May 1 is World Password Day, a day for organizations to remind their employees of the importance of using strong passwords and practicing good password hygiene to protect personal and work accounts. It's a time for organizations to focus their information security training and awareness program on educating employees on how to increase the security of their accounts in two steps—creating long, unique passwords and enabling multifactor authentication.
Step 1: Train employees to use long, unique passwords for all accounts. Teach employees to use long passphrases: at least five words containing at least 15 characters. Passphrases are easier to memorize—and type—than a long string of random characters. Help employees understand that reusing passwords is risky—if criminals figure out an employee's password for one account, they could use it to try to access the employee's other accounts.
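The passphrase rule in Step 1 (at least five words, at least 15 characters) and the warning about password reuse can both be turned into simple checks that an awareness team or help desk can demonstrate. The Python below is an added example, not code from the original article; the wordlist and the sample vault are constructed for illustration (a real generator would draw from a large published wordlist).

```python
import secrets

# Constructed sample wordlist (an assumption for this example). A real
# generator should use a large, published list such as a diceware list.
WORDLIST = ["copper", "violet", "harbor", "puzzle", "meadow", "lantern",
            "orbit", "timber", "cactus", "glacier", "saddle", "ember"]

MIN_WORDS = 5    # the article's rule: at least five words
MIN_CHARS = 15   # the article's rule: at least 15 characters


def meets_policy(passphrase, sep=" "):
    """True if the passphrase has at least MIN_WORDS words and MIN_CHARS chars."""
    words = [w for w in passphrase.split(sep) if w]
    return len(words) >= MIN_WORDS and len(passphrase) >= MIN_CHARS


def generate_passphrase(wordlist=WORDLIST, n_words=MIN_WORDS, sep=" "):
    """Draw words with the CSPRNG in `secrets` (never `random`) and keep
    adding words until both the word-count and length rules hold."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    phrase = sep.join(words)
    while not meets_policy(phrase, sep):
        words.append(secrets.choice(wordlist))
        phrase = sep.join(words)
    return phrase


def find_reused(vault):
    """Given {account_name: password}, return groups of accounts that share
    a password, so reuse can be flagged before a credential leak spreads."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)


if __name__ == "__main__":
    # Constructed sample vault: two accounts share the same password.
    sample_vault = {"mail": "copper violet harbor puzzle meadow",
                    "bank": "copper violet harbor puzzle meadow",
                    "work": generate_passphrase()}
    print("new passphrase:", sample_vault["work"])
    print("reused across:", find_reused(sample_vault))
```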
Step 2: Educate employees to enable multifactor authentication (MFA). MFA requires a user to provide two or more methods of identification in order to validate their identity at login. Encourage employees to follow organizational best practice by enabling MFA to protect all their accounts—both personal and work-related—and prevent takeover attempts, and explain that cyber criminals can intercept MFA codes delivered by phone call or text message. Encourage employees to use an authenticator app, which is linked to the mobile device rather than the mobile account. This ensures that if criminals take over the mobile account, app-based prompts will continue to be routed to the original device.
- Instruct employees to be cautious of unexpected MFA prompts. An unexpected MFA prompt could indicate that a criminal is trying to sign in to an account using a stolen password. By denying the request, the employee stops the attempt from progressing. Train employees to reject unexpected prompts, change the account password, and immediately report the attempt.
It's also important for organizations to train their employees to implement additional security steps to further protect their accounts:
- Use a password manager to manage passwords. Password managers generate and save long, unique passwords, removing the need to remember them and lowering the possibility of password reuse. Having a dedicated organizational subscription to a password manager enables employees to securely share passwords with colleagues; employees can store passwords for personal accounts in a separate password manager.
- Be cautious of sharing personal information online. Sharing too much could allow a hacker to socially engineer an employee by guessing passwords or sending targeted phishing emails. Help employees understand the risks of online exposure; the more they post about themselves, the easier it is for hackers to target their personal and work accounts.
- Refrain from using truthful answers for security questions. Security questions are often used to verify an account owner's identity and allow account updates and changes. Answers to many security questions can be found online, which criminals can exploit to access accounts. It's better to use random information instead of genuine answers, so that criminals cannot supply the real answers to sign in to accounts or change passwords—locking the employee out of their accounts. The random answers can be stored in the notes section of a password manager.
World Password Day is a reminder for organizations to help employees implement two simple but important steps—using long, unique passwords and enabling multifactor authentication—that, together with good password hygiene, will help keep their work and personal accounts more secure.