Password management best practices

Tue 11th Jul 2017
Password management best practices

With the latest version of PCI requirements, one of the updates is that businesses must use multi-factor authentication in and out of the network. To implement this, you must use atleast two of the following;
• Something you know (Password, code etc)
• Something you have (code sent to your phone)
• Something you are (fingerprint scan etc)

The problem with passwords
Passwords can be broken easily through brute force attacks and dictionary attacks. Employees tend to select passwords that are easily remembered, making it easy for data thieves to crack them through social engineering. Sometimes employees write them down somewhere or share them other people and store them in application that transmit passwords making it easy for hackers to use and find.

What are you doing wrong with passwords?
1) Default configuration – businesses will keep using default passwords that were set up when their router and POS systems were installed. The default passwords have been made available on the internet, so it makes breaking into your devices easier for hackers.

2) Sharing credentials – Sometimes employees will share accounts and details to save, however this makes it easier for social engineers to gain access to your sensitive data.

3) Not updating passwords regularly – We would recommend changing your passwords on a regular basis, if not by using the same password for a long period of time you are leaving yourself more vulnerable.

4) Choosing words like ‘password’ or ‘admin’ – These are very common passwords that many businesses use and the first words that hackers will use to try and gain remote access to your systems.

Make sure you assign employees unique and individual passwords for their accounts and make sure that they don’t share these with anyone else. Ensure that all your passwords are long and complex using a minimum of 8 digits using lower and upper cases, numbers and special characters. Implementing limited login attempts into the payment system will help prevent brute force attacks and social engineers from trying to gain access to your systems.