Forensic Control

Password Security for Businesses and Employees

We all need passwords but do we actually understand why and how to manage them?



Why Passwords Matter

Passwords are the keys to your digital identity. They protect your personal and professional data from unauthorised access and cyber attacks. However, many people do not pay enough attention to password security, which can put their information and reputation at risk. In this article, we will explain why password management is important, how to create secure passwords, and what to do if you feel your password may not be secure. We will also relate password security to cyber security frameworks, which are sets of guidelines and best practices for managing cyber risks.

Password Management

Password management is the process of creating, storing, and updating passwords for different accounts and devices. Management of passwords is important for several reasons:

  • Prevent identity theft and data breaches. If your password is weak or reused across multiple accounts, hackers can easily guess or crack it and access your sensitive information. This can lead to financial losses, legal issues, or reputational damage.
  • Comply with regulations and standards. Many industries and organisations have specific requirements for password security, such as length, complexity, expiration, and encryption. Failing to meet these requirements can result in fines, penalties, or audits.
  • Improve productivity and efficiency. If you have a strong and unique password for each account and device, you can avoid forgetting or resetting your passwords frequently. You can also use password managers or single sign-on (SSO) solutions to securely store and autofill your passwords.

Password Security: How It Relates to Cyber Security Frameworks

Cyber security frameworks are sets of documents that describe guidelines, standards, and best practices for managing cyber security risk. They help organisations identify, protect against, detect, respond to, and recover from cyber threats. Password security is an essential part of these frameworks because it affects every one of those functions of cyber risk management.

Some examples of cyber security frameworks that include password security recommendations are:

  • Cyber Essentials and Cyber Essentials Plus: A government-backed, industry-supported scheme that helps organisations of all sizes and sectors protect themselves against common online threats. Following the recent Montpellier update to the requirements, the need for good password and MFA practice is highlighted throughout the new standards. Multi-factor authentication is required for anyone using passwords of fewer than 12 characters; the minimum password length is 8 characters.
  • ISO/IEC 27001 and ISO/IEC 27002: These are international standards that specify the requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS). They cover various aspects of information security governance, such as policies, procedures, roles, responsibilities, controls, and audits. They also provide guidelines for password security, such as password length, complexity, expiration, storage, and change.
  • NIST Cybersecurity Framework: This is a voluntary framework developed by the National Institute of Standards and Technology (NIST) that provides a common language and approach for managing cyber security risk. It consists of five core functions: identify, protect, detect, respond, and recover. Its implementation tiers and profiles help organisations align their cyber security activities with their business objectives and risk appetite, and it references standards and best practices for password security such as NIST SP 800-63, which provides technical guidelines for digital identity services, including password authentication.
  • CIS Controls v7: This is a framework developed by the Center for Internet Security (CIS) that provides a prioritised set of actions to improve cyber security posture. It consists of 20 critical security controls that cover various aspects of cyber defence, such as inventory, configuration, vulnerability, malware, access, data, incident, and recovery. It also provides specific recommendations for password security, such as password length, complexity, expiration, change, and reuse.

Password Creation: How to do it right

Password creation is the first step of password management. Here are some tips on how to create secure passwords:

  • Use a passphrase instead of a password. A passphrase is a sentence or phrase that is easy to remember but hard to guess. For example, “I love pizza with pineapple” is a better passphrase than “pizza123”.
  • Use a combination of letters, numbers, and symbols. This makes your password more complex and resistant to brute-force attacks, which try every possible combination of characters. For example, “I love pizza with pineapple” can be modified as “1L0v3P!zz@w!thP!n3@ppl3”.
  • Use different passwords for different accounts and devices. This reduces the impact of a password breach, which occurs when hackers obtain your password from a compromised website or service. If you use the same password everywhere, hackers can access all your accounts with one password.
  • Avoid using personal information or common words. Hackers can use social engineering techniques or dictionary attacks to guess your password based on your name, birthday, address, hobbies, or favourite things. For example, “JohnSmith1980” or “ilovecats” are bad passwords.
  • Use a password generator or a password manager. These are tools that can help you create and store random and strong passwords. They can also help you update your passwords regularly and sync them across multiple devices.

Password Protection: What to do if you feel something isn’t right

Password protection is the process of keeping your passwords safe from unauthorised access or disclosure. 

Signs Your Password Might Not Be Secure:

  • You’ve used the same password across multiple sites.
  • You haven’t changed your password in over a year.
  • You’ve received a notification about a potential breach from a service where you have an account.
  • Your password doesn’t meet the criteria mentioned above.
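As an added example (not Forensic Control's own code), the Python function below turns the creation tips above and the warning signs in this section into automatic checks: the Cyber Essentials length rule (8 characters with MFA, 12 without), character mix or a multi-word passphrase, a constructed deny list of common words and personal details, reuse across accounts compared by hash rather than plaintext, and age over a year. The deny list, the `fingerprint` and `check_password` names and the `mfa_enabled` flag are assumptions made for this example.

```python
"""Password-policy check built from this article's criteria (added example, not
Forensic Control's tooling). Implements the Cyber Essentials length rule, the
character-mix tip, a deny list, reuse-by-hash and age checks from the page."""
import hashlib
import re
from datetime import date, timedelta

# Constructed, deliberately tiny deny list for the example; a real one is much larger.
COMMON_WORDS = ("password", "pizza123", "ilovecats", "qwerty", "letmein")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def fingerprint(password: str) -> str:
    """Hash used only to detect reuse between accounts without keeping plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, *, mfa_enabled, personal_details=(),
                   known_fingerprints=(), last_changed=None, today=None):
    """Return a list of findings; an empty list means no policy issue was found."""
    findings = []
    today = today or date.today()
    # Cyber Essentials: passwords under 12 characters are acceptable only with MFA.
    min_len = 8 if mfa_enabled else 12
    if len(password) < min_len:
        findings.append(f"too short: {len(password)} characters, minimum {min_len} "
                        f"{'with' if mfa_enabled else 'without'} MFA")
    # Either mix at least three character classes or use a multi-word passphrase.
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3 and len(password.split()) < 4:
        findings.append("low complexity: mix letters, numbers and symbols, "
                        "or use a multi-word passphrase")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            findings.append(f"contains common word '{word}'")
    for detail in personal_details:
        if detail and detail.lower() in lowered:
            findings.append(f"contains personal detail '{detail}'")
    # Compare hashes so a reuse check never needs the other accounts' plaintext.
    if fingerprint(password) in set(known_fingerprints):
        findings.append("reused: same password already used on another account")
    if last_changed is not None and today - last_changed > timedelta(days=365):
        findings.append("stale: not changed in over a year")
    return findings
```

Running it on the page's own examples, "1L0v3P!zz@w!thP!n3@ppl3" and "I love pizza with pineapple" pass cleanly, while "ilovecats" and "JohnSmith1980" (with the matching personal details supplied) are flagged.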

What to Do If You Feel Your Password Is Not Secure:

  • Change your password immediately. If you suspect that your password has been compromised or exposed, you should change it as soon as possible. You should also change any other passwords that are similar or related to the insecure one.
  • Enable multi-factor authentication (MFA). MFA is a security feature that requires you to provide more than one piece of evidence to verify your identity when logging in to an account or device. For example, you may need to enter a code sent to your phone or scan your fingerprint in addition to entering your password.
  • Monitor your account activity and alerts. You should regularly check your account settings, logs, and notifications for any suspicious or unusual activity or changes. For example, you may receive an email or a text message informing you of a new login attempt or a password reset request.
  • Report any incidents or issues. If you notice any signs of a password breach or a cyberattack, you should report them to the relevant authorities or parties as soon as possible. For example, you may contact your IT department, your service provider, or law enforcement.

Password security is a vital component of cyber security that affects both businesses and employees. By following the tips and steps outlined in this article, you can create and manage your passwords more effectively and securely. You can also use cyber security frameworks to guide your password security practices and align them with your organisational goals and risk levels. By doing so, you can protect your digital identity and data from cyber threats and enhance your cyber resilience.

If you feel you may need a little more guidance in getting your password strategy in place, please do speak to a member of the team; we will be happy to advise!

