Seven Password Best Practices for Retailers

By: Tony Pusateri, Business Development Manager ISV & Resellers at APG Cash Drawer

No one really likes to use passwords, but they are critical to securing access to systems with valuable business data. Retailers, like any other business, should require passwords as part of their security policies to protect POS systems, backroom applications, customer databases and any other business system.

Whether employees work at the POS, the warehouse, the finance department or on the road connecting to the network through VPN, everyone should follow the password policy to minimize the chance of a cyber-attack or accidental data leak.

The following are seven password best practices every retailer should implement:

  1. Require strong passwords or passphrases. Simple passwords are easy to crack, which is why they should include upper and lowercase letters, numbers and symbols. But such combinations are easy to forget, so consider requiring passphrases that employees are more likely to remember. A nonsensical word combination such as GrassTireMeet will stick to the user’s mind while being hard to crack.
  2. Adopt two-factor authentication. Requiring a second authentication method is always a good idea, especially for access to critical systems. With two-factor policies, users must verify their identities through a code they receive by text or security token. New options are also becoming available, such as biometrics such as thumbprints, facial recognition and retina scans. As these methods improve, they are likely to become a routine part of authentication procedures.
  3. Apply password encryption. A password encryption tool adds a layer of protection by making passwords virtually impossible to crack. Even if a cybercriminal gets a hold of a password while in transit over the network to, say, access a website or cloud resource, the password data would be useless without a decryption key.
  4. Limit user privileges. One of the common mistakes businesses make is to allow too many users to access sensitive information. Employees should have access only to the systems they need for their jobs. For instance, no one but cashiers and their managers, should have access to the POS application. The same goes for finance, HR and any other specialized business function. The more you limit user privileges, the less likely you are to suffer a security breach.
  5. Use a password manager. Keeping track of multiple passwords is hard enough for users, but when you’re the administrator in charge of password management, it’s even tougher. The use of password management tools helps ease the burden. Password managers provide a secure repository for all passwords and passphrases by encrypting the data. They’re available for users and for administrators who must keep a centralized record of all passwords.
  6. Deactivate accounts no longer in use. A key component of any password policy is to make sure accounts of employees who leave the company are immediately closed. That way, former employees cannot access company systems.
  7. Publish the password policy. Simply having a policy won’t get you far. It should be disseminated to all employees, either as part of comprehensive security policy or as a standalone. It should outline what types of passwords to use and which not to use, and how frequently employees must change them. It also should include common-sense rules such as a prohibition against sharing or reusing passwords.

Enforcing strong password policies is crucial because stolen and weak passwords are a common cause of security breaches. While requiring passwords can be a drag for users, the reality is they’re unavoidable. And if you successfully make the case for why passwords are so critical, users are more likely to embrace them.