
Authentication Best Practice


We've all been there: trying to access a site we've signed up for before, and not being able to remember the password. It leads to going through the authentication steps to recover your account, or just not being able to gain access. This article covers some of the best practices for creating and remembering a strong password, things not to do, and some advice which goes beyond just setting a good password.

To start with, why do we need to follow good password practices? Well, this has a simple one-word answer: security. There is a good reason businesses try to stay up-to-date with the latest security technology, and it's to keep their information safe, whether it's the latest anti-virus/firewall software to try and prevent access, or developing a solid password management system.

What are the most common practices of poor password management?


  • Creating easy to guess passwords
  • Writing down all your passwords on paper or in a word document
  • Sharing your password with colleagues
  • Using the same password for everything

What can we do to tackle these common issues?

Create and design a password policy

From a business perspective, this can usually be done at the server level. You can apply a set of rules that each user must follow when setting a new password. This is usually something along the lines of, "The password has to have at least 8 characters, with a mix of lower and upper case characters, and it must contain a mixture of letters, numbers and symbols." This will help rule out commonly used passwords such as the word "password".
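A check for the rules quoted above, as an added example (not code from the original article): it reports which rules a candidate password fails. The function name and the small deny-list of common passwords are assumptions made for illustration; the deny-list catches passwords that satisfy the character rules but are still widely used.

```python
import string

# Constructed sample deny-list; a real deployment would load a far larger one.
COMMON_PASSWORDS = {"password", "password1!", "qwerty123!", "welcome1!"}


def policy_failures(candidate: str, min_length: int = 8) -> list:
    """Return the names of the policy rules that `candidate` fails.

    An empty list means the password satisfies the policy quoted above
    (length, lower and upper case, numbers, symbols) and is not on the
    deny-list.
    """
    failures = []
    if len(candidate) < min_length:
        failures.append("length")
    if not any(c.islower() for c in candidate):
        failures.append("lowercase")
    if not any(c.isupper() for c in candidate):
        failures.append("uppercase")
    if not any(c.isdigit() for c in candidate):
        failures.append("digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("symbol")
    # Compare case-insensitively so "PASSWORD1!" is caught as well.
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("common")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("password", "Password1!", "Ab1!", "Tr4il-mix!Lamp"):
        print(f"{sample!r}: {policy_failures(sample) or 'accepted'}")
```

Note that "Password1!" meets every character rule and is rejected only by the deny-list.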

Get a Password Manager

In my opinion, the most frustrating example of poor password management is writing down all your passwords on a notepad or in a Word document. I get it, these days we access dozens of sites which require a secure password, each with their own restrictions, with most requiring a mixture of letters, numbers and symbols, and a set character length. There are better ways to track your passwords though, and the one I'm recommending is to use a password manager, such as Keeper (link below). This is software which stores your credentials online, and usually comes with a browser add-on which allows you to easily save new passwords there as you go, and also to populate passwords directly from the manager. A password manager will usually be secured with one password which you'll have, and will use 2-step Authentication, which basically means you have to verify any attempt from a new device with a code from your phone.

Sharing your password with others

Business moves fast, and can't wait whilst people take annual leave. Their e-mails will need to be covered, and documents stored on their system will need to be shared. I understand this issue, but sharing your password with someone to access your computer is not the best answer. In your absence they would be working with your login details, replying to your e-mails, essentially acting as you, and their mistakes become your mistakes. Additionally, if it's a password that you use for anything else, they in theory now have access to that. Even if you trust the person, a better solution is simply to set up mail forwarding rules to the person covering, and to share any files that'll need to be updated before you go. In an emergency where they need access, the administrator of the system will usually have a way to get on and retrieve the files they need, and at least that way the action is logged.

2 Step Authentication

Most systems will allow something called 2 Step Authentication, which as mentioned above, means you have to verify any attempt to access your account from a new device (or after a certain amount of time) using a code from your phone. This is quite common with e-mail accounts; we always enforce this when setting up Google accounts for our customers. This is the final step which ensures that, even if someone has retrieved your username and password for said site, you will get a notification on your phone when they try to gain access. If you don't allow it, then they won't get in.

Don't use the same password for everything!

Finally, just don't use the same password for everything, even if it is a really complicated sequence of letters and numbers. The risk behind this is that if someone obtains the one password along with your e-mail address, they can now access everything. The best way to tackle this, as above, is to sign up to a good password management service. If this does not appeal to you, then browsers are good at storing passwords these days, the downside being that if you need to swap machines down the line it's not always easy to transfer them across, although some attempts at portability have been made (notably with Chrome).

What can we do for you?

Having been in the IT field for over 10 years, we have encountered many examples of both good and bad password management. If you want us to review your systems from a password/security perspective and enforce good practice then we can do that. Similarly if you'd just like advice on potential improvements, then we can do that too.

Want to know more? Get in touch via the "Write to Author" button at the top of this page.

Resources

Recommended password management tool
https://keepersecurity.com/



