Passwords

An SME should ensure its computer network can support the ability to centrally implement an access control such as those provided by modern network systems such as Microsoft Active Directory, or the Lightweight Directory Access Protocol (LDAP). This will enable the SME to ensure those accessing its systems and data can be centrally managed and controlled. The ENISA Tips for secure authentication is an excellent resource that SMEs can refer to to help them address this challenge

When dealing with credentials and more specifically passwords, SMEs should ensure that employees;

• Use strong passwords or passphrases which should be long, with lower-and upper‑case characters, possibly also numbers and special characters. It is preferable that employees use a passphrase – a collection of random common words combined into a phrase that provide a very good combination of memorability and security. For example, three random words like ‘’ogre swingy glamor’’ present a very strong password and if it can be sprinkled with uppercase characters or numbers, it’s even stronger; the passphrase approach is also vetted by many national authorities.
• Do not reuse their work passwords elsewhere.
• Do not to share their passwords with colleagues (nor user accounts).
• Do not attach Post-it notes detailing passwords to their screens or leave passwords otherwise accessible in written form.
• Stay away from the obvious, like using word “password”, sequences of letters like “abc”, sequences of numbers like “123”, keyboard paths like “qwerty” on English language keyboards, and their real life data like date of birth or name of your high school. In password creation, randomness is your friend.

We recommend the use of a dedicated password manager – usually superior in features to the browsers in-built password managers – as they help to keep strong, unique passwords.

Where possible, enforce Multi-Factor Authentication. Many services now provide Multi-Factor Authentication which is an additional step outside of entering a password to verify that the person trying to access the system is indeed who they claim to be. This often is done by either sending a text message to a known number for the account holder, using an app that supports authentication, or by using physical tokens which must be present at the time of accessing the account.

According to the ENISA Threat Landscape Report 2018, weak or reused passwords (56%) and unlocked devices (44%) represent two of the highest risks.

Once an employee leaves that organization, the SME should also ensure that they revoke the employee’s access to business systems.

Master passwords may be stored as part of SME’s contingency planning or to provide backup if some of the administrators is unavailable. However, they need to be stored in a safe place and accessible only to authorized personnel.