, something like this is difficult to enforce, but having nothing leaves your employees guessing about the expectation. General recommendations are not sharing passwords for individual accounts, not reusing the same passwords in multiple systems, and not using passwords from home on work systems. Complexity and length requirements are also good to have.
  • Develop a place to store passwords that are used by more than one person, generally on systems you don’t manage such as local system administrator accounts, organizational social media accounts, tax accounts with the state or local systems, and similar types of systems. You don’t want to be in trouble down the road if a single employee is the only one with access to those systems and leaves the organization.

Many leaders have concerns about password managers, and rightfully so. You are, so to speak, putting your eggs in one basket. With that said, by not having a place to put passwords, you are leaving your employees to figure it out for themselves. They might use an Excel file, tape them to the palm rest of their laptop, put them in a notebook, write them on a piece of paper in their desk, or any number of other options. Having a password manager in place and requiring employees to use it reduces the risk that your passwords will end up where they shouldn’t be. While personal password managers are great, business-level password managers add features: passwords can be shared with the right people without texting or emailing (the password stays within the password system), password changes are instantly available to employees, the system helps employees generate strong passwords, you can view password complexities without seeing the passwords, and much more. The value of the business password manager far outweighs the risks of it being compromised.

If you need help developing or implementing a password plan or policy, or would like to explore a larger in-depth review of your digital security practices, LeadershipOne Technologies can help you walk through this process. Contact us to help improve your security practices today!
