It can be pretty difficult to visualize the amount of data we generate, but let’s give it a go. Imagine the night sky with 40 times the number of stars you’d usually see. Pretty awe-inspiring, right? At the start of this year, there were 40 times more bytes of data in the digital universe than the number of stars in the observable universe.
Making this cosmos of data accessible presents some serious security challenges in terms of granting certain users access to certain data, and keeping that data protected from anyone who isn’t allowed access. Traditional passwords are still the primary method of controlling this access, so it’s imperative that organizations have a password policy in place which makes sure that employee passwords are a strong first line of defense to company data.
Let’s go back to our astronomical analogy for a moment: if each piece of company data is a star, an employee password is the atmosphere that breaks down any asteroids or deflects any alien attackers that might destroy that data star. Weak passwords are synonymous to holes in the atmosphere, leaving your data vulnerable to all manner of cosmic cyberattacks.
The best way to bolster this layer of password defense is by encouraging users to create strong passwords. That’s where a password policy comes in.
What Is A Password Policy?
A password policy is a set of rules, such as stating password length and complexity requirements, that help improve data security by encouraging users to create strong passwords and then store and use them securely. A policy can either be advisory or enforced via the computer system. Usually, it’s part of the organization’s official regulations and taught as a part of induction or security awareness training.
The GDPR (General Data Protection Regulation) doesn’t include any specific requirement for passwords, but states that organizations must process data securely using appropriate measures. However, there are other compliance bodies that do outline explicit regulations. The NIST (National Institute of Standards and Technology) guidelines and HIPAA (Health Insurance Portability and Accountability Act) law both outline standards for password policies that help keep confidential information secure.
NIST originally released their publication in 2004 but updated it in 2017, making significant changes to their advice regarding password complexity and regular password changes. Before creating a password policy, it’s important that you know which, if any, standard your organization needs to be compliant with. Once you know this, you can create your policy in line with those requirements.
Top Tips For Creating A Secure Password Policy
You know what a password policy is and which regulations your organization need to keep in line with for compliance, so now you’re ready to create your policy. Here are our top tips to help you get started!
Set A Policy To Change Passwords After Compromise
In the first publication of their guidelines, NIST recommended that organizations implement password expiry dates so that employees had to change their passwords every 90 days. However, research has shown that users who have to change their password regularly tend to choose more memorable phrases, which are easier for hackers to crack. On top of that, the organization would have to keep a history log of all previous passwords to make sure that users weren’t just using the same ones each time they had to renew their login information. If breached, this database could be a goldmine of credentials for attackers. In light of this, NIST changed their advice in their 2017 amendment (Section 18.104.22.168, Paragraph 9), stating that users should only change their passwords if there’s evidence of a compromise.
You can look for this evidence in a few ways. The most reliable is to use a password management solution, which can alert you to compromise by scanning the dark web for credentials linked to your domain. The second way is to search for compromised credentials manually though a tool like “Have I Been Pwned?”. You can also ask this particular site to send you emails notifications should they pick up on a breach linked to the email address you searched.
Set A Password/Passphrase Length Policy
The same amendment revoked NIST’s previous advice on enforcing password complexity, because employees who are forced to remember complex passwords often store them insecurely, such as in a plain text document or even on a post-it note stuck to their monitor. Now, rather than enforcing complex passwords, NIST recommends that organizations set a minimum password length of eight characters, and with a maximum length of 64 characters long if protecting particularly sensitive data.
A lot of users find it difficult to remember a long password without resorting to using common patterns such as “1qaz2wsx3edc”, or simply swapping out letters of common words with numbers, such as “P4ssw0rd1”. Because of this, you might want to consider asking your employees to use a passphrase, instead. A passphrase is longer than a traditional password and usually contains letters, spaces, symbols and numbers, and can even contain multiple languages. For example, “My lieblings-language is Denglish!”
Because these characters all work together in a sentence, they’re much easier for the user to memorize without the need for a sticky note. However, it’s still important to remind your employees that their chosen passphrase shouldn’t be directly linked to them – the user in the example above doesn’t actually speak German.
A password management solution will automatically indicate whether a password is strong enough as the user creates it. This is a particularly good option for creating password to individual applications and websites. You can also configure this manually, using Azure AD on Windows devices, PAM on Linux devices, or the enterprise system settings on Mac devices.
Create A Password Deny List
Put together a deny list of common, weak passwords, and vet your employees’ password choices against this list to help prevent dictionary attacks. You can also search your password database for the hashes of commonly used passwords. If some password are being used by multiple people, it could be worth offering further training in how to create a strong, unique password.
Again, you can either implement this through a password manager, or configure a custom list of blacklisted passwords manually in your Active Directory.
Set An Account Lockout Threshold
The lockout threshold is the number of unsuccessful log in attempts that a user can carry out before their account is locked. Most security guidelines suggest a lockout period of 15 minutes after 5-10 unsuccessful attempts to avoid accidental lockout. Alternatively, you can increase the time delay after each unsuccessful log in attempt rather that outright locking the account – this is called “throttling”. This technique helps protect against brute force attacks, while giving users multiple chances to correctly remember their password and avoiding having to recover a user’s account.
Enable Inactive Account Locking
This is similar to a display time-out. It’s important that all users sign out of their corporate accounts when they’re not using them, both at the end of the day and when applications or licenses are no longer needed. You can either encourage users to do this manually, or you can configure system settings to define how long an account stays open and logged in for when not in use.
Multi-factor authentication, or MFA, is one of the most effective methods of securing password-protected accounts. MFA is an electronic authentication method that requires the user to verify their identity in two or more ways before they’re allowed access a website, network or application. You might also have heard of 2FA, which is the same except that it only requires two forms of verification from the user.
There are three main types of MFA. The first is something you know, which could be a second password or a PIN. The second type is something you have, such as an authenticator app or smart card. The third type is something you are, i.e. biometric verification such as a fingerprint or retina scan.
Using one of these secondary methods of authentication means that a hacker can’t access a user’s account, even if they manage to crack their password. It’s much more difficult to steal someone’s fingerprint without them knowing than it is to find out the name of their pet!
Password managers secure business accounts by storing users’ passwords inside an encrypted vault. Each user only needs to remember one master password in order to have full access to their vault and, through that, all of their corporate accounts. Password managers can also help users to generate unique, random passwords, which they can synchronize across all of the devices they use for work – including personal tablets and smartphones. This keeps the company’s data secure and makes it easy for admins to monitor password strength across the organization.
Implementing a secure password policy will greatly improve your account security, and the best part is that you can adapt the policy to suit your business’ security needs and budget.
As our tips outline above, we recommend a mixture of employee-centric policies, such as setting passphrases and creating a deny list, and technical policies, such an implementing MFA and a password manager, in order to create multiple layers of protection that hackers will be far less likely to permeate.
Passwords can either be a strong line of defense against cybercriminals, or they can invite hackers into the heart of your organization’s data. Which would you prefer?