Five Tips to a Safer and Stronger Password Policy

One of the questions that I am asked weekly is: “What are a few tips that you would share for creating/enforcing a better password policy?” The question is very generic, yet very complex! Some people are asking what they should change their password policy to so that they are not hacked. Others are asking what security measures they should follow to keep their network safe. There is no easy, one-size-fits-all password policy. Many companies we work with have compliance audits (NERC, PCI, HIPAA, SOX, NIST, etc.) that they must abide by. Many of these compliance regimes require a certain number of characters, a certain number of character types (special, numeric, lower case, and upper case), as well as numerous other requirements. Beyond any necessary compliance requirements, I always recommend a password policy that requires passwords greater than 14 characters, segments your end users with different password policies, and has tools in place to effectively enforce your password policy and disable any dormant accounts.

[Read this post here for the reasoning behind having a password greater than 14 characters.]

The reason I suggest segmenting your end users is that not everyone in the company has access to sensitive data. The IT administrators and C-Suite employees should have very restrictive password policy requirements since they may have access to the entire network. However, the front desk personnel may only have generic information on their computers and don’t need to be burdened with creating a 25+ character password with all 4 character types. Leave that type of password policy for the administrators.
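To make the segmentation concrete, here is an added Python example (not code from the original post): a role-segmented policy check using the thresholds above (more than 14 characters for everyone, 25+ characters with all four character types for administrators), plus a dormant-account sweep. The 90-day idle threshold, the segment names and the sample accounts are assumptions.

```python
from datetime import datetime, timedelta

# Segment-specific policies (assumed segment names). "standard" enforces the
# post's baseline of more than 14 characters; "admin" enforces 25+ characters
# drawn from all four character types.
POLICIES = {
    "standard": {"min_length": 15, "min_char_types": 1},
    "admin":    {"min_length": 25, "min_char_types": 4},
}

def char_types(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # anything else counts as special
    ]
    return sum(classes)

def check_password(password: str, segment: str) -> list:
    """Return the list of policy violations for the segment (empty means compliant)."""
    policy = POLICIES[segment]
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"length {len(password)} < {policy['min_length']}")
    types = char_types(password)
    if types < policy["min_char_types"]:
        problems.append(f"only {types} of {policy['min_char_types']} character types")
    return problems

def dormant_accounts(accounts: dict, now: datetime, max_idle_days: int = 90) -> list:
    """Return usernames whose last logon is older than max_idle_days, or who never logged on."""
    cutoff = now - timedelta(days=max_idle_days)
    return [user for user, last in accounts.items() if last is None or last < cutoff]

# Constructed sample data (not real accounts): username -> last logon, None = never.
SAMPLE_ACCOUNTS = {
    "jsmith": datetime(2023, 9, 1),
    "frontdesk": datetime(2023, 10, 10),
    "svc_backup": None,
}
SAMPLE_NOW = datetime(2023, 10, 15)

if __name__ == "__main__":
    print(check_password("correct horse battery staple", "admin"))
    print(dormant_accounts(SAMPLE_ACCOUNTS, SAMPLE_NOW, max_idle_days=30))
```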

Below are 5 quick tips that I’d recommend to all companies who use passwords:
