No KIS Password Management Guide for the Office (and Beyond)

Password Management Guide

As a managed services provider for Miami area businesses, we provide cyber security services. That includes training teams on the best password management policies and tools. Here are some tips to help your business.

The KIS philosophy reminds us to “keep it simple.” (We dropped the rude second S). KIS works in many areas of business, but when it comes to passwords, simple can be dangerous. 

If your password is weak, overused or contains personal data, the best cybersecurity system in the world can’t help you. Your passwords–both personal and work-related–need to be strong, have no personal data attached and be fairly specific to the site you are accessing. They should be unique to each and every account. In other words, it’s best to KIC (keep it complex). But complex doesn’t need to mean complicated. With the right password management tools, staying secure can also be easy.

This password management guide can help. Share it with your team or even use it to create a policy for your business. 

Strong Password Do’s and Don’ts

  • DO make a unique password for every account. Don’t reuse the same password on any other account. If a hacker latches on to that one password, all your sites are compromised.
  • DO include at least one uppercase letter, one lowercase letter, one number and one special character (e.g., !@#$%^&*()_+). It sounds difficult but it doesn’t have to be. If your favorite password is something like SurfGuy, change it to $urf#Guy24. DO this even if the platform doesn’t require it.
  • DON’T use anything that helps you remember your password if it would also help others guess it. Forget about using your name, birthdate, address, pet’s name or other personal information.
  • DON’T use a word or phrase that can be found in the dictionary. And DON’T be tempted to simply add a number at the beginning or end of that word or phrase. Believe it or not, there is software that can automatically plug in common words from the dictionary in attempts to guess your password.
  • DO use passphrases: groups of words with special characters or numbers interspersed so they are no longer dictionary terms, yet are easier to remember. They don’t have to be long. For example, “/\Gr8tPw0rd!” is 12 characters, has upper and lowercase letters, numbers and special characters, and uses no word found in the dictionary, yet it can still be memorable to YOU.
  • DON’T write them down. Some guidelines, including those from Microsoft, say that long, complex passwords are harder to remember and advocate the KIS method. But here at Internos, we recommend the KIC (keep it complex) method of longer, stronger passwords for two reasons:
    • If you are in a high-compliance environment, most cybersecurity frameworks have password requirements that include longer passwords and specific character types.
    • Microsoft and others advise the simpler method coupled with the direction to use multi-factor authentication (MFA). However, MFA isn’t an option on all sites and platforms, so you’re left with only a weak password for protection.
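
To show how the do’s and don’ts above can be enforced, here is a small checker added as an example (it is not from the original post or from Internos). The wordlist and the sample personal details are constructed for illustration; a real deployment would load a large common-password list.

```python
import string

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "summer", "miami", "letmein"}


def check_password(password, personal_info=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    lowered = password.lower()
    # Strip digits/symbols tacked onto either end, so "Password1!" is still caught
    # as the dictionary word "password" (the guide's point about adding a number).
    core = lowered.strip(string.digits + string.punctuation)
    if core in DICTIONARY:
        problems.append("dictionary word (digits or symbols at the ends do not help)")

    # Personal data (name, birth year, pet's name...) anywhere in the password is a red flag.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal data: {item}")
    return problems
```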

In addition, once you’ve created your passwords:

  • TURN OFF your browser’s suggest passwords setting. 
  • DON’T save passwords in a spreadsheet unless it’s encrypted. Spreadsheets are the first place a hacker will look if they gain access to your device.
  • DON’T save them in any other unencrypted tools. Not in Contacts, Notes or other software that is unencrypted.
  • For better ways to manage passwords, check out the password management tools listed below.

When to Change? NOW!

  • If you’ve been using the same password on an account since you opened it.
  • If you’ve had the same password for multiple accounts.
  • If your password doesn’t meet the criteria to make it strong.
  • If you’re worried it might have been or might be compromised.

Begin by changing the accounts that are most likely to be attractive to hackers: business accounts, bank accounts and your mobile carrier (to protect yourself from SIM swapping).

Use a Password Management Tool

Password management tools securely store all your passwords in one place. All you need to remember is one “master password” to log in to the password manager. Then, when you log in to other systems, the password manager brings up the relevant credentials for each account. You can even choose to have those usernames and passwords automatically entered by the password manager.

There are several secure and reliable password management tools we recommend for businesses. They work across devices while encrypting and protecting your passwords. Many offer free versions for individual users, as well as business or enterprise versions that allow you to set up shared folders and more. Some also securely store credit cards, notes and other information. The top password management tools for business are:

Once you select a password manager, you can use it to create unique and strong passwords for you. Best of all, you don’t have to remember them. Password managers are similar to saving passwords in your browser with one HUGE difference: password managers store your passwords with end-to-end encryption, so only your master password can unlock them.

Password Management for Offices and Teams

As a business owner, IT team or manager, you have the right to require a certain level of password security for your employees’ business accounts. You can and should enforce strong passwords in the workplace.

  • Employees should be trained on today’s cybersecurity threats and why strong passwords matter. You should have rules for your systems that require strong passwords, but don’t neglect your employees’ personal accounts, which can also put your business at risk through phishing and other social engineering attempts.
  • Set up application-side settings which enforce strong passwords. Most systems and applications allow you to control the parameters users must meet in setting a password.
  • Enable your lockout feature after a specific number of failed login attempts (e.g., three to five) within a certain time frame (e.g., 12 hours). This helps prevent brute-force attacks, in which a hacker simply tries password after password until one works.
  • Don’t ask general staff to change their passwords every 30, 60 or 90 days. This often backfires because employees choose weaker passwords or write them down to remember them.
  • Do require system administrators or people handling sensitive data to change passwords periodically.
  • Use the same strong password guidelines when you set up one-time passwords (OTP) for a new employee or when a user’s password is lost or breached. Require that initial and one-time passwords be changed after login. This makes sure that only users know their passwords and wipes away any potential issues with the way that password was communicated (text, email or written down). Enforce initial or one-time passwords to expire if they aren’t used in a certain period of time (e.g., 48 hours).
  • Create a strict “no-sharing of passwords” policy. Where exceptions are needed for business reasons, make sure passwords are shared through a password manager. Shared passwords should be changed more frequently as well.
  • Change, then disable default account passwords. If your system comes with default passwords, change them as soon as the system is installed and configured and disable the default password once the admin user passwords have been created. This shuts the “back door” into your system.
  • Store passwords using strong algorithms. Protocols that transmit them as plain text (e.g., FTP, HTTP, SMTP) or that rely on algorithms with known weaknesses (e.g., DES encryption, the MD4 hash) should not be used. Instead, transmit passwords only over encrypted connections and store them only as non-reversible (one-way) hashes.
  • Set up password-change notifications and a reset procedure so users can alert the IT team if they didn’t initiate a change.
  • Use MFA (Multi-Factor Authentication) for your entire business. Encourage the use of MFA Authentication Apps, such as:
  • When an employee leaves your company, change passwords the minute they walk out the door!
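
The lockout and password-storage points above, put together in one added example (not code from the original post or from Internos): passwords are kept only as salted, slow, one-way PBKDF2 hashes, checked with a constant-time comparison, and an account locks after the guide’s example thresholds (five failures within 12 hours). The AccountStore class is a hypothetical in-memory store written for this demonstration; the injectable clock exists only so the window can be tested without waiting.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation); tune to your hardware.
ITERATIONS = 600_000
MAX_FAILURES = 5             # the guide's example: lock after three to five failed attempts
WINDOW_SECONDS = 12 * 3600   # the guide's example: failures counted within a 12-hour window


def hash_password(password, salt=None):
    """Salted, slow, one-way hash: the stored digest cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class AccountStore:
    """Hypothetical in-memory user store used for the demonstration."""

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so the lockout window can be tested without waiting
        self.users = {}      # username -> [salt, digest, list of failure timestamps]

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = [salt, digest, []]   # the plaintext is never kept

    def is_locked(self, username):
        record = self.users[username]
        now = self.clock()
        record[2] = [t for t in record[2] if now - t < WINDOW_SECONDS]  # drop expired failures
        return len(record[2]) >= MAX_FAILURES

    def authenticate(self, username, password):
        """Return 'ok', 'bad_password' or 'locked'; unknown users get the same answer as a wrong password."""
        if username not in self.users:
            hash_password(password)  # do the same work so timing does not reveal valid usernames
            return "bad_password"
        if self.is_locked(username):
            return "locked"
        salt, digest, failures = self.users[username]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            failures.clear()
            return "ok"
        failures.append(self.clock())
        return "bad_password"
```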

Whether you need to set up better password management policies and tools for your business or are looking for an IT partner, we’re here to help. Contact us or book a meeting, virtual or in person.

Sandro Alvarez

Sandro is the CEO of Internos Group and a partner. He has spent the past 30 years building a career in IT, picking up an array of hardware and software certifications along the way. He’s a visionary who sees the big picture, then gets straight to work understanding every gear that grinds.
