Data Security Advice: Why You Need a Strong Password Policy

Customers fear privacy leaks. In the U.S., 74% of internet users worry about their online privacy more than ever before.

Enforcing a strong password policy and encouraging secure passwords are important for data security in such a high-risk environment.

With most of your personal information and private communication being stored online, you need a strong password policy to address cybersecurity risks.

Here’s what you’ll learn:

What is a Strong Password Policy?

Importance of Password Security

Secure Password Guidelines

Password Policy — Essentials

Password Security Best Practices

Final Thoughts  —   Importance and Best Practices of a Strong Password Policy

What is a Strong Password Policy?

A strong password policy is an organization’s first line of defense against intruders. It refers to a set of rules you enforce to improve security. These rules encourage users to create strong passwords and store them properly.

Password policies detail:

  • How passwords should be stored
  • When to update passwords
  • How to use passwords

Organizations often enact a strong password policy as part of their security awareness training.

Importance of Password Security

Businesses should never underscore the importance of password security. They need to protect their users and their information against common security breaches.

An organization’s passwords are as strong as its password policy, so enforcing a strong password policy goes a long way in maintaining a baseline security level.

Here are some scenarios that illustrate the importance of password security.

1. Network Security.

Weak passwords make it easy for cybercriminals to enter your infrastructure.

The 2020 pandemic saw the shift to remote work, bringing an increase in cyberattacks. At the height of the pandemic, the FBI reported a 300% increase in reported cybercrimes.

In 2021, 36 billion company records were exposed — 61% were caused by stolen or compromised user credentials.

You can prevent these password attacks by having a strong password policy.

For example, it would be difficult for cybercriminals to perform a brute force attack – a cyberattack wherein they break into your account by decrypting passwords using powerful computing machines and trying all combinations — if you have a strong password.

2. Accountability.

A strong password policy includes guidelines for user authentication.

Technologies like one-time passwords, smart cards and biometrics add layers of security and let system administrators and technicians track the activity on company or customer systems.

3. Detection of Password Sharing or Reuse.

With high password security, you can detect if the users accessing their accounts are the same users who signed up or are sharing passwords and using each others’ accounts.

Secure Password Guidelines

Guidelines for a strong password policy

Now that you know the importance of password security let’s delve into the characteristics of a strong or complex password.

The U.S. National Institute of Standards and Technology (NIST) released Digital Identity Guidelines organizations can implement for a strong password policy. The NIST recommends these guidelines when creating a secure password:

Password Complexity

While enforcing a strong password policy, you need to set requirements that prevent users from creating weak passwords. You can do so by increasing your password complexity by requiring:

  • Numbers
  • Uppercase letters
  • Lowercase letters
  • Special characters

Password Length

A long password is a strong password as each additional character means more variations — making it harder for brute force attacks to break through.

For a strong password policy, you must generate longer passwords. It complements password complexity.

The NIST encourages users to choose long passwords or passphrases of up to 64 characters (including spaces).

Other studies have also shown that password length was a primary factor of password strength.

Password Policy — Essentials

For a strong password policy, you need to cover the following security essentials.

1. Set a Minimum Password Length.

Require a minimum password length of eight characters, including at least one uppercase, lowercase, number and special character.

Recommend using a passphrase (minimum of 15 characters).

2. Set a Minimum and Maximum Password Age.

Password age is the time (in days) you can use a password for.

Setting a minimum and maximum password age can stop users from changing passwords too often and using expired passwords correspondingly.

Windows recommends a minimum password age of one day, while others recommend anywhere between three to seven days.

The NIST guidelines previously recommended password changes every 90 days (180 days for passphrases). The latest NIST recommendation is to create a new password when user accounts are potentially threatened or suspected of unauthorized access.

Avoid setting the minimum password age to 0 days (enabling immediate password changes) as some users might change their minds and revert to their old passwords, compromising network security.

3. Enable Multi-factor Authentication.

Multi-factor authentication (MFA) is used to verify a user, application or device by presenting several identifiers.

It provides an extra layer of security by requiring users to verify using an email or a phone number to access their account, reducing the likelihood of cyberattacks.

4. Restrict Password Reuse.

A recycling sign with a caption that says, “Passwords are non-recyclable material.”

Recycling is good for the environment but not for data protection.

Although most users understand that simple passwords pose a security risk, 40% of people still reuse passwords because creating a complex password takes time and effort. They find it difficult to remember a strong password.

Enforce a password history requirement to limit the use of previous passwords. Storing five to ten previous passwords will stop the reuse of favorite passwords.

5. Restrict Failed Login Attempts.

For a strong password policy and network security, you must restrict the number of failed login attempts.

Plugins like Login LockDown record the IP address and timestamp of every failed login attempt. If the number of failed attempts from the same IP range exceeds the set point, it locks down the login function.

Password Security Best Practices

  1. Never share your password with others.
  2. Use different passwords for each account.
  3. Use a password manager.
  4. Don’t log in from public computers.
  5. Check whether your passwords have been compromised.
  6. Create a secure password.

As cybercrime techniques continually evolve, it’s essential to update your education and awareness campaigns. Continuously educate both employees and customers with these password policy best practices:

1. Never Share Your Password with Others.

You would never share your ATM pin or credit card security code with anyone, so why would you do the same to your password?

Your login credentials protect information as important as the money in your bank account. If you encounter someone asking for your password, it’s a scam. Report it to IT support in your company and don’t share your password.

2. Use Different Passwords for Each Account.

You use different keys for your house, car or mailbox. The same should be true for your online accounts.

If a hacker obtains your password, they’ll first check whether that password works for other websites. By using different passwords for each account, hackers won’t be able to access other accounts when they hack into one.

3. Use a Password Manager.

Icons of popular password managers OneLogin, 1Password, Dashlane, LastPass and RoboForm.

Google shares that 75% of users find it difficult to manage their passwords; thus, they resort to common passwords.

Password managers can resolve that. They encourage complex passwords while eliminating the need to remember them as they store passwords and even generate unique, complicated passwords for you. 

Popular password managers include LastPass, Dashlane, OneLogin, RoboForm, KeePass and 1Password.

4. Don’t Login from Public Computers.

Meme that says “when you realize you didn't log out of your school account on a public computer.”

Using public computers poses a security risk. You don’t know if the owner or previous user installed malware or other malicious software to steal your password.

Someone can also look over your shoulder to view your password. Or you might forget to log out of the computer — leaving your login credentials — letting the next visitor log into your account.

Whether your employees are using a public computer or not, remind users and employees to log out of their accounts after use.

5. Check Whether Your Passwords Have Been Compromised.

Web browser extensions like Mozilla’s Firefox Monitor and Google’s Password Checkup can show you your email addresses and passwords that have been compromised in a data breach.

6. Create a Secure Password.

Follow the best practices for creating a strong password, such as:

  • Passwords must be at least 8 characters.
  • Passwords must contain a mix of different characters — uppercase, lowercase, numbers and special characters.
  • Your password must not contain personal information.
  • Do not reuse old passwords.

Final Thoughts: Best Practices for a Strong Password Policy

With cyberattacks happening left and right, you cannot ignore the importance of password security.

It’s your responsibility to keep your customers and their data safe. One way to do so is by creating and enforcing a strong password policy.

Follow @Bluehost for more website security tips.

Machielle Thomas
Machielle Thomas | Content Manager
Machielle Thomas writes and curates web and email content for marketing professionals, small business owners, bloggers, and more.

Leave a comment

Your email address will not be published. Required fields are marked*