From the DATASHIELD Resource Library:
Learn some of the basic considerations when establishing a strong password policy for your organization. Find out some of the best practices and industry standards when it comes to user access and a password policy framework.
Oct 30, 2019
Most places of business require that their employees access their facilities by using a key or keycard. In many ways, passwords are the keys by which employees access their workplace network. With physical office keys or card readers, proper policies and procedures must be implemented to ensure that unauthorized access does not occur. The same holds true with successful password policies for organizations.
Cybersecurity as a topic of discussion is growing more popular each day due to the increasing number of attacks and breaches that occur. Companies are not the only victims; entire cities have been hit as well. Such attacks often begin with a cybercriminal stealing passwords from unsuspecting or untrained employees. Typically, a thief only needs a single opening to access everything of value in a place of business. Similarly, once a hacker has control of a single key (or login credential), they can exploit that entry point to reach a company’s entire network. The damage is far greater if the compromised account belongs to a system administrator.
Listed below are nine key dimensions of a good password security framework that you can implement in your organization.
This may seem basic, but simple passwords are easily compromised. Enforcing complexity requirements is a good first step in stopping brute-force attempts. You can require that all users create passwords that do not reference the user’s legal name or username. Robust passwords also combine symbols, numbers, and upper- and lower-case letters.
You can boost the robustness of passwords within your organization by setting a minimum character length. A common practice is a minimum of eight characters; a minimum of 14 characters is becoming the better standard.
Domain administrators’ accounts require greater protection. In such cases, passphrases (with a 15-character minimum length) are easier to remember and type, but harder to guess or crack.
For greater protection, it is common to require passwords to be reset at set intervals. The interval can also be shortened for more critical functions within the organization.
Recycling is good for the environment, but not for your company’s password management! Enforcing a password history requirement limits how soon an old password can be reused. Setting a minimum, such as disallowing the previous five passwords, helps avoid the overuse of “favorite” ones.
Sometimes employees will temporarily change a password and then switch back to a familiar one. Requiring each password to be held for three to seven days eliminates this issue. However, your IT support should be able to change a compromised password even before the minimum age has elapsed. Setting a maximum password age also helps with network security. Usually, this is set anywhere from 90 days for passwords to 180 days for passphrases.
You will need to track your team’s compliance with the password security policy. An audit will monitor password modifications to ensure compliance and to highlight and correct weak access points.
Your team is likely to forget to comply with the company’s password policy on their own. Send email notifications to remind them to change their passwords before they expire.
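The rules above (length floors, no username or legal name, character mix, a five-password history, a minimum age with an IT override for compromised passwords, and 90/180-day maximums feeding an expiry reminder) can be expressed as one small policy engine. The following is an added example written for this article, not DATASHIELD's own code or tooling; the numeric values come from the text, while the "three or more words counts as a passphrase", "all four character classes", and "administrators must use a passphrase" rules are assumptions made here for illustration.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class PasswordPolicy:
    # Values from the article; word-count and class-mix rules are assumptions.
    min_length: int = 14               # 8 is the common floor, 14 the better standard
    admin_min_length: int = 15         # domain admins: 15-character passphrases
    history_depth: int = 5             # previous five passwords are blocked
    min_age_days: int = 3              # hold a new password for 3-7 days
    max_age_days: int = 90             # passwords expire at 90 days
    passphrase_max_age_days: int = 180 # passphrases expire at 180 days
    passphrase_min_words: int = 3      # assumption: 3+ words is a passphrase


@dataclass
class Account:
    username: str
    legal_name: str
    is_admin: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # salted hashes, newest last
    last_changed: Optional[date] = None
    current_max_age: int = 0


def _hash(account: Account, secret: str) -> bytes:
    # History is kept as salted PBKDF2 hashes, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), account.salt, 100_000)


def is_passphrase(candidate: str, policy: PasswordPolicy) -> bool:
    return len(candidate.split()) >= policy.passphrase_min_words


def check_candidate(account: Account, candidate: str,
                    policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    required = policy.admin_min_length if account.is_admin else policy.min_length
    if len(candidate) < required:
        problems.append(f"shorter than {required} characters")
    if account.is_admin and not is_passphrase(candidate, policy):
        problems.append("administrator accounts must use a passphrase")
    # Reject anything containing the username or a part of the legal name.
    lowered = candidate.lower()
    banned = [account.username.lower()] + [
        part.lower() for part in account.legal_name.split() if len(part) >= 3]
    if any(token in lowered for token in banned):
        problems.append("contains the username or legal name")
    # Plain passwords must mix all four classes; passphrases rely on length.
    if not is_passphrase(candidate, policy):
        classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
        if sum(bool(re.search(p, candidate)) for p in classes) < 4:
            problems.append("needs upper, lower, digit and symbol characters")
    if _hash(account, candidate) in account.history[-policy.history_depth:]:
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


def change_password(account: Account, candidate: str, today: date,
                    policy: PasswordPolicy = PasswordPolicy(),
                    compromised: bool = False) -> bool:
    """Apply the change if the policy allows it; True on success."""
    if (account.last_changed is not None and not compromised
            and (today - account.last_changed).days < policy.min_age_days):
        return False  # minimum age not met; IT overrides only for compromised passwords
    if check_candidate(account, candidate, policy):
        return False
    account.history.append(_hash(account, candidate))
    account.history = account.history[-policy.history_depth:]
    account.last_changed = today
    account.current_max_age = (policy.passphrase_max_age_days
                               if is_passphrase(candidate, policy)
                               else policy.max_age_days)
    return True


def days_until_expiry(account: Account, today: date) -> int:
    """Negative means the password has already expired."""
    if account.last_changed is None:
        return 0
    return account.current_max_age - (today - account.last_changed).days


def expiry_reminders(accounts: List[Account], today: date,
                     warn_days: int = 14) -> List[str]:
    """Usernames that should receive a 'change your password' reminder."""
    return [a.username for a in accounts
            if 0 <= days_until_expiry(a, today) <= warn_days]


if __name__ == "__main__":
    # Constructed sample accounts for a quick demonstration.
    alice = Account("alice", "Alice Example")
    print(check_candidate(alice, "Alice!Rocks2019x"))   # name reuse rejected
    print(change_password(alice, "Tr0ub4dor&3xyzQ", date(2019, 10, 30)))
```

The audit step from the policy maps onto the same data: a nightly job can call `check_candidate` against proposed changes, log every rejection reason, and feed `expiry_reminders` into the notification emails described above.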
We believe that, on top of all these basic tips, you really need to keep track of two elements to develop an effective password security policy for your organization.
Training - It is essential to train everyone on your team on how to establish and maintain strong passwords. This training should be a mandatory part of the on-boarding process for new employees and should be repeated for existing employees as well. Your company's IT department (or service provider) will be able to help you set the security requirements to ensure only robust passwords are accepted. Cybersecurity should be a part of your organizational culture to ensure full adoption and application of best practices.
Tools - The second element is the tools that are available to you and your team. As mentioned before, passphrases can be used to boost the complexity requirement. However, it can be difficult to remember unique, robust passwords (or passphrases) for every portal that is accessed. So in such instances, electronic password managers can be worth the investment. Password managers store each user’s passwords for all their websites and enable safe automatic logins. Your passwords are encrypted in a secure virtual vault with a single key, a master password. This master password is the only thing you need to remember for all your websites and portals.
Therefore, the training and tools dimensions work together to help you coordinate your team to become aware of and consistently practice good password security requirements.
Two-Factor Authentication - Another item to consider, while not covered in detail here, is the adoption of Two-Factor Authentication (2FA) to pair with a strong password policy. 2FA requires an employee to use an additional device or verification point to confirm that the person logging in with a valid password is actually the account holder. It is one extra step in helping to create a strong security posture.
Creating and implementing a comprehensive password security policy will help secure your organization’s assets. We believe that it’s far better to take preventative action to prevent and prepare for possible breaches, rather than to expend considerable resources trying to figure out what happened after the fact. At DATASHIELD we offer our premier Cybersecurity Resilience Platform to all our clients. Contact Us today for a customized cybersecurity plan for your organization.