David Sandell is the CEO of CI-ISAC, a not-for-profit organisation providing cyber threat intelligence (CTI) sharing services. In this piece, David shares 14 password tips to protect your business from cyber attacks.
Cybercrime is on the rise across Australia, and it’s not just large corporations that are being targeted. If you run a medical centre, a financial services firm, or a transport logistics company, your business is part of Australia’s critical infrastructure, making it a potential target for cybercriminals anywhere in the world.
The impact of these crimes is devastating. In 2020-21, the average cost of cyberattacks on small and medium businesses was $39,000 and $88,000, respectively. When you take into account the impact these crimes have on customer trust and brand reputation, the real cost is much higher and is felt by businesses long after the attack has occurred.
The good news is that one of the simplest yet most effective ways to safeguard your business is by strengthening your password security practices. Here’s how you can improve your password management processes and implement best-practice strategies.
Who should be able to access your passwords?
Passwords are like keys to your business’s most valuable information. Just as you wouldn’t hand out copies of your office keys to just anyone, passwords should only be accessible to those who genuinely need them. This is known as the ‘need to know’ principle: access is restricted to authorised individuals only.
Other key practices to include in your information security policy are:
- Never share passwords with colleagues or external parties.
- Avoid writing passwords down or storing them in unsecured documents.
- Use unique passwords for work and personal accounts.
- Never re-use passwords between accounts, both professional and personal.
- Enable multi-factor authentication (MFA) for sensitive accounts.
- Ensure that passwords are revoked when employees leave or change roles.
- Use a secure password manager to generate and store complex passwords.
Why strong, unique passwords matter
A weak or reused password is an open invitation for cybercriminals. In fact, simple passwords are as ineffective as having no password at all. The stronger your password, the harder it will be for hackers to crack it successfully. The strength of a password ultimately comes down to three crucial factors: length, complexity, and unpredictability.
Here’s why they matter:
- Length: The longer the password, the better. Each additional character you add to your password exponentially increases the difficulty of cracking it. At a minimum, you should be aiming to create passwords with 14 characters or more.
- Complexity: A mix of uppercase and lowercase letters, numbers, and symbols strengthens your password significantly. The greater the mix of characters you use, the longer it will take for hackers to crack them.
- Unpredictability: Avoid dictionary words, personal information, or common phrases. Dictionary and wordlist attacks try exactly these candidates first, so login details built from them are cracked quickly.
Even strong passwords can be compromised if they are exposed in data breaches, so it’s important to enable multi-factor authentication for as many accounts as possible.
It’s also essential to regularly update your passwords. Passwords with fewer than eight characters should be changed monthly, while longer passwords should be changed every three to six months. If a password is shared among multiple users, consider changing it more frequently to reduce security risks.
Managing shared passwords
If your business uses shared accounts, securing those passwords is critical to protecting your data. Instead of keeping them on a sticky note or in a spreadsheet, use a password vault or a privileged access management (PAM) system to store and manage them securely.
Best practices for managing shared passwords include:
- Using temporary, unique passwords that expire after each use when possible.
- Implementing scheduled password rotations to minimise security risks.
- Logging all password access to track who accessed what and when.
- Ensuring shared passwords are complex and unique, particularly in legacy systems that don’t support automatic rotation.
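The four practices above are what a password vault or PAM system does for you. The following Python example (added here; it is not the article's or CI-ISAC's code, and it models no particular product) is a minimal in-memory vault that issues a shared credential on check-out, rotates it after check-in when it is marked one-time, reports accounts whose scheduled rotation is overdue, and records every access in an audit log. The class and method names, the injectable clock and the account names are constructed for illustration.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def new_secret(length=24):
    """Fresh random password from a CSPRNG, as a vault would generate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class SharedCredential:
    account: str
    password: str
    rotated_at: datetime
    one_time: bool          # rotate immediately after every check-in
    max_age: timedelta      # scheduled rotation interval for non-one-time secrets


class SharedVault:
    """Toy model of a PAM vault: check-out, check-in, rotation and audit log.
    `now` is injectable so that rotation schedules can be tested deterministically."""

    def __init__(self, now=None):
        self._creds = {}
        self.audit_log = []  # (timestamp, user, account, action)
        self._now = now or (lambda: datetime.now(timezone.utc))

    def add(self, account, one_time=False, max_age_days=90):
        self._creds[account] = SharedCredential(
            account, new_secret(), self._now(), one_time, timedelta(days=max_age_days))

    def checkout(self, user, account):
        """Hand the current password to a named user and log who took it and when."""
        cred = self._creds[account]
        self.audit_log.append((self._now(), user, account, "checkout"))
        return cred.password

    def checkin(self, user, account):
        """Log the return; one-time credentials are rotated so the value
        the user saw stops working."""
        self.audit_log.append((self._now(), user, account, "checkin"))
        if self._creds[account].one_time:
            self.rotate(account, reason="one-time use")

    def rotate(self, account, reason="scheduled"):
        cred = self._creds[account]
        cred.password = new_secret()
        cred.rotated_at = self._now()
        self.audit_log.append((self._now(), "system", account, f"rotate ({reason})"))

    def rotation_due(self):
        """Accounts on a schedule whose password is older than its max_age."""
        now = self._now()
        return [a for a, c in self._creds.items()
                if not c.one_time and now - c.rotated_at >= c.max_age]

    def access_history(self, account):
        """Answer 'who accessed this account and when' from the audit log."""
        return [e for e in self.audit_log if e[2] == account]


if __name__ == "__main__":
    vault = SharedVault()
    vault.add("legacy-db-admin", one_time=True)   # constructed account name
    vault.add("shared-mailbox", max_age_days=30)  # constructed account name
    vault.checkout("alice", "legacy-db-admin")
    vault.checkin("alice", "legacy-db-admin")
    for ts, user, account, action in vault.audit_log:
        print(ts.isoformat(), user, account, action)
    print("Rotation due:", vault.rotation_due())
```

The point of the model is the separation of concerns: people only ever see a password through `checkout`, every sighting is logged, and for one-time credentials the logged value is worthless as soon as the session ends. For the legacy systems the last bullet mentions, `rotation_due` is the report you would review by hand, since the system cannot rotate itself.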
Whether it’s for individual or shared passwords, a password manager is one of the best investments your business can make in cybersecurity. It allows you to securely store and generate complex passwords, reducing the temptation to reuse or simplify them. Whenever your employees need access to a password, they can go to their password manager vault to access it.
Password security is a simple yet powerful defence against cyber threats. By following these best practices, businesses can protect themselves from unnecessary risks and costly breaches.