    What is a Password Policy and How to Create One?
    Compromised passwords are a leading reason for data breaches. In fact, more than 80% of hacking-related breaches are caused by password-related issues. A strong password policy can help ensure everyone in your business uses strong passwords.

    So, what is a password policy? How can you create a standard password policy? And what are password policy best practices? Let’s find out below.

    What Is a Password Policy?

    A password policy is a set of guidelines that requires everyone in a company to create strong passwords and use them properly, in order to enhance computer security and online security.

    A standard password policy includes what users need to consider and what they should avoid when creating, changing, storing, or sharing passwords.

    For example, your password policy can dictate that users must create longer passwords, including a certain number of special characters.

    Depending on your organization’s needs, you can make your password policy advisory or mandatory.

    Why are Password Policies Important?

    A password policy can help you enforce the practice of using strong, unique passwords in your business to enhance password security.

    Here are key reasons why implementing a strong password security policy is critical for your business:

    • Password reuse is a serious security blunder. A password policy can quickly rule out the practice of reusing passwords
    • A strong password policy with a clause of multi-factor authentication helps you minimize various security risks to a great extent
    • Everyone in your company will start creating complex passwords and storing them safely. As a result, your passwords will be safe from brute force attacks and other password-related attacks
    • A strong password policy signals to your customers and vendors that you are taking strict measures to safeguard passwords. This can help build trust with them

    Last but not least, a password policy cultivates a cybersecurity culture that is of utmost importance in today’s world, as small businesses are increasingly becoming the target of various types of cybersecurity attacks.


    How to Create a Standard Password Policy

    The following is a step-by-step process to create a strong password policy:

    Set Password Complexity Requirements

    System administrators or IT departments should set password complexity guidelines to ensure strong password creation.

    Here are the key password requirements to incorporate into your password policy, aimed at helping users prevent the creation of weak passwords:

    • Passwords should be at least ten characters long (longer is better)
    • Users must include uppercase letters, lowercase letters, and special characters in passwords
    • Including misspelled words is a good tactic for creating complex passwords
    • Take into account not only the use of different character types but also the need to avoid common substitutions (for example, “Pa$$w0rd!” remains a weak choice).
    • Encourage the use of passphrase-based passwords, which are longer and can be easier to remember, such as a line from a favorite song or book, with modifications to incorporate complexity.

    Brute force attacks and dictionary attacks can crack simple passwords. So your password policy must have complexity requirements to encourage users to create hacker-proof passwords.

    Create a Password Deny List

    In addition to stating what users should do, your password policy should also state what users must avoid when creating passwords.

    A password deny list can include the following:

    • Person-related information such as name, date of birth, place of birth, job title, etc.
    • Telephone numbers, house numbers, or street numbers
    • Name of spouse, children, or loved ones
    • Reusing the same password on multiple accounts
    • Regularly update the deny list with passwords exposed in recent breaches, utilizing resources like “Have I Been Pwned” to stay current.
    • Include commonly used passwords by attackers in automated login attempts, even if they’re not personal information but often guessed passwords like “admin” or “password1”.

    As a rule of thumb, your password policy’s deny list should include any type of personal information and any simple pattern (like QWERTY or 123456).
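    The complexity requirements and the deny list above can be enforced at the point where a password is set. The following checker is an added example written for this article, not code from the original post; the breached-password set, the sequence list and the substitution table are constructed samples (a real deployment would load a current breach feed such as the “Have I Been Pwned” list the text mentions), and the user’s personal details are passed in by the caller.

```python
import re

# Constructed stand-in for a breached-password feed such as "Have I Been Pwned";
# a real deployment would load a current list instead of this sample set.
BREACHED = {"password", "password1", "admin", "letmein", "welcome1", "iloveyou"}

# Keyboard walks and sequences the deny list calls "simple patterns" (QWERTY, 123456).
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]

# Common substitutions, undone before deny-list checks so "Pa$$w0rd" reads as "password".
SUBSTITUTIONS = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a",
                               "0": "o", "1": "i", "3": "e", "7": "t"})


def normalize(password):
    """Lowercase, drop trailing decoration ("!", "123"), then undo leetspeak."""
    low = re.sub(r"[^a-z]+$", "", password.lower())
    return low.translate(SUBSTITUTIONS)


def contains_sequence(password, min_run=5):
    """True if a run of min_run characters from a known sequence (or its reverse) appears.

    A run of five avoids false positives on ordinary words such as "liberty" ("erty").
    """
    low = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - min_run + 1):
            run = seq[i:i + min_run]
            if run in low or run[::-1] in low:
                return True
    return False


def check_password(password, personal_info=(), min_length=10):
    """Return the list of policy violations; an empty list means the password passes.

    personal_info holds strings the deny list forbids for this user (name, birth
    year, job title, phone number, and so on); values shorter than 3 chars are skipped.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    low, norm = password.lower(), normalize(password)
    if low in BREACHED or norm in BREACHED:
        problems.append("found in breached or commonly guessed password list")
    for item in personal_info:
        s = str(item).lower()
        if len(s) >= 3 and (s in low or s in norm):
            problems.append(f"contains personal information: {item}")
    if contains_sequence(password):
        problems.append("contains a keyboard or numeric sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates for a user named Alice born in 1990.
    for pw in ["Pa$$w0rd!", "Alice1990!xyz", "Qwerty!Ab2024", "correct-Horse-battery-stapl3"]:
        print(pw, "->", check_password(pw, personal_info=("Alice", "1990")) or "OK")
```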

    Set a Password Expiration Period

    The primary purpose of establishing a password expiration period is to limit how long a password obtained from an old data breach remains valid and usable by attackers.

    For example, suppose your password is disclosed in a data breach that is two months old, and you change your password every month. Hackers will not be able to gain access to your account using that leaked password.

    Ideally, the password expiration period should be set to three months. But you can adjust this period, depending on the needs of your business. Also, you should ensure that your employees don’t reuse the same passwords for other accounts.

    • Balance security with user convenience by considering the use of longer expiration periods for systems with additional security measures (e.g., accounts protected by multi-factor authentication might have longer expiration periods).
    • Implement user-friendly notifications and guides for password changes to encourage compliance without causing frustration.


    Enforce Multi-factor Authentication

    Multi-factor authentication (MFA) can increase the security of accounts in your business. This is because hackers won’t be able to gain access to accounts even if they get hold of logins and passwords for those accounts.

    Therefore, your password policy must make it mandatory for users to implement MFA for all accounts that allow this feature.

    • Provide training and resources to ensure users understand the importance of MFA and know how to use it effectively.
    • Offer options for MFA methods (e.g., mobile app-based, SMS codes, hardware tokens) to accommodate different user needs and preferences.

    Include Account Lockout Threshold

    The account lockout threshold locks a user account after a specified number of unsuccessful login attempts. This feature safeguards your accounts against brute force attacks and dictionary attacks.

    Ideally, you can set the account lockout threshold to five failed login attempts, combined with an account lockout period of 15 minutes.

    • Implement a progressive increase in lockout duration for repeated lockout triggers to deter attackers while minimizing inconvenience for legitimate users.
    • Offer a secure, user-friendly process for account recovery to reduce the workload on IT support and minimize user downtime.
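    A lockout tracker that applies the threshold, the 15-minute lockout period and the progressive increase described above, as an added example that is not part of the original article. It assumes the caller has already verified the credentials and passes the result in, together with the current time in epoch seconds; the doubling schedule and the 24-hour ceiling are assumptions, not values from the text.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5            # failed attempts before the account locks (article's value)
BASE_LOCKOUT_SECONDS = 15 * 60   # first lockout lasts 15 minutes (article's value)
MAX_LOCKOUT_SECONDS = 24 * 3600  # assumed ceiling for the progressive schedule


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since the last success or lockout
    lockouts: int = 0        # how many lockouts so far; drives the progressive duration
    locked_until: float = 0.0


class LockoutPolicy:
    def __init__(self):
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return self._state(user).locked_until > now

    def lockout_remaining(self, user, now):
        """Seconds left on the current lockout (0 when the account is open)."""
        return max(0.0, self._state(user).locked_until - now)

    def record_attempt(self, user, success, now):
        """Record a login attempt and return 'locked', 'ok' or 'failed'.

        During a lockout every attempt is rejected, even one with the right
        password, so an attacker gains nothing by continuing to guess.
        """
        st = self._state(user)
        if st.locked_until > now:
            return "locked"
        if success:
            st.failures = 0
            st.lockouts = 0      # a genuine login resets the progressive schedule
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            # 15 min, then 30, 60, ... up to the ceiling for repeated lockouts
            duration = min(BASE_LOCKOUT_SECONDS * (2 ** st.lockouts), MAX_LOCKOUT_SECONDS)
            st.lockouts += 1
            st.failures = 0
            st.locked_until = now + duration
            return "locked"
        return "failed"


if __name__ == "__main__":
    import time
    policy = LockoutPolicy()
    for attempt in range(6):     # constructed run of wrong passwords for one user
        print(attempt + 1, policy.record_attempt("alice", False, time.time()))
    print("remaining lockout seconds:", policy.lockout_remaining("alice", time.time()))
```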

    Have Guidelines on How to Store Passwords

    Did you know that 55 percent of employees save passwords on sticky notes? How your employees store passwords impacts password security.

    Storing passwords in emails, in a note app on a phone, on paper notes, or in documents on a computer is a bad practice. Doing so weakens the security of passwords, even if the passwords are long and complex.

    Therefore, your password security policy must include clear guidelines for storing passwords securely. One way to do this is to use a password manager, which keeps your passwords encrypted and stored securely behind a master password.

    Though most browsers these days have a feature to store passwords, using a password manager to store passwords is a more secure option. A password manager also offers secure ways to share passwords among different users.

    • Recommend and, if possible, provide access to enterprise-grade password managers for secure password storage and sharing.
    • Educate users on the risks associated with insecure password storage methods and the benefits of using a password manager.

    Set Consequences for Policy Violators

    You have created a password security policy to secure computers and online accounts, so everyone should follow it religiously. Setting consequences for those who frequently violate the policy can be a good way to encourage all users to abide by it.

    However, you should devise constructive ways to make password policy violators understand that they have made a mistake. Harsh punishment can turn them into an insider threat.

    Provide policy violators with more awareness training sessions and encourage them to follow the password policy. But if someone repeatedly makes mistakes despite many warnings, letting them go can be the best option, as they’re risking your business.

    • Develop a tiered response to policy violations that includes education and retraining for first-time violations and escalates for repeated non-compliance.
    • Incorporate a feedback mechanism for employees to report difficulties in adhering to the policy, allowing for adjustments and accommodations.

    Update Your Password Policy Regularly

    Your password policy should not be set in stone. Instead, you should review your password policy from time to time and check whether it is succeeding at:

    • Ensuring that users create long, complex passwords
    • Preventing users from creating new passwords that are easy to hack
    • Encouraging users to change passwords frequently, as recommended in the policy
    • Preventing users from using the same password for multiple accounts
    • Schedule regular reviews of the password policy in response to emerging threats and advancements in password security practices.
    • Involve users in the review process to gain insights into practical challenges and perceptions, ensuring the policy remains both effective and user-friendly.

    Adjusting your password policy based on insights gained from regular password audits enables you to develop a strong password policy that improves password security within your business.


    Password Policy Best Practices

    The following are the best practices to maximize the success of your password policy:

    Have an Easy-to-access Password Policy

    A comprehensive password policy is essential, but its effectiveness lies in its accessibility and user-friendliness.

    Users should find the guidelines easy to understand and follow, with clear delineations between critical sections like those for generating passwords and safely storing them.

    By offering both a printed guide and a digital version, you cater to individual preferences and needs, ensuring everyone, regardless of their tech-savvy, can refer to the policy at any given time.

    Adopt a Password Management System

    In today’s interconnected digital world, an individual is often juggling multiple accounts, leading to potential password fatigue. The challenge of creating and remembering unique passwords for every account can be daunting.

    By integrating a robust password management system into your organization’s digital infrastructure, employees can bypass this challenge.

    These systems not only auto-generate strong passwords but store them securely, reducing the chances of breaches. Making the adoption of such systems mandatory significantly boosts an organization’s cybersecurity posture.


    Forbid Insecure Password Sharing

    Password sharing, while convenient for collaborative projects, can become a significant security loophole if not managed correctly.

    Often, employees might resort to insecure sharing methods, such as sending passwords through easily intercepted channels like emails or text messages.

    Promoting secure sharing methods is essential. Many leading password managers offer features that enable encrypted password sharing, allowing team members to share access without jeopardizing security.

    Implement Login Time Restrictions

    Unrestricted access to organizational systems is akin to leaving the front door unlocked. Employees should be conditioned to log in only when they’re actively using certain accounts or systems and to promptly log out afterward.

    This minimizes the window of opportunity for unauthorized access, especially in scenarios where a workstation might be left unattended. A stringent password policy will reinforce the importance of this practice, highlighting the risks of prolonged, unnecessary logins.

    Do Regular Password Audits

    Simply having a password policy isn’t enough; its real-world effectiveness needs to be gauged regularly. Through systematic password audits, an organization can assess employee adherence levels and the policy’s overall efficiency.

    These audits serve a dual purpose: they help pinpoint potential vulnerabilities, and they offer insights into areas where the policy might need revisions or updates. This proactive approach ensures that the organization’s cybersecurity measures evolve in tandem with emerging threats.

    Password Policy Do’s and Don’ts

    Do’s                                                        | Don’ts
    ------------------------------------------------------------|------------------------------------------------------
    Create passwords with at least ten characters               | Use personal information like name, DOB, job title
    Include uppercase, lowercase letters, & special characters  | Use easily guessed patterns like QWERTY or 123456
    Use misspelled words for complexity                         | Reuse the same password on multiple accounts
    Set a password expiration period                            | Store passwords in emails, note apps, or sticky notes
    Enforce Multi-factor Authentication (MFA)                   | Share passwords via text, email, or instant messages
    Use a password manager for secure storage                   | Keep systems logged in when not in use
    Update your password policy regularly                       | Ignore password policy guidelines


    What Are the NIST Password Guidelines?

    The National Institute of Standards and Technology (NIST) guidelines have evolved over the years to reflect a more user-centric approach. Among their recommendations, users should create passwords that are a minimum of eight characters in length.

    Instead of forcing users to incorporate complicated symbols and characters, NIST emphasizes password length over arbitrary complexity. They advise against mandatory periodic password changes unless there’s evidence of a breach.

    NIST also suggests allowing the ‘show password’ option to help users avoid mistakes when entering their password. Moreover, they highly recommend implementing two-factor or multi-factor authentication to add an extra layer of security.

    Are Complex Passwords As Important as Minimum Password Length?

    While complexity in passwords (such as including symbols, numbers, and both uppercase and lowercase letters) certainly helps against brute-force attacks, recent trends in cybersecurity suggest that length is a more critical factor.

    A longer password naturally increases the total number of potential combinations, making it exponentially harder to crack. However, an undue emphasis on complexity often results in users resorting to predictable patterns or writing passwords down.

    If feasible, users should be encouraged to use longer passphrases that are easy to remember but hard for automated systems to guess. When using a password manager, which takes the burden of memory off the user, combining both length and complexity is ideal.

    How Often Should Passwords Be Changed?

    Conventional wisdom once dictated that regular password changes (e.g., every 60 or 90 days) were essential. However, NIST’s revised guidelines suggest avoiding routine password changes unless there’s a specific reason, like a suspected security breach.

    Changing passwords too frequently can result in weaker passwords, as users may choose slight, predictable variations of their old passwords or even reuse them across different platforms.

    Nonetheless, it’s crucial to be proactive. Using password managers with breach notification capabilities can alert users if their passwords are compromised, prompting timely changes.

    Should Small Businesses Use a Password Manager?

    Absolutely. Cybersecurity should never be an afterthought, even for small businesses. Password managers provide many advantages, including the ability to generate strong, unique passwords for every account and securely store them in encrypted vaults.

    Furthermore, they facilitate secure password sharing, which is especially useful in collaborative environments. By centralizing password management, businesses can maintain tighter control over access to sensitive information, thereby mitigating risks.

    What Is the Ideal Password Policy?

    The ultimate password policy should strike a balance between user convenience and robust security. It would emphasize the creation of long, unique passwords or passphrases, ideally without forcing arbitrary complexity rules.

    Secure storage practices, such as using encrypted databases or reliable password managers, are essential. Promoting the use of unique passwords for each account helps ensure that a breach on one platform does not compromise others.

    Regular monitoring for breaches and compromised passwords, paired with an understanding of when (and when not) to change passwords, can round out a comprehensive, effective policy.

    Image: Envato Elements