Maori

Password Protocol & Control

Passwords are the most common way for your organisation and the people in it to prove identity when banking, making purchases and other transactional online activities, accessing services, using email and accessing computers themselves (via User Accounts). The use of strong passwords and their secrecy is therefore vital in order to protect the organisation’s and individuals’ security and identity. The best security in the world is useless if a malicious or other unauthorised person has a legitimate user name and password. However, the generation and use of passwords can be a complex issue – and there are not hard and fast rules which necessarily apply across different business scenarios.

For this reason, password protocol and control should be a key part of your organisation’s cyber and information security strategy.

Passwords are commonly used in conjunction with usernames. However, on secure sites they may also be used alongside other methods of identification such as a separate PIN and/or memorable information or characters generated by an electronic token or keypad (called multi-factor authentication). In some cases, websites request entry of only certain password characters for additional security.

The risks of using weak passwords and not having a separate password for email accounts

People impersonating your company or employees to commit fraud and other crimes, including:

  • Accessing your bank and other online accounts.
  • Purchasing items online in your business’ name.
  • Impersonating your business or employees on social networking platforms.
  • Sending emails in your business or employees’ name
  • Accessing data held on your network.
  • Hacking into your website.

Choosing the best passwords

Do:

  • Always use a password.
  • Use a strong, separate password for your email account.
  • To create a strong password, simply choose three random words, with the addition of numbers, symbols and combinations of upper and lower case characters. Make the password at least 12 characters.
  • There are alternatives, with no hard and fast rules, but you could consider the following suggestions:
    • Choose a password with at least eight characters (more if you can, as longer passwords are harder for criminals to guess or break), a combination of upper and lower case letters, numbers and keyboard symbols such as @ # $ % ^ & * ( ) _ +. (for example SP1D3Rm@n – a variation of spiderman, with letters, numbers, upper and lower case). However, be aware that some of these punctuation marks may be difficult to enter on foreign keyboards. Also remember that changing letters to numbers (for example E to 3 and i to 1) are techniques well-known to criminals.
    • A line of a song that other people would not associate with you.
    • Someone else’s mother’s maiden name (not your own mother’s maiden name).
    • Pick a phrase known to you, for example ‘Tramps like us, baby we were born to run'” and take the first character from each word to get ‘tlu,bwwbtr’

Don’t:

  • Use the following as passwords:
    • Usernames, actual names or business name.
    • Family members’ or pets’ names.
    • Own or family birthdays.
    • Favourite football or F1 team or other words easy to work out with a little background knowledge.
    • The word ‘password’.
    • Numerical sequences.
    • A single commonplace dictionary word, which could be cracked by common hacking programs.
    • When choosing numerical passcodes or PINs, do not use ascending or descending numbers (for example 4321 or 12345), duplicated numbers (such as 1111) or easily recognisable keypad patterns (such as 14789 or 2580).

Looking After Your Passwords

  • Never disclose your passwords to anyone else. If you think that someone else knows your password, change it immediately.
  • Don’t enter your password when others can see what you are typing.
  • Use a different password for every website. If you have only one password, a criminal simply has to break it to gain access to everything.
  • Don’t recycle passwords (for example password2, password3).
  • The routine changing of passwords is not recommended, unless the accounts to which they apply have been compromised, in which case they should be changed immediately. This also applies if another account or website for which you use the same login details have been hacked.
  • If you must write passwords down in order to remember them, make sure they are meaningless to, and unusable by other people by writing them in code (substituting the characters in your password with others that you can remember, or easily work out).
  • An alternative to writing down passwords is to use an online password vault or safe. Seek recommendations, and ensure the one you choose is secure and reputable.
  • Do not send your password by email. No reputable firm will ask you to do this.

The fact that you should use different passwords for each of your accounts can make them very difficult to remember. Consider using one of the many password vaults available on the internet, but read reviews and get recommendations.

Password Vaults/Safes

There are a number of password vaults (otherwise known as password safes or perhaps another term) available for your use – some paid for, some free of charge. These enable you to store all of your company’s passwords in one, easy-to-access location so that you do not need to remember them all, or write them down. You merely need to remember one set of login details.

You should read reviews or get recommendations before entering passwords into a password vault. Whichever you choose, our recommendation is that it features two-factor authentication (2FA) – in other words, it sends a code to a nominated mobile phone or other device, which is required in order to gain access, much like when confirming an online bank payment.

For additional security, we recommend that passwords are encrypted prior to being entered into the vault and stored within your own internal network. By segregating the encrypted passwords and encryption keys in this way, they will be less susceptible to compromise should the vault suffer a data breach.

Controlling user accounts

Everybody who uses a computer should be assigned their own user account so that only they can access their files and programs. Each user account should be accessible only by entering a username and password in order to safeguard users’ privacy. Other user account features can also be set up in user accounts (Windows Vista, and Windows 8 only).

Do not use an account with ‘administrator’ privileges for everyday use, as malware could assume administrator rights. Even if you are the only user, set up an administrator account to use when you need to carry out tasks such as installing programs or changing the system configuration, and another ‘standard user’ account as your regular account. If you are not logged in as administrator, you will be prompted to enter an administrator password when you install a new device driver or program. You can manage user accounts in Windows Control Panel.

Hunt the Password from Get Safe Online on Vimeo.

 

Jargon Buster

A Glossary of terms used in this article:

Privileged user access

Access rights to computers or data – normally varying between users according to what they are and are not entitled to see.

PIN

Personal Identification Number.

Encrypted

The process of converting data into cipher text (a type of code) to prevent it from being understood by an unauthorised party.