Why Strong Password Policies Matter

I see many small and medium businesses forcing employees to regularly change passwords, believing it improves security. In reality, it often leads to weaker password habits, like using predictable patterns or writing passwords down. Instead, following the latest guidance from the UK’s National Cyber Security Centre (NCSC) can enhance security without unnecessary complexity.

How to Protect Against Password Attacks

To prevent brute-force password guessing, businesses should implement at least one of the following security measures:

  • Multi-Factor Authentication (MFA): Adding an extra verification step beyond just a password significantly reduces the risk of unauthorised access.

  • Throttling login attempts: Limit how quickly failed login attempts can be made. A good rule is to allow no more than 10 failed attempts within 5 minutes before introducing increasing wait times.

  • Account Lockouts: Automatically lock accounts after 10 failed login attempts, requiring verification before unlocking.
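The throttling rule above, written out as an added example in Python (not code from the post or from Telanova): a per-account sliding window that allows 10 failures in 5 minutes and then imposes a wait. The 10-in-5-minutes threshold is the post's; the 30 second starting penalty that doubles on each further failure, and every name in the code, are this example's assumptions.

```python
from collections import defaultdict, deque

# Policy values from the post: at most 10 failed attempts within 5 minutes, then
# increasing wait times. The 30 s penalty that doubles per further failure is assumed.
MAX_FAILURES = 10
WINDOW_SECONDS = 5 * 60
BASE_DELAY_SECONDS = 30


class LoginThrottle:
    def __init__(self, clock):
        self._clock = clock                   # returns seconds; injected so tests control time
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._blocked_until = {}              # account -> earliest time a retry is allowed
        self._penalties = defaultdict(int)    # account -> escalation steps applied so far

    def seconds_to_wait(self, account):       # 0 means the attempt may be processed now
        return max(0.0, self._blocked_until.get(account, 0.0) - self._clock())

    def record_failure(self, account):        # returns the wait this failure imposes
        now = self._clock()
        window = self._failures[account]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # forget failures older than the window
        window.append(now)
        if len(window) <= MAX_FAILURES:
            return 0
        delay = BASE_DELAY_SECONDS * 2 ** self._penalties[account]
        self._penalties[account] += 1
        self._blocked_until[account] = now + delay
        return delay

    def record_success(self, account):        # a genuine login clears the history
        for table in (self._failures, self._blocked_until, self._penalties):
            table.pop(account, None)


def simulate(failures, jump_after=None):
    # Feed one account `failures` failed logins one second apart on a fake clock and
    # return the delay imposed by each. If jump_after is set, advance the clock past
    # the window after that many failures so the stale history expires.
    clock = [0.0]
    throttle = LoginThrottle(lambda: clock[0])
    delays = []
    for i in range(failures):
        if i == jump_after:
            clock[0] += WINDOW_SECONDS + 1
        delays.append(throttle.record_failure("alice"))
        clock[0] += 1.0
    return delays
```

A login handler would call `seconds_to_wait` before checking credentials and reject the attempt outright while it is non-zero, so that the expensive password check and the failure counter are never reached during a penalty period.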

Recommended Password Quality Standards

Businesses should enforce strong password creation policies by choosing one of the following:

  • Require a minimum password length of 8 characters if multi-factor authentication is enabled.

  • Require a minimum password length of 12 characters, without imposing a maximum length.

  • Require a minimum password length of 8 characters with no maximum length, while also blocking commonly used passwords via a deny list.

How to Help Employees Create Secure Passwords

To prevent employees from using weak or guessable passwords, businesses should take the following steps:

  • Educate staff on avoiding common passwords (e.g., pet names, birthdates, common phrases).

  • Encourage passphrases using at least three random words (e.g., "CoffeeTreeLaptop").

  • Provide password managers so employees don’t need to remember complex passwords.

  • Avoid enforcing password complexity rules that require special characters (e.g., "P@ssw0rd!"), as this often results in predictable patterns.

  • Do not require regular password changes, except when there is a known security breach.

Handling Compromised Passwords

If a password is suspected to be compromised, employees should change it immediately. Businesses should have a clear incident response plan in place to manage compromised accounts.

Frequently Asked Questions (FAQs)

Q: Why is regular password expiration a bad practice?

A: Regular forced password changes often lead to employees using weak, predictable variations (e.g., "Password1" → "Password2"). Instead, focus on long, strong passwords and use multi-factor authentication for added security.

Q: How can I check if my business passwords have been leaked?

A: I recommend using tools like Have I Been Pwned to check if your company’s email accounts have appeared in known data breaches. If found, reset the compromised passwords immediately.

Q: Should businesses enforce complex passwords with symbols and numbers?

A: Not necessarily. Complexity requirements often result in employees creating predictable passwords (e.g., "P@ssw0rd1!"). Instead, longer passphrases (e.g., "BlueBananaWindow") are easier to remember and more secure.

Q: Is it safe to use a password manager?

A: Absolutely! Password managers encrypt stored passwords and help users create unique, strong passwords for every account. This eliminates the need to memorise or reuse passwords.

Q: What’s the best way to protect business accounts?

A: I always recommend combining long, unique passwords, multi-factor authentication, and password managers. Also, ensure your team is trained on phishing awareness to prevent credentials from being stolen.

Protect Your Business with Secure Password Practices

Cyber threats continue to evolve, and weak passwords remain a major risk. At Telanova, we help businesses in Berkshire, Ascot, Bracknell, and Wokingham implement the latest password security best practices, ensuring compliance with the UK's NCSC guidance. Strengthen your security, reduce cyber risks, and protect your data today! Call us on 01344 567 990.