Tips for Your Vendor Security: Building the Right Password Policy
Organizations still rely on passwords to ensure security, and so having secure passwords has never been more important. That’s why this subject is worth revisiting in honor of National Cybersecurity Awareness Month (NCSAM).
The issue of passwords is exacerbated even more when considering the supply chain. After all, when your vendor credentials get breached – that becomes your problem. The massive data breach at Target started as network credentials that were stolen from a refrigeration, heating and air conditioning subcontractor. Bottom line? Target was breached due to compromised credentials at a supplier.
Here are top tips for building a password security policy. Feel free to share these with your third parties:
1. Instruct your employees not to use personal information.
Everything including their primary school, address, birthday, company name and hometown should be off limits. All this information could be publicly available, and they may even have many of these details on social media profiles. In fact, any word that is found in the dictionary should not be used as a password.
2. Strive for longer and more complex passwords.
Cracking a common password like “qwerty,” “password,” or “abc123” can be accomplished in less than one second. Compare that to a 16-character password that uses a combination of random capital and lowercase letters, numbers and symbols, which would take centuries to crack.
3. Prevent password reuse across company platforms.
Employees should not use the same password across multiple sites. If a hacker breaches one account, then all the other accounts that use that password could be compromised as well.
4. Ensure passwords are changed on a regular basis.
Using the same password for a long period of time increases the risk. It is a best practice to change passwords at least every 90 days and not to repeat prior passwords.
5. Add two-factor authentication.
2FA requires users to provide a secondary authentication, such as a security token or a biometric factor, as well as a password. This adds an additional layer of security, reducing the risk of hackers accessing sensitive data. However, according to Yubico 2019 State of Password and Authentication Security Behaviors Report, 67% of consumers don’t use 2FA and only 55% of respondents use 2FA at work.
6. Create additional safeguards
Make sure to add a mechanism that will lock the user in case of multiple password attempts. At the same time, there should be a mechanism to avoid denial-of-service attacks, where an attacker will attempt to lock out everyone in the company.
7. Recommend using a password manager.
As the number of passwords increases, the only realistic way to keep track of all passwords is with a password manager.
Companies can check if any of their employee credentials have been compromised in a breach through sites like Have I Been Pwned or https://authlogics.com/. If credentials have been compromised, then change them immediately on any sites they are used on.
Good password security is the first step in securing and protecting both enterprise and vendor data from hackers.
This is the second in a series in honor of National Cybersecurity Awareness Month (NCSAM) and is dedicated to helping organizations guide suppliers with their cybersecurity. Check out our previous article about supplier phishing attacks prevention here.