Due to its simplicity and low cost, the password remains the identification technique most used by companies, especially the smallest ones. However, if it is not administered with rigor, this system offers a low level of security. According to a Verizon study, 81% of the global data breach notifications recorded in 2021 were related to password issues. This is a good opportunity to recall a few principles for creating and managing strong passwords within the company.
Design complex passwords
For the National Information Systems Security Agency (Anssi), a good password must be composed of 10 to 12 characters of different types (letters, numbers, special characters, upper and lower case). Of course, to be impossible to guess, the string of characters thus formed must have no connection with the private life of its user (date of birth, children's names, etc.) and must not appear in a dictionary (in other words, it must not make sense).
To create such a password and still be able to remember it, Anssi recommends two methods. The phonetic method: “I bought 5 CDs for one hundred euros this afternoon” becomes ght5CDs%€7am. The first-letters method: “The 12 bastards and César and Rosalie are my two favorite films” becomes L12seCeRsmdfp. (Both mnemonics are built from the original French sentences, which is why their letters do not line up with the English wording.)
On its website, the Cnil offers a password generator based on the first-letters technique.
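As an added illustration (not code from the article, Anssi or the Cnil), the following Python sketch applies the first-letters method to a sentence and then checks the result against the rules stated above; the dictionary and the personal-information list are constructed stand-ins.

```python
import re
import unicodedata

# Constructed stand-in for a real dictionary word list (assumption, not the
# Cnil's or Anssi's list); a production check would load a full one.
DICTIONARY = {"password", "motdepasse", "azerty", "qwerty", "soleil", "welcome"}


def first_letters(sentence):
    """First-letters method from the article: numbers are kept whole, every
    other word contributes its first character, case is preserved."""
    return "".join(
        token if token.isdigit() else token[0]
        for token in re.findall(r"\w+", sentence)  # accented words count as words
    )


def _fold(text):
    """Lower-case and strip accents so 'César' also matches 'cesar'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def check_password(candidate, personal_info=()):
    """Return the article's rules the candidate breaks (empty list = passes):
    at least 10 characters (assumed minimum of the 10-12 range), at least
    three character types, no dictionary word, nothing from private life."""
    problems = []
    if len(candidate) < 10:
        problems.append("shorter than 10 characters")
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    if sum(classes) < 3:
        problems.append("fewer than three character types")
    folded = _fold(candidate)
    if any(word in folded for word in DICTIONARY):
        problems.append("contains a dictionary word")
    for item in personal_info:  # birth years, children's names, etc.
        if len(item) >= 4 and _fold(item) in folded:
            problems.append(f"contains personal information: {item!r}")
    return problems


if __name__ == "__main__":
    pw = first_letters("Les 12 salopards et César et Rosalie sont mes deux films préférés")
    print(pw, check_password(pw, personal_info=["Rosalie", "1985"]))  # L12seCeRsmdfp []
```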
Do not use a single password everywhere
Even if it is practical and simpler, it is dangerous to use the same password for several accounts. If it were discovered, every application it opens would be compromised at once. At a minimum, Anssi recommends choosing a specific password for at least the most sensitive services (professional messaging, access to company networks, online banking services, etc.). As for the password-saving features built into Internet browsers in particular, the agency advises against their use, which it still considers insufficiently secure. Of course, the famous “Post-it” sticky note stuck on the desk or the corner of the computer screen is to be avoided.
Change password regularly
No matter how strong, a password is never unbreakable. It should therefore be changed regularly, so that a hacker who has discovered it without anyone noticing cannot keep accessing the company's network or some of its applications. A compromise must be found here between user comfort and the company's security needs. Depending on the sensitivity of the access, the validity period of a password may thus vary from 3 months to 1 year.
Establish common rules
Password management should not rest solely on employees, but should be part of a global security policy. Thus, the rules for choosing passwords (password length, types of characters that may be used to compose it, etc.) as well as their lifespan must be the same for everyone. To be accepted and followed, rather than seen as useless and time-consuming constraints, these rules must be introduced together with a training and communication plan. The idea here is to let everyone understand what is at stake in computer security in terms of risk. This phase is essential if security is to become a true culture shared by all employees. Ideally, information meetings could be organized to make all employees aware of the importance of protecting company data, but also to share everyone's experiences and thus develop solutions that are both effective and consensual.
The security of computer systems must be administered centrally like all other high-stakes subjects in the company. The people in charge of it, in addition to defining the rules for creating and managing passwords, will also have to ensure that they are applied (implementation of automatic systems requiring passwords to be changed after a certain period of time, verification of confidentiality of passwords, deactivation of passwords for former employees, etc.).
Rely on password managers
A password manager is software that administers a secure database. Its main mission is to store your identifiers and all the associated passwords and to let you log in automatically to each of the secure sites you use. These programs can be installed locally on a computer, a smartphone or a tablet, but also hosted online (cloud), which has the advantage of allowing access from any machine.
Using them allows you to have only one password to remember: the one that allows access to the password manager.
These tools can be integrated into the company's password management policy. In that case, however, it is up to the people in charge of this matter to select the tool the company will use under a global subscription; otherwise each employee risks making their own choice.
The best known tools are Dashlane, LastPass, Passky, LockPass or KeePass.