In today’s digital landscape, businesses are increasingly grappling with the repercussions of cybercrime. Cyberattacks are escalating in frequency, and the resulting damage is growing at an unprecedented rate. Among the most significant vulnerabilities for organizations are their passwords, which serve as the entry point into an account and, consequently, represent the weakest link in their security infrastructure.

The initial step towards safeguarding this vulnerability involves the establishment of robust passwords. The most effective way to ensure this is by implementing a stringent password policy within your team. Here, we explore the key components that should be included in an effective password policy.

Random Passwords of Adequate Length

Your password policy should mandate the use of fully randomized passwords, generated by a password generator rather than a human mind. This is because humans tend to create passwords that are easy to remember, but not necessarily resilient against attacks. Such passwords are susceptible to brute-force attacks, where attackers employ software to “guess” users’ passwords.

However, randomization isn’t the only strategy to create robust passwords. Increasing the length of the password, ideally to 16 characters or more, can also enhance its strength. The rationale behind this is simple: the longer the password, the more effort it takes for hackers to crack it.

The Power of Passphrases

While random passwords are secure, they are notoriously difficult to remember. One solution to this problem is the use of passphrases, which strike a balance between password length and memorability. Passphrases are extended sequences of easily remembered words, such as “mortician profusely decent easeful”. The length of the passphrase makes it difficult to crack, while its simplicity makes it easy to remember. Passphrases are particularly useful for unlocking your password manager, which we will discuss later.

Avoid Password Reuse

An essential component of any password policy is the prohibition of password reuse. Each of your accounts should have a unique password, and old passwords should never be recycled. For every new account you create, you should generate a new, random password.

The rationale behind this is to prevent credential stuffing, a technique where a hacker uses leaked logins from a major breach and tests them on numerous sites. This type of attack is prevalent and has been implicated in high-profile data leaks. By ensuring that you never reuse passwords, you can effectively neutralize this threat.

Multi-Factor Authentication (MFA)

While passwords safeguard your accounts, multi-factor authentication (MFA) can safeguard your passwords. In addition to your password (the first factor), MFA requires a temporary code, typically generated by an app on your phone. To access an account, you need to enter both the password and the code from the MFA app.

Using MFA means that even if somebody unauthorized were to get access to your password, they would also need to have the phone or other device that has your MFA app on it to gain entry to your account. MFA is the best way to defend against phishing attacks. It’s a powerful tool, but sadly underutilized.

Use a Password Manager to Ensure Compliance

Though a good password policy may differ across different teams and companies, these elements are vital to the security of any organization:

  • Random passwords
  • Long passwords
  • Unique passwords
  • MFA

Of course, this brings to mind another issue, namely how you’re going to manage it all. Remembering long, random passwords is practically impossible — that’s their strength, after all — and manually keeping track of them on a piece of paper is not secure.

To make sure your team actually implements your password policy, they’ll need a password manager, a piece of software that can store your passwords for you.

A good password manager will not just store passwords, but also have a built-in password generator to create random passwords of any length whenever you need them. It will also autofill passwords whenever you log in to a site where you have an account, making password managers not just vital to security, but a massive improvement to your digital quality of life.

The best password managers will also alert you when you duplicate passwords across accounts, too, so you don’t fall into the trap of reusing passwords. Rather than have dozens of vulnerabilities, you have only one, and a well-used passphrase can do a great job of protecting that one, too.

Proton Pass and Your Password Policy

My recommendation (this is not a paid article) are products from Proton! They developed Proton Pass as an alternative password manager that does all the above, and then some. Not only can it manage and generate passwords, they also give you the option to generate secure passphrases, in case you need a password that’s easier to remember. It also autosuggests and autofills as you browse, making account admin a lot easier.

Proton Pass also offers your organization security in other forms, like through our hide-my-email aliases, which enter a spoofed email address when creating a new online account, offering an extra layer of anonymity. You can also subscribe to their advanced plans and get access to Proton Sentinel, an advanced program that helps protect against phishing attacks.

Most importantly, though, Proton Pass for Business has MFA support built-in, making it much easier for your team members, and organization as a whole, to adopt this vital security tool. Instead of having to deal with cumbersome apps, all your tools are in the same place. Same security, far less hassle.

Microsoft Intune and Conditional Access

In addition to robust password policies, another layer of security can be added through conditional access like compliant devices using Microsoft Intune. This ensures that only trusted users from compliant devices have access to your business data. By setting up policies in Intune, you can control access to your organization’s resources based on conditions you specify. These conditions could include user risk, device compliance, or the network location from which access is being attempted. This adds an extra layer of security, ensuring that your organization’s data is accessed securely and responsibly.