Updated October 9, 2023

At this point, we assume your business email domain is set up, and you have your own administrator account. Now we need to make sure that when your employees log into their accounts, they can set everything up safely.
Most major business email account providers will already have strong rules that users have to follow when creating their first password. These rules are password characteristics like numeric, alphanumeric, upper-case, lower-case, and special characters. Those of us with scar tissue from old enterprise workplaces might also remember needing to reset our passwords every 90 days.
Times have changed, even if the old enterprise workplace password policies have not.
The most important characteristics of secure passwords are that they are unique and long. You might not be able to tell if a password an employee uses is unique, but you can ensure that your business email account settings require passwords over 12 characters in length.
Another helpful business email account setting is account lockout, where the system disables or delays user login after a defined number of unsuccessful access attempts. This can help prevent automated attacks, such as an attacker cycling through a list of common passwords. This setting won’t always be available, but it is a good one to have enabled if you can.
For most major email providers, you won’t have to actually change anything in the password policy and can usually go with out-of-the-box configurations.
If the out-of-the-box settings require things like resetting your password every 90 days or including one of every possible character type, it is actually better to disable those in exchange for requiring a longer password. Ideally, your employees will be able to take advantage of the password manager you provide them to auto-magically make passwords for them (which we will get into later).
Now is a great time to check that the password policy encourages and guides your users to make strong password choices. The published guidance from NCSC UK and CERT NZ is a helpful resource here; both agree with our advice of configuring a policy that requires long passwords and sets no password age.
It’s also important to require 2FA for all your employees. Your business email provider should allow you to toggle a setting that requires it to be set up for everyone, and if not, it should at least tell you who has and who hasn’t set it up.
Remember how we discussed the different types of two-factor authentication? This is the point where you have to think a bit more about which types of two-factor authentication you use. You are going to start having accounts that have really sensitive access, like the administrator account to your business email provider. They have what is referred to as “privileged access,” which means they have permissions to perform risky actions like changing users or security configurations, so you want to make sure the security measures for accessing these accounts are as strong as they can be.
For your administrator accounts, you want to use stronger 2FA setups. This includes using hardware security keys or push notifications to your phone. It is unfair to assume that your staff know how to use a security key (or even know what they are, and how to keep them safe)—they don’t get security training and are not expected to be technically skilled. It is OK for them to use the other forms of 2FA, such as a code delivered via text message, if their accounts don’t have any administrative access.