There are more bytes of data in the digital universe than there are stars in the observable universe. Making this cosmos of data accessible presents some serious security challenges in terms of granting certain users access to certain data, and keeping that data protected from anyone who isn’t allowed access. Traditional passwords are still the primary method of controlling this access, so it’s imperative that organizations have a password policy in place to make sure employee passwords are a strong first line of defense against cybercriminals trying to gain unauthorized access to company data.
Let’s go back to our astronomical analogy for a moment: if each piece of company data is a star, an employee password is the atmosphere that breaks down any asteroids or deflects any external attackers that might destroy that data star. Weak passwords are like holes in the atmosphere, leaving your data vulnerable to all manner of cyberattacks, including brute force attacks and password spraying.
The best way to bolster this layer of password defense is by encouraging users to create strong passwords. That’s where a password policy comes in.
What Is A Password Policy?
A password policy is a set of rules, such as stating password length and complexity requirements, that help improve data security by encouraging users to create strong passwords and then store and use them securely. A policy can either be advisory or enforced via the computer system. Usually, it’s part of the organization’s official regulations and taught as a part of induction or security awareness training.
The GDPR (General Data Protection Regulation) doesn’t include any specific requirement for passwords, but states that organizations must process data securely using appropriate measures. However, there are other compliance bodies that do outline explicit regulations. The NIST (National Institute of Standards and Technology) guidelines and HIPAA (Health Insurance Portability and Accountability Act) law both outline standards for password policies that help keep confidential information secure.
NIST originally released their publication in 2004 but updated it in 2017, making significant changes to their advice regarding password complexity and regular password changes. Before creating a password policy, it’s important that you know which, if any, standard your organization needs to be compliant with. Once you know this, you can create your policy in line with those requirements.
Top Tips For Creating A Secure Password Policy
You know what a password policy is and which regulations your organization needs to keep in line with for compliance, so now you’re ready to create your policy. Here are our top tips to help you get started!
Set A Policy To Change Passwords After Compromise
In the first publication of their guidelines, NIST recommended that organizations implement password expiry dates so that employees had to change their passwords every 90 days. However, research has shown that users who have to change their password regularly tend to choose more memorable phrases, which are easier for hackers to crack. On top of that, the organization would have to keep a history log of all previous passwords to make sure that users weren’t just reusing the same ones each time they had to renew their login information. If breached, this database could be a goldmine of credentials for attackers. In light of this, NIST changed their advice in their 2017 amendment (Section 5.1.1.2, Paragraph 9), stating that users should only change their passwords if there’s evidence of a compromise.
You can look for this evidence in a few ways. The most reliable is to use a password management solution, which can alert you to compromise by scanning the dark web for credentials linked to your domain. The second way is to search for compromised credentials manually through a tool like “Have I Been Pwned?”. You can also ask this particular site to send you email notifications should they pick up on a breach linked to the email address you searched.
Set A Password/Passphrase Length Policy
The same amendment revoked NIST’s previous advice on enforcing password complexity, because employees who are forced to remember complex passwords often store them insecurely, such as in a plain text document or even on a post-it note stuck to their monitor. Now, rather than enforcing complex passwords, NIST recommends that organizations set a minimum password length of eight characters, and a maximum length of 64 characters if protecting particularly sensitive data.
A lot of users find it difficult to remember a long password without resorting to using common patterns such as “1qaz2wsx3edc”, or simply swapping out letters of common words with numbers, such as “P4ssw0rd1”. Because of this, you might want to consider asking your employees to use a passphrase, instead. A passphrase is longer than a traditional password and usually contains letters, spaces, symbols and numbers, and can even contain multiple languages. For example, “My lieblings-language is Denglish!”
Because these characters all work together in a sentence, they’re much easier for the user to memorize without the need for a sticky note. However, it’s still important to remind your employees that their chosen passphrase shouldn’t be directly linked to them—in the above example, the user’s favorite language shouldn’t actually be a mash-up of English and German.
A password management solution or password policy enforcement tool will automatically indicate whether a password is strong enough as the user creates it. This is a particularly good option for creating passwords for individual applications and websites. You can also configure this manually, using Azure AD on Windows devices, PAM on Linux devices, or the enterprise system settings on Mac devices.
Create A Password Deny List
Put together a deny list of common, weak passwords, and vet your employees’ password choices against this list to help prevent dictionary attacks. You can also search your password database for the hashes of commonly used passwords. If some passwords are being used by multiple people, it could be worth offering further training in how to create a strong, unique password.
Again, you can either implement this through a password manager, or configure a custom deny list of banned passwords manually in your Active Directory.
Set An Account Lockout Threshold
The lockout threshold is the number of unsuccessful login attempts that a user can make before their account is locked. Most security guidelines suggest a lockout period of 15 minutes after 5-10 unsuccessful attempts, which is lenient enough to avoid accidental lockouts. Alternatively, you can increase the time delay after each unsuccessful login attempt rather than outright locking the account—this is called “throttling”. Both techniques help protect against brute force attacks, while giving users multiple chances to remember their password correctly and sparing the help desk an account recovery.
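The two mechanisms described above, as an added example that is not part of the original article: a per-user login guard that either locks the account for 15 minutes after five failures or doubles the wait after every failure (throttling). The threshold, lockout period and delay cap are the assumed values from the text; the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5       # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60   # 15-minute lockout, as suggested above
BASE_DELAY = 1.0            # throttling: wait after the first failure (assumed)
MAX_DELAY = 60.0            # cap so the throttling delay never grows unbounded


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0  # timestamp before which login attempts are refused


class LoginGuard:
    """Tracks failed logins per user and applies lockout or throttling.

    mode="lockout": refuse logins for LOCKOUT_SECONDS once failures hit the threshold.
    mode="throttle": double the wait after every failure instead of locking.
    """

    def __init__(self, mode: str = "lockout", clock=time.time):
        self.mode, self.clock, self.accounts = mode, clock, {}

    def seconds_until_allowed(self, user: str) -> float:
        state = self.accounts.setdefault(user, AccountState())
        return max(0.0, state.not_before - self.clock())

    def login(self, user: str, password_ok: bool) -> str:
        """Process one attempt; returns "refused", "failed" or "ok"."""
        state = self.accounts.setdefault(user, AccountState())
        if self.seconds_until_allowed(user) > 0:
            return "refused"          # locked or throttled, even if the password is right
        if password_ok:
            state.failures, state.not_before = 0, 0.0
            return "ok"
        state.failures += 1
        if self.mode == "lockout":
            if state.failures >= LOCKOUT_THRESHOLD:
                state.not_before = self.clock() + LOCKOUT_SECONDS
                state.failures = 0    # counter reset window equals the lockout period
        else:
            delay = min(BASE_DELAY * 2 ** (state.failures - 1), MAX_DELAY)
            state.not_before = self.clock() + delay
        return "failed"
```

Every "refused" result is worth logging with the source address, since a burst of them across many accounts is the signature of a password-spraying attempt.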
Enable Inactive Account Locking
This is similar to a display time-out. It’s important that all users sign out of their corporate accounts when they’re not using them, both at the end of the day and when applications or licenses are no longer needed. You can either encourage users to do this manually, or you can configure system settings to define how long an account stays open and logged in for when not in use.
Technical Ways To Increase Account Security
There is no single silver-bullet solution to identity and access security. For this reason, we recommend layering the above human-centric steps with technical solutions to bolster the security of your corporate accounts. Here are some of the best ways you can do this:
While creating a policy following the previous steps is fairly straightforward, actually enforcing it can be a little trickier. Password policy enforcement software makes it easier for admins to configure password policies at a user, group or computer level, and then automatically enforce these policies whenever a user needs to create a new password. They also often provide integrations with tools that detect the use of passwords that have previously been compromised, to reduce the threat of credential stuffing.
Multi-factor authentication, or MFA, is one of the most effective methods of securing password-protected accounts. MFA is an electronic authentication method that requires the user to verify their identity in two or more ways before they’re allowed to access a website, network or application. You might also have heard of 2FA, which is the same except that it requires exactly two forms of verification from the user.
There are three main types of authentication factor used in MFA. The first is something you know, which could be a second password or a PIN. The second type is something you have, such as an authenticator app or smart card. The third type is something you are, i.e. biometric verification such as a fingerprint or retina scan.
Using one of these secondary methods of authentication means that a hacker can’t access a user’s account, even if they manage to crack their password. It’s much more difficult to steal someone’s fingerprint without them knowing than it is to find out the name of their pet!
Password managers secure business accounts by storing users’ passwords inside an encrypted vault. Each user only needs to remember one master password in order to have full access to their vault and, through that, all of their corporate accounts. Password managers can also help users to generate unique, random passwords, which they can synchronize across all of the devices they use for work—including personal tablets and smartphones. This keeps the company’s data secure and makes it easy for admins to monitor password strength across the organization.
Implementing a secure password policy and enforcing it with the help of password policy enforcement software will greatly improve your account security, and the best part is that you can adapt the policy to suit your business’ security needs and budget.
As our tips above outline, we recommend a mixture of employee-centric policies, such as setting passphrases and creating a deny list, and technical policies, such as implementing MFA and a password manager, in order to create multiple layers of protection that hackers will be far less likely to penetrate.
Passwords can either be a strong line of defense against cybercriminals, or they can invite hackers into the heart of your organization’s data. Which would you prefer?