The New Rules for Passwords in 2019

Access control is fundamental to security – whether in your home, your office or your IT infrastructure. If passwords are the keys that open the doors to your IT estate for legitimate users, how do you stop them falling into the possession of malicious actors?

#1. Access control is fundamental to good password management

What are your passwords protecting? And who really needs access to what?

It’s vital to understand:

• which systems are critical to each job role?

• which systems pose security risks?

• where are the critical points of failure and most sensitive data located?

• where are the potential back doors?

It’s the most sensitive data the bad guys will be after, so the fewer people who have access to this, the better. User rights are the way to manage this; keep your IT estate as locked down as it can be while still supporting users effectively.

Importantly, ensure that people who have systems administration logins or logins with access to sensitive systems don’t use those logins for their day-to-day work. Give these users a separate login with minimal access rights that they can use for checking emails or browsing the Internet.

#2. Get the basics right

The essential password rules still apply:

• Use strong passwords of at least 8 characters with a mix of cases, numbers and symbols.

• Do not use easy-to-guess words like the names of your children, pets or football team.

• Make it easy for staff to access guidance (whitelist / blacklist / 3 random words / etc)

• Ensure that mobile devices are at least as well protected as your office devices with strong passwords

• Don’t reuse passwords – make them unique

• Never save passwords using a web browser

• Log out of systems and websites when you’ve finished using them

#3. Double down on two-factor authentication

Two-factor authentication (2FA) is one of the most secure methods to implement and should be used on all important / sensitive business systems. We strongly recommend this should include Office 365.

#4. Be wary of phishing

Increasingly, it’s people rather than devices that are being targeted for the purposes of committing cyber crime. Rather than hack a password using complex IT knowledge to access a computer, most password breaches now occur by simply asking for them – albeit in the form of fake emails or “phishing”. Staff training or “people patching” is your best policy here.

#5. Use a password manager but choose wisely

Researchers have found that not all password managers are created equal.

In particular, Android-based password managers leave users exposed to scammers who create fake apps. Because these password management apps (including Dashlane, Keeper, LastPass, and 1Password) have a hard time distinguishing between legitimate and fake applications, users can find their details autofilled before they have time to spot the spoofed app.

If your users are using Android devices, the researchers recommended switching to Google Smart Lock.

#6. Understand the risks of the dark web

Researchers have found that stolen personal data sells for as little as £10 on the dark web. This information includes everything hackers require to conduct identity theft and other online fraud; applying for loans or credit cards in their victim’s name, for example.

Organisations can help users stay safe by checking whether their own users’ details have been compromised and are being sold on the dark web. For individuals, an important resource for this is the Have I Been Pwned website – an online public database of breaches, leaks and hacks. For whole businesses and organisations, there are better tools available that can continuously monitor for this kind of activity.


If you do find staff have been compromised, you’ll need to help them understand the risks. In particular, they should immediately change their passwords – especially if they are using the same password on multiple sites or, worse, using a compromised password to access work systems or devices.
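The check described above can also be run against passwords themselves without ever disclosing them. The following is an added example, not code from this article: it follows the k-anonymity range model used by Have I Been Pwned's Pwned Passwords service, where only the first five characters of the SHA-1 hash leave the client. The remote service is replaced by a constructed stand-in, and the sample passwords and breach counts are made up for illustration.

```python
import hashlib

def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-character prefix that is
    sent to the service and the 35-character suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Return how often the password appears in the breach corpus.
    fetch_range(prefix) returns the response text; only the prefix is disclosed."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_fake_service(breached):
    """Constructed stand-in for the remote range lookup (assumption: a real
    deployment would issue an HTTPS request for the prefix instead)."""
    sent, table = [], {}
    for pw, n in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{n}")
    def fetch(prefix):
        sent.append(prefix)  # record exactly what left the client
        # One padding line with count 0, which callers must treat as "not found"
        return "\r\n".join(table.get(prefix, []) + ["0" * 35 + ":0"])
    return fetch, sent

# Constructed sample data: counts are illustrative, not real breach figures.
FETCH, SENT = make_fake_service({"Password1!": 12345, "liverpool": 678})

def check_all(passwords):
    """Map each candidate password to its breach count."""
    return {pw: breach_count(pw, FETCH) for pw in passwords}

if __name__ == "__main__":
    for pw, n in check_all(["Password1!", "correct horse battery"]).items():
        print(f"{pw!r}: {'change it, seen %d times' % n if n else 'not found'}")
```

Note that the constructed sample `Password1!` satisfies the length and character-mix rule from section #2 and is still flagged, which is why a breach check complements complexity rules rather than replacing them.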

Of course, passwords are only part of the security jigsaw and we’d always recommend the Government-backed Cyber Essentials scheme as your first step towards better Cyber Security.

You can find out more about the scheme and contact us about anything security related HERE.


