We make a significant investment to secure the premises of our businesses – swipe card access for our teams, alarms systems and night time surveillance, but what if the greatest security threat isn’t a physical one, what if it’s digital?  If your business doesn’t have strong passwords protecting access to its applications and data, you are leaving the door open and giving hackers easy access to your most sensitive information.

How do hackers breach passwords?

There are multiple types of attacks: Brute force, Dictionary and Rainbow Tables. These are all based on using a variety of techniques and computing power to guess your password rather than exploiting security vulnerabilities within the systems you are using.

What is a password policy?

A password policy is a set of rules designed to enhance your computer security by encouraging users to employ strong passwords and use them properly. A password policy can be merely advisory, or tools like Microsoft Office 365 can be used to force users to comply with it.

Regardless of how you choose to enforce your policy, these are the areas we think you should consider…

Make it long and strong

Your password policy needs to enforce a common standard that protects your business. Whether you choose a sentence or a combination of characters, numbers and symbols, we  say  “the longer and the stronger, the better.”

Change them frequently and properly

Let’s be honest we’ve all done it before – password “Bob123” at renewal becomes “Bob1234” and the hackers are onto us. New passwords should be just that – an entirely new combination that in no way resembles the old.

We recommend that your passwords should be renewed every quarter.   That way, should a hacker be successful, they have less time to cause damage to your business. It could be more frequent however we are often balancing the risk to our organisations with the productivity of our teams. You might like to consider which applications hold the greatest risk and apply a different renewal horizon to each.

“Password123” and his friends should be blacklisted

Common passwords are the ones we loved in the 90’s. “123456” or “qwerty” are good examples. Easy to remember combinations, but in 2019 they are easily breached. Researchers have uncovered several other combinations that are frequently used:

  • 1q2w3e4r
  • 1qaz2wsx
  • 1qazxsw2

which are all combinations of keys on the left-hand side of standard keyboards. They also found that passwords which express emotion are very common:

  • Iloveyou
  • Ihateyou
  • Trustno1

Tools like Microsoft Office 365 can be configured to stop your team from using some of these more vulnerable combinations.

Passwords containing personal information are a “no go”

Favourite sports teams, brands, music and movie references, family and pet names are also known to be used widely. This information can often easily be harvested by hackers via social media profiles. If you or your team include personal information readily found online in your password, the data is more vulnerable.

We would encourage you to reference these in your organisations computer policy, but just as importantly regularly discuss these with your team as part of building your teams cyber security awareness and resilience.

Keep your passwords private and safe

Don’t share your passwords with your colleagues and certainly don’t write your password down on a post it and stick it to your screen!

Multi Factor Authentication

We can’t talk about passwords without talking about MFA – which is now industry standard. We wrote a blog about MFA and how it works last year.

We often see that MFA being applied to Microsoft Office 365 accounts however it’s worth considering the other applications that hold sensitive business information – your accounting and payroll systems, CRM’s, Mailchimp (newsletter marketing) and your website are good examples. A breach of any of these could result in critical data loss and/or do damage to your brand/reputation.

Surely there’s a better way? The Password Manager

A password manager is a new SAAS service which simplifies this process. It’s designed to keep all your passwords under one encrypted (and password-protected) roof. It generates long and strong passwords for you.

You’re thinking, “All my passwords in one place? Is that safe?”  Most password managers employ MFA so access is only granted with a correct password and a correct authentication code. That code exists only on a device you own, limiting the ability for hacker to gain access.  As these tools evolve and are proven to be secure we expect to see a greater uptake.


A strong password policy, cyber security education and cyber security tools like Stack are a very effective first line of defence against hackers. If would like a review of your business’s security profile, we would love to help.