
Require Strong Passwords


ElevateIT Admin

December 11, 2024

Publication by Cybersecurity & Infrastructure Security Agency

Strong Passwords Mean Safer Business Accounts

Small to medium businesses are a regular target for malicious hackers, and a common entry point for digital thieves is stolen or weak passwords.

But the good news is, you can keep your business safe by requiring employees to use strong passwords and password managers.   

Set the example by using long, random and unique passwords on all your personal and business accounts—and use a password manager to remember them! Then work with your IT staff or provider to require employees to use strong passwords to access your systems. This will keep your data safe and protected. 

Encourage your customers and vendors to also take steps to protect their online accounts, especially when they do business with your organization. 

Encourage Strong Passwords in the Workplace

Create a safer workplace by establishing smart employee password practices.

1. Require strong, unique passwords

Keep your networks secure by enforcing strong password policies. Strong passwords are:

  • Long—at least 16 characters long (even longer is better).
  • Random—like a string of mixed-case letters, numbers and symbols (the strongest!) or a passphrase of 4–7 random words.
  • Unique—used for one and only one account.

Speak with your IT department or security manager to require strong passwords. Often, you can create settings that require user passwords to meet certain standards and criteria (such as length). Given the current threat environment, review the policies around customer password strength, and consider increasing those requirements to help them protect themselves. 
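As an added illustration (not part of the CISA publication), the Python sketch below generates a password and a passphrase that meet the three criteria above and checks a candidate against the length and uniqueness rules. The function names, the 16-word sample list and the `vault` set are assumptions made up for this example; the entropy figures show why a passphrase needs a large word list.

```python
import math
import secrets
import string

MIN_LENGTH = 16  # the article's minimum length for a strong password
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed 16-word sample list so the block runs offline (assumption: a real
# generator draws from a list of thousands of words).
SAMPLE_WORDS = ["anchor", "breeze", "candle", "dragon", "empire", "forest",
                "garden", "harbor", "island", "jungle", "kettle", "lagoon",
                "marble", "nickel", "orchid", "pillow"]

def random_password(length=MIN_LENGTH):
    """Mixed-case letters, digits and symbols drawn from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_passphrase(count=5, words=SAMPLE_WORDS, sep="-"):
    """Passphrase of 4-7 independently chosen random words."""
    if not 4 <= count <= 7:
        raise ValueError("count must be between 4 and 7")
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(pool_size, picks):
    """Entropy in bits of `picks` independent draws from `pool_size` options."""
    return picks * math.log2(pool_size)

def policy_violations(candidate, passwords_in_use):
    """Criteria from the list above that `candidate` fails (empty list = pass).
    Randomness cannot be verified after the fact, which is why the generators
    above, not people, should choose the characters or words."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate in passwords_in_use:
        problems.append("reused")
    return problems

if __name__ == "__main__":
    vault = {"Summer2024!"}  # constructed: passwords already stored for other accounts
    for pw in (random_password(), random_passphrase(), "Summer2024!"):
        print(repr(pw), policy_violations(pw, vault) or "ok")
    print("16 random symbols:", round(entropy_bits(len(ALPHABET), 16)), "bits")
    print("5 words, 16-word list:", round(entropy_bits(len(SAMPLE_WORDS), 5)), "bits")
    print("5 words, 7776-word list:", round(entropy_bits(7776, 5)), "bits")
```
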

2. Provide an enterprise-level password manager for your employees

An enterprise password manager can be a good step to increase security for a smaller company. A good password manager creates, stores and fills in passwords automatically so you only have to remember one strong password—for the password manager itself.  

Providing a company password manager will make it easier for your employees to use strong passwords and protect themselves, your business and your customers.

As you grow, you will probably want to move to an identity and access manager (IAM) with single sign-on (SSO), an identification method that enables users to log in to multiple applications and websites with one set of credentials. Check out CISA’s guidance on SSO for SMBs. However, a password manager is a good first step.

3. Require that default credentials be changed on all software and hardware products

Many hardware and software products come “out of the box” with default usernames and passwords that are easily exploited. These default passwords may be physically labeled on the device or even readily available on the internet. Require that staff change all default credentials.

© Cybersecurity & Infrastructure Security Agency
