Password Security Tips:
- Use Passwords with 12 Characters or More. Enforce corporate policies prohibiting short, simple, common, and re-used passwords. Twelve characters or longer is the usual recommendation because each additional character multiplies the number of guesses an attacker, or the cracking rig at his disposal, must try by the size of the character set; length is the cheapest way to put a password out of reach of brute force.
- Advise Employees to Use a Different Password for Each Site. People often reuse one password across many sites, including social networking sites, so a breach at any one of them hands the attacker a working credential for the rest. Computer users should use a different password for each site they interact with. It is not possible to stop users from reusing passwords on sites outside your control, but it is possible to educate them about the harm in doing so, to keep a password history and forbid reuse of old passwords, and, where policy requires it, to expire passwords periodically (the page's original suggestion is every three months). Be aware that current NIST guidance (SP 800-63B) advises against forced periodic expiry, since it tends to produce predictable variations of the old password; screening new passwords against lists of known-breached passwords addresses the reuse problem more directly.
- Fortify Your Web Site Against Attacks Like SQL Injection. Build every database query with parameterized statements rather than string concatenation, so that user input is bound as data and never parsed as SQL. Protect stored password hashes against reverse lookup: an unsalted fast hash (MD5, SHA-1, SHA-256) can be matched against a precomputed table of common passwords in an instant, so give each user a random salt and use a deliberately slow, purpose-built algorithm.
- Use Anti-Virus and Other Security Software. Endpoint protection reduces the chance of passwords being stolen by spyware, keyloggers, and other malware.
- Use Software to Manage Online Passwords. Use software like KeePass (free, open source, multi-platform) or hardware security tools like IronKey to generate, remember, and fill online passwords, so that employees can have a long, unique password for every site without memorizing any of them. IronKey is portable and fills credentials into accounts on any computer automatically, which means nothing is typed for a keylogger to capture and reduces exposure to phishing. The manager itself is then the one credential that must be strong: choose a long master password and protect the device or vault file accordingly.
- Do Not Store Passwords in Databases. Databases should never store passwords themselves. They should store only a salted hash of each password, produced by a slow password-hashing function such as bcrypt, scrypt, Argon2, or PBKDF2. That way, if a hacker breaches the database, he finds hashes rather than passwords. A hash cannot be converted back into a password, but cracking tools guess candidate passwords, hash each one, and compare; a salt stops precomputed tables from being reused across users, and a slow algorithm makes each guess expensive. Storing hashes instead of plaintext is one layer of protection, not a substitute for the others.
- Protect Corporate Financial Accounts. Employees working with the organization's financial accounts should use a separate, dedicated computer to manage those accounts online; don't use that computer for normal web surfing, emailing, social networking, or anything else that uses the Internet, so that malware picked up during everyday browsing cannot reach the banking session.
- Use Tools to Protect Online Financial Sessions. Check whether your financial institution offers a software tool like Trusteer's Rapport to help protect online sessions with money management services.
- Educate Your Employees. Educate your employees regarding computer security and social engineering scams like phishing; no password policy survives an employee who types the password into a look-alike login page.
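The two server-side tips above (parameterized queries against SQL injection, and salted, slow hashes instead of stored passwords) are shown together in the following added example, which is not code from the original page. It is illustrative code written for this edit: it assumes an in-memory SQLite database with a plaintext `legacy_users` table and a hashed `users` table, PBKDF2-HMAC-SHA256 with an iteration count taken from OWASP's published guidance, and constructed sample credentials. The `login_vulnerable` function deliberately combines both mistakes so the injection payload can be seen to succeed, and `login_safe` is the hardened counterpart; the lookup-table functions show why an unsalted hash is effectively reversible while a salted one is not.

```python
import hashlib
import hmac
import os
import sqlite3

# Iteration count assumed here (OWASP's published figure for PBKDF2-HMAC-SHA256);
# Argon2id or bcrypt are preferable where a library for them is available.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed
    lookup tables, and the iteration count makes every guess slow."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    _, digest = hash_password(password, salt)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest, expected_digest)


def create_db():
    """Constructed in-memory database: a plaintext 'legacy' table (the anti-pattern)
    and a table that holds only salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return conn


def register_legacy(conn, username, password):
    conn.execute("INSERT INTO legacy_users VALUES (?, ?)", (username, password))


def register(conn, username, password):
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def login_vulnerable(conn, username, password):
    """Both mistakes at once: plaintext storage and SQL built by string concatenation.
    The password field becomes part of the SQL text, so the input  ' OR '1'='1
    turns the WHERE clause into (... AND password = '') OR '1'='1'  and logs in."""
    query = ("SELECT 1 FROM legacy_users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query plus salted, slow hash. The attacker's input is bound as
    data, never parsed as SQL, and the database holds no password to steal."""
    row = conn.execute("SELECT salt, hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Still pay for one hash so an unknown username is not faster to probe.
        hash_password(password)
        return False
    salt, digest = row
    return verify_password(password, salt, digest)


def unsalted_sha256_hex(password):
    """The kind of hash a naive system stores: same password, same digest, every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(wordlist):
    """What an attacker builds against unsalted hashes: hash the wordlist once, then
    reverse every leaked digest with a dictionary lookup."""
    return {unsalted_sha256_hex(w): w for w in wordlist}


def reverse_unsalted(digest_hex, table):
    return table.get(digest_hex)


if __name__ == "__main__":
    conn = create_db()
    register_legacy(conn, "alice", "Tr0ub4dor&3")   # constructed sample credential
    register(conn, "alice", "Tr0ub4dor&3")
    payload = "' OR '1'='1"
    print("vulnerable login with SQLi payload:", login_vulnerable(conn, "alice", payload))  # True
    print("safe login with SQLi payload:      ", login_safe(conn, "alice", payload))        # False
    print("safe login with real password:     ", login_safe(conn, "alice", "Tr0ub4dor&3"))  # True
    table = precomputed_table(["123456", "password", "Tr0ub4dor&3"])
    print("unsalted SHA-256 reversed to:", reverse_unsalted(unsalted_sha256_hex("Tr0ub4dor&3"), table))
    salt, digest = hash_password("Tr0ub4dor&3")
    print("salted PBKDF2 reversed to:", reverse_unsalted(digest.hex(), table))  # None
```

Note that `login_safe` would also be secure with the payload supplied as the username: the quotes are bound as literal characters, so the query simply finds no such user. The real cost of the defence is the iteration count, which is the point; one check takes a fraction of a second for a legitimate user and the same fraction of a second for every one of an attacker's billions of guesses.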