Security Recommendations: Password and Account Policy

Controlling access to sensitive information is a crucial measure when protecting your privacy and know-how. For this reason, the first part of our Security Recommendations series focuses on typical access control – password and account policies.

Why is it important? 

To restrict access to your user accounts as a preventive measure against data disclosure or manipulation. Ineffective policies or bad habits regarding passwords and accounts may undermine such efforts, allowing unwanted people to access the accounts.

What to do:

1. Use account passwords.

  • Some systems (e.g., operating systems) allow disabling password authentication. If you are not using any other authentication method, use a password.
  • Even a weak password is better than none: an account with no password is open to anyone who can reach the login prompt, and a password at least forces an attacker to guess.

2. Use strong passwords.

  • Do not use easy-to-guess passwords (e.g., “0000”, or passwords derived from your name, surname, birth date, or other details of your personal life).
  • Opt for randomly generated passwords containing a mix of alphanumeric and special characters. Length matters more than any single character class: every extra random character multiplies the number of guesses an attacker needs.

3. Under no circumstances share your accounts or passwords with other people.

  • Remember that the account owner (you) is responsible for all actions performed with the account. It would be very difficult (almost impossible) to prove which actions were made by someone you shared your password with.
  • Sharing accounts and passwords with other users is usually a serious violation of the company’s security policy.

4. Use a password manager for unmemorable passwords.

  • Use a well-known password manager (e.g., Bitwarden, KeePass) for password generation and management.
  • Password managers allow you to generate unique passwords for each one of your accounts, greatly enhancing their security.
  • Be aware that a password manager is a single point of failure: if the vault is not adequately secured, every password stored in it is compromised at once. Therefore, protect the vault with a long, unique master password, enable multi-factor authentication for the manager where it supports it, and keep an offline backup of the database.
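To make items 2 and 4 concrete, here is an added example (not code from the original page, and not any password manager's own implementation) of how a password generator and a weakness check work. It draws characters with the operating system's CSPRNG via Python's `secrets` module, computes the entropy of the result, and rejects the kinds of guessable passwords listed above. `COMMON_PASSWORDS` and the `personal_tokens` list are constructed, hypothetical inputs; a real deployment would check against a breached-password list.

```python
"""Random password generation and a weakness check (added example)."""
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation symbols = 94 possible characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Hypothetical, constructed blocklist; real deployments use a breached-password list.
COMMON_PASSWORDS = {"0000", "1234", "123456", "password", "qwerty", "letmein"}


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` symbols drawn uniformly from `alphabet`.

    secrets.choice reads from the OS CSPRNG. random.choice must not be used
    here: the Mersenne Twister behind it is predictable once its state leaks.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int = 6, sep: str = "-") -> str:
    """Return `words` words chosen uniformly from `wordlist` (e.g. a diceware list)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size` symbols,
    i.e. log2(alphabet_size ** length). This is the work factor for brute force."""
    return length * math.log2(alphabet_size)


def weakness_reasons(password: str, personal_tokens=()) -> list:
    """Return the reasons `password` is easy to guess; an empty list means none found.

    personal_tokens: strings such as names or birth years that must not appear.
    """
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if len(set(password)) == 1:
        reasons.append("repeats a single character")
    if password.isdigit():
        reasons.append("digits only")
    lowered = password.lower()
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains personal information: {token!r}")
    return reasons


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16, len(ALPHABET)):.1f} bits")
    print("0000:", weakness_reasons("0000"))
    # Constructed example of a password built from personal details.
    print(weakness_reasons("JaneSmith1990!", personal_tokens=["Jane", "Smith", "1990"]))
    # A four-digit PIN has only log2(10^4) ~ 13.3 bits; 16 random symbols have ~105.
    print(f"PIN: {entropy_bits(4, 10):.1f} bits")
```

Note that `entropy_bits` only describes a password that was actually chosen at random; a human-chosen "Jane1990!" has the right character mix but far fewer effective bits, which is exactly why the check above looks for personal tokens rather than character classes.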

5. Log out when you finish work.

6. Do not use automatically saved passwords.

  • For browsers, this applies especially if your browser is synchronized with your personal account: saved passwords are then copied to every device signed in to that account.
  • For remote sessions (e.g., RDP or SSH clients), do not save credentials in the client; enter the password on every login.

7. Enable multi-factor authentication for services that provide it.

  • For example, you can use a mobile application generating time-based one-time passwords (TOTP). Where the service offers it, a hardware security key (FIDO2/WebAuthn) is stronger, because a TOTP code can still be phished and relayed within its validity window.

8. Secure all devices used to access company accounts.

  • This includes personal devices used to reach company accounts: keep them updated, enable full-disk encryption and an automatic screen lock, and do not share them.

9. Limit the number of devices that have access to the company’s accounts.

  • Do not use company accounts where it is not necessary or not allowed. Every additional device is another place the credentials or session tokens can be stolen from.
  • For example, consider whether you really need your company’s internal chat (e.g., Slack, Google Chat, Teams) on your personal smartphone.

10. Use private browsing.

  • This protects your privacy on the device you are using: history, cookies, form data and passwords from the session are not kept once the window is closed. It does not hide your activity from the websites you visit, your network, or your employer.
  • During a short break, you can also use private browsing for non-work-related but still safe-for-work content such as news, recipes, memes or deals.