Choose passwords that would be difficult for others to guess and then don’t update them regularly. A strong password should contain a mix of upper and lower case letters, numbers and symbols.
If you choose strong passwords, then so long as they’re not compromised there is no need to change them. This approach works best when used with a password manager.
Use a password manager like LastPass or RoboForm to simplify the management and administration of passwords. Both LastPass and Roboform have a free product offering which is quite capable.
Making password management a chore is a guaranteed way to encourage staff to take shortcuts with passwords and potentially use the same password over and over, or write them down. Don’t make password management any more of a hassle than it needs to be.
Use a different password for every account/profile – that way if a password is compromised only one account / profile / service is affected – not all.
Don’t share your passwords with anyone.
Two factor authentication (2FA)
- With the increasing use of Cloud Service Providers, two factor authentication provides protection against compromise of your security, in the event that a user’s password becomes known by a scammer.
- How 2FA works, is that anytime a service is accessed from an unknown (or new) device for the first time. A challenge / alert is sent to a known device (typically a user’s mobile phone).
- This way if a password to an account becomes compromised, the user is alerted by the challenge / alert on their mobile phone – which prevents their account from being accessed even though their password has been compromised.
- The user can then reset their password.
Failed login attempt monitoring
- Many Windows applications are susceptible to brute-force password hacking attempts (i.e. trying to identify the user’s password by repeatedly attempting to authenticate with different passwords).
- However applications that use a Web portal for authentication frequently do not lock out a user account after a certain number of failed login attempts.
- For your on-premise servers, implement failed login attempt monitoring to address this security risk.