
Password guidelines for SMEs

Computer system and network security depend crucially on handling passwords correctly. The implementation of password guidelines, or a password policy, regulates the creation, safekeeping and usage of passwords in an organisation.

The most important points to remember:

  • Draw up a list of all password-protected system and application access options in your organisation.
  • Establish a password policy for all system and application access options identified, stating your requirements for the creation, safekeeping and usage of all passwords.
  • Undertake periodic checks for strict adherence to your password policy.
  • Sensitise all your employees to the dangers posed by improper password use.

Why is a password policy necessary?

The combination of a user name and a password is still the most widely used method of authentication and authorisation in any digital operating environment. It serves to confirm a user's identity and to enforce access control when connecting to networks, logging into computer systems or using third-party services and applications. User names and passwords therefore play a central role in cyber security.

It is not surprising, then, that cyber-criminals do their utmost to obtain this much sought-after information by means of hacking, phishing or social engineering, and then take on the digital identity of their victim.

Users, however, are so familiar with passwords that they are frequently not sufficiently aware of the risks involved. In an organisational environment in particular, a clear password policy that gives users unambiguous instructions and protects them from mistakes is therefore vital.

What is a password policy, and how do you create an effective one?

A password policy is a set of rules drawn up to increase cyber security by requiring employees to create strong passwords, to store them safely and to use them properly. A password policy is part of the official rules of an organisation and should be part of any security awareness training programme.

It should be customised to the needs (of the complete system environment) and requirements (at the security level) of the organisation, so as to achieve optimum effectiveness with reasonable effort. A first step should therefore consist of drawing up a list of all password-protected systems and application access options in the organisation and assessing the protection level each one requires. All access options identified in this way then have to be considered when drawing up the rules of the password policy.

To keep up with the ever-changing threat situation, the password policy should be checked periodically for continued relevance and effectiveness.

Which are the most important aspects of a password policy?

A password policy comprehensively regulates how passwords are handled inside an organisation. It provides users with specific instructions and covers the following:

1. Use of passwords

As mentioned above, knowing a password is often already sufficient to completely take over someone's digital identity. You should therefore take all measures necessary to prevent any fraudulent use of this information.

Passwords are strictly private and must be treated confidentially. Points to be particularly aware of:

  1. Passwords must neither be passed on nor shared, nor stored in a place accessible to others.
  2. Passwords must only ever be stored as salted, deliberately slow hashes (for example bcrypt, scrypt, Argon2 or PBKDF2), never in plaintext or in reversibly encrypted form, and must only be transmitted over encrypted connections (for example TLS).
  3. When entering passwords, make sure the process cannot be observed by third parties.

A password policy establishes guidelines on the use of passwords by way of a directive.

2. Password strength

The strength of a password is a measure of how difficult it is for an attacker who does not know it to discover it by guessing or by systematic trial and error. The longer and less predictable a password is, the stronger and hence more secure it is. Length counts for more than a forced mix of character classes, and any password that already appears in a published breach list is weak regardless of its length.

A good password policy emphasises the creation of strong passwords by requiring users to make their passwords longer and less predictable (see our instructions on "Secure passwords").

In addition, the creation of strong passwords should be supported by technical tools such as password managers, and their use should be stipulated in the password policy.

3. Password expiry

Passwords are easily passed around, and over time this means they can end up in the wrong hands. Employees sometimes pass on passwords to third parties without thinking, or note them down in unprotected places. User passwords can also be disclosed unintentionally as a result of data breaches. Leaked data can never be recalled.

In all such cases, changing the password is the only effective measure to restore security, since it renders the leaked information useless. The change should happen promptly, and every other account on which the same password was used must be changed as well.

The renewal and administration of passwords should be supported by technical tools, such as a password manager.

4. Password history

Users tend to reduce the number of passwords they have to remember, for instance by reusing passwords they have used in the past. Cyber criminals exploit this behaviour by routinely trying lists of previously leaked passwords in their attacks. To make this impossible, users should be prevented from reactivating old passwords.

A password policy will ensure that systems keep track of a user's password history and check for reuse of old passwords when these are changed. The history itself must be stored as salted hashes rather than plaintext, otherwise it becomes a valuable target in its own right.
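The following Python is an added example, not code from this page or its publisher, showing how the rules of sections 1 (hashed storage), 2 (strength) and 4 (history) fit together in one enforcement routine. The minimum length of 12, the history depth of 5 and the small breach list are assumed policy values for the example, not figures taken from the guideline; a real deployment would check candidates against a full leaked-password corpus.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Policy parameters: assumed values for this example, not figures from the guideline.
MIN_LENGTH = 12
HISTORY_DEPTH = 5          # number of previous passwords that may not be reused

# Constructed stand-in for a breach corpus (a real deployment would check a
# full leaked-password list, e.g. a downloaded set or a k-anonymity lookup).
BREACHED = {"password", "123456", "qwerty", "welcome1", "summer2023"}


def check_strength(password: str, username: str) -> list[str]:
    """Return the policy violations for a candidate; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in breach list")
    if username.lower() in password.lower():
        problems.append("contains the user name")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    if re.search(r"(?i)(0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf)", password):
        problems.append("contains a keyboard or number sequence")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt hash; the salt makes equal passwords produce different digests."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes = b""
    digest: bytes = b""
    # Previous (salt, digest) pairs, oldest first. Only hashes are kept, never plaintext.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def verify(account: Account, password: str) -> bool:
    """Constant-time comparison of the candidate against the current hash."""
    return hmac.compare_digest(hash_password(password, account.salt)[1], account.digest)


def reused(account: Account, password: str) -> bool:
    """Each old password kept its own salt, so the candidate is rehashed per entry."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in account.history)


def set_password(account: Account, new_password: str) -> list[str]:
    """Apply the strength and history rules; on success rotate the hash and return []."""
    problems = check_strength(new_password, account.username)
    if account.digest and verify(account, new_password):
        problems.append("same as current password")
    elif reused(account, new_password):
        problems.append(f"used within the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    if account.digest:
        account.history.append((account.salt, account.digest))
        account.history = account.history[-HISTORY_DEPTH:]
    account.salt, account.digest = hash_password(new_password)
    return []


if __name__ == "__main__":
    acct = Account("alice")
    print(set_password(acct, "password"))                   # rejected: short and breached
    print(set_password(acct, "correct-horse-battery-1"))    # [] accepted
    print(set_password(acct, "another-long-passphrase-2"))  # [] accepted
    print(set_password(acct, "correct-horse-battery-1"))    # rejected: in history
```

Because every old entry keeps its own salt, checking for reuse costs one slow hash per history entry; that is the price of never storing the old passwords themselves, and with a depth of five it is negligible compared with the cost of the change itself.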

5. Password changes

Users should be able to change their passwords at any time and by themselves. However, you will need to ensure that such password changes are initiated exclusively by the legitimate owners and not by attackers.

A password policy establishes the technical and organisational framework for secure password changes. Requiring the current password and a second factor (two-factor authentication) before a change is accepted, for instance, makes the process considerably more secure.
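As an added example that is not from this page, the following Python shows a password-change routine gated on both the current password and a second factor, here an RFC 6238 TOTP code as produced by common authenticator apps, with a replay guard so a code can only be consumed once. The account class, the PBKDF2 parameters and the one-step clock-drift window are assumptions for the example; the secret in the demo is the RFC 6238 test key.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30      # RFC 6238 default time step in seconds
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # accept one step either side of "now" to absorb clock drift
PBKDF2_ROUNDS = 600_000   # assumed work factor for the example


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, now: float | None = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    t = time.time() if now is None else now
    return hotp(secret, int(t) // TOTP_STEP)


def totp_match(secret: bytes, code: str, now: float) -> int | None:
    """Return the time step whose code matches, or None. Comparison is constant-time."""
    step = int(now) // TOTP_STEP
    for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        if hmac.compare_digest(hotp(secret, step + delta).encode(), code.encode()):
            return step + delta
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, password: str, totp_secret: bytes) -> None:
        self.username = username
        self.totp_secret = totp_secret      # shared with the user's authenticator app
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.last_totp_step = -1            # highest step already consumed (replay guard)


def verify_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, account.salt), account.digest)


def change_password(account: Account, current_password: str, totp_code: str,
                    new_password: str, now: float | None = None) -> bool:
    """Accept a change only with the current password AND a fresh second-factor code."""
    t = time.time() if now is None else now
    # 1. Knowledge factor: the caller must prove they know the current password.
    #    A failed attempt here does not consume the TOTP code.
    if not verify_password(account, current_password):
        return False
    # 2. Possession factor: a valid TOTP code that has not been used before.
    step = totp_match(account.totp_secret, totp_code, t)
    if step is None or step <= account.last_totp_step:
        return False
    account.last_totp_step = step
    # 3. Rotate the hash with a fresh salt. A real implementation also runs the
    #    strength and history rules of sections 2 and 4 on new_password before this point.
    account.salt = os.urandom(16)
    account.digest = hash_password(new_password, account.salt)
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 6238 test key
    acct = Account("bob", "initial-passphrase-9", secret)
    print(change_password(acct, "initial-passphrase-9", "12345", "new-passphrase-42", now=59))
    print(change_password(acct, "initial-passphrase-9", totp(secret, 59), "new-passphrase-42", now=59))
    print(change_password(acct, "new-passphrase-42", totp(secret, 59), "third-passphrase-77", now=70))
```

The order of the checks matters: the password is verified first so that a guessed TOTP code is never consumed on behalf of an attacker who does not know the password, and the accepted time step is recorded so that the same code cannot be replayed within its validity window.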

Passwords are still the most widely used security component of access protection in a digital environment, and cyber-criminals do their utmost to obtain them by means of hacking, phishing or social engineering.

Password guidelines (or a "password policy") ensure clarity and certainty when handling passwords.
