It’s not difficult for anyone to grasp why it’s so important to protect our most valuable information. This goes for personal information as well as company data.

One basic step for protecting your data is to have a robust password procedure.

So why is it that the majority of businesses (and individuals) are so lax about password practices?

Password worst practice

Perhaps it’s not clear just what poor password practices are. These are the worst types of password practice that we’ve come across in businesses:

  • Reusing the same password over and over again
  • Using simple passwords such as ‘password’ or ‘123456’
  • Sharing passwords amongst colleagues
  • Writing passwords on a piece of paper and leaving it in view on the desk
  • Sharing passwords with non-colleagues

Password Policy

Including a Password Policy in the employee handbook sets out the rules and demonstrates password best practice to employees. It also highlights the importance of IT security and their responsibility for it.

Your password policy should include the following:

Complex passwords – Employees should create passwords that are at least eight characters long, include a combination of upper and lower case letters, numbers and punctuation marks or special characters.

Unique passwords – Employees should choose passwords that are unique and only make sense to them. Common words, phrases or names should not be used, nor should passwords that would be easy to ‘crack’, such as p4ssw0rd! The passwords created must be different from passwords that might be created for their own personal use.

Change passwords regularly – Employees should change passwords on a regular basis. The frequency is to be determined by the sensitivity of the information being accessed.

Password security – If it’s suspected that an unauthorised person has logged in or gained access to a computer or account, the password should be changed immediately.

Change default passwords – Any passwords that are created by the IT department for a new starter should be changed by the employee as soon as possible.

Password protection – Passwords should not be shared between employees or with anyone outside of the company. Passwords should not be written down and left on the desk or stuck to the computer.

Password scams – Be aware of phishing scams and attempts by criminals to obtain sensitive information.

How can businesses help employees to protect their data?

Password policies can be implemented on domain networks and managed centrally at the server or, for those without servers, on each workstation. These policies can control various settings, such as how often a password must be changed, whether passwords must comply with complexity rules, and the account lockout period applied when an incorrect password is entered a certain number of times. This will prevent unauthorised access to your workstation and protect your company data and other network resources.
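The ‘Complex passwords’ and ‘Unique passwords’ rules above can be checked automatically. The following is an added example, not code from the original article: it assumes all four character types are required, and the word list, the substitution table and the function names are constructed for illustration. It shows why a complexity check alone is not enough to catch a password like p4ssw0rd!

```python
import string

# Constructed sample deny-list (assumption); a real deployment would load a
# much larger list of common and breached passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}

# Common character substitutions undone before the deny-list check.
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "5": "s", "$": "s", "7": "t"})


def normalise(password):
    """Lower-case, trim digits/punctuation from both ends, undo substitutions."""
    trimmed = password.lower().strip(string.digits + string.punctuation)
    return trimmed.translate(LEET)


def policy_violations(password):
    """Return the list of policy rules the password breaks (empty = compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "upper case letter": string.ascii_uppercase,
        "lower case letter": string.ascii_lowercase,
        "number": string.digits,
        "punctuation mark or special character": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append("no " + name)
    # Check both the raw and the normalised form, so that "123456" and
    # disguised words such as "P4ssw0rd!" are both caught.
    forms = (password.lower(), normalise(password))
    if any(word in form for word in COMMON_WORDS for form in forms):
        problems.append("based on a common word")
    return problems


if __name__ == "__main__":
    for candidate in ("p4ssw0rd!", "P4ssw0rd!", "123456", "Vx7#qLm2&tRz"):
        print(candidate, "->", policy_violations(candidate) or "OK")
```

P4ssw0rd! satisfies every complexity rule and is rejected only by the common-word check, which is the check that built-in complexity settings typically do not perform.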

There are a number of password management software packages that can be installed to make it easier for your staff to manage their passwords and comply with the password policy.

Training on cyber security helps employees understand the important role that passwords play in the protection of data. Demonstrating how accounts have been hacked and the implications to businesses and individuals will drive the message home.

Explain how phishing scams work and make your employees aware of the types of questions to look out for should they speak to an unscrupulous person on the phone who is trying to draw classified information from them.

If you would like us to review your password procedures or wider security of your network, which includes anti-virus software, please call us on 01737 824003 or email