Top Five Password Policy Mistakes

We’ve all done it. You are in a hurry for a lunch meeting and you want to check your email one last time and up pops a friendly, admittedly annoying, reminder that your password is about to expire. You click “OK”, check your email and dash off to lunch.

This charade continues for a few days until finally, you have to change your password. You have thought about this one long and hard (nope) and you have the perfect, most complex (simple) password that is 14 (8) characters long. Your compliance officer would be so happy (mortified) if they only knew.

Does this sound like you, because it sounds like me. Here are five password policy mistakes that we all make that are totally avoidable if we are properly educated.

1- If I make a policy, everyone will follow it.

As much as we all wish this were true, if you do not have a system in place to ensure password policy compliance, there is a good chance that many of your users are using non-compliant and/or weak passwords. This is a threat not only to the user’s workstation, but to the whole network.

2- Recycling old passwords is fine as long as it has been more than six months.

No way, man! We should never be recycling old passwords. As a wise man once said, “The past is in the past.” Let’s keep it there. Stretch those creative muscles in your brain and use something new and policy compliant.

3- Requiring at least eight characters makes passwords un-crackable.

Whoa! Who told you that? It is true that the longer a password is, the more challenging it can be to crack, but just because a password is eight characters does not mean it can’t be cracked.

4- The longer the password the better.

Okay, so I just told you the longer a password is the better, but that doesn’t mean that a long password is the best password. Passphrases are great things, but “I love my dog” is a little bit easier to crack than “J4d*V2l”.

5- The more requirements a policy has the safer it is.

Sadly, no. The more requirements your policy has, the more frustrated users will be and the less likely they will be to follow your policy.

So now what? I have just crushed all your dreams of ever having a good password policy. Fear not! I have a solution.

1- Make sure there is a way to enforce your password policy.

Just because you make a rule doesn’t mean everyone will follow it. Make sure you have a system in place that will enforce your password policy.

2- Educate users on why it is important to have a strong password (hint: to keep secrets secret).

If users don’t see a reason to have a strong password, they will be less likely to create one. Make sure your users know that there are many ways hackers can get into your network, and that having a strong password is one way to protect the company.

3- Remind users that using a memorable password that is strong is better than using a crazy password.

Having a password that has a bunch of crazy characters might make it difficult to crack, but if a user can’t remember all their crazy characters then the password is useless. Encourage users to choose passwords that they can remember, but that aren’t so easily guessed.

4- Make your policy requirements realistic.

Requiring 25 characters with three upper case letters, two numbers, and one special character might make a strong password, but it will also make your users frustrated. If you need to require a lengthy password policy, try to make it apply only to domain controllers and upper level management; this way you are protecting those that have clearance to the most data.

5- Check up on users that have not logged on in a while and make sure they have been disabled.

Users on your network that haven’t logged on for an extended period of time are one of the biggest forgotten threats. Make sure to regularly check your network and disable any users that haven’t been in use (we recommend about every quarter).

To learn about products that can help enforce a granular password policy check out

How Inactive Users can be Harming Your Network

I’ve already harped on this a few times in Top Ten Ways and Five Human Habits Hackers Exploit, but we at nFront Security feel that this topic is often overlooked and it can be a huge danger to some companies. People come and go in your company all the time; that is the way business works. Sometimes these people leave to pursue greener pastures and sometimes they leave on not so happy terms. Regardless of the circumstances, inactive users are the perfect vehicle for a hacker to gain access to your network and roam around unnoticed.

Hackers will sometimes look for people, especially upper level executives, that have left the company recently and begin their attack there. Typically a username is simple to guess; the password is where the real work comes in. Even if you have a policy in place, it is still possible to crack the password and gain access to the user’s account. Once a hacker has access to your network they are free to roam around as they please, virtually unnoticed. If you have a policy in place that will disable all inactive accounts, then this is not something you should be too worried about. However, my guess is that since you are still reading this, you don’t have an account disabler in place.

Checking for inactive accounts across all domains is an important part of a strong password policy. Make sure that your team is looking for accounts that have been inactive for a few months, and that their logon capabilities have been disabled to protect the rest of your network. Administrative accounts are the most vulnerable to this type of hacking, so it might be beneficial to check those for inactivity more often if you feel there might be some personnel changes before your set check time.

There are products on the market that can check your domain for user inactivity. Make sure you have allowed for such a product in your password policy budget, as this is usually a requirement for most industry regulations and audits. When you are purchasing these products, make sure that they can search across all servers in your organization to show you the last true login of a user. If you have multiple servers spread out across the US or internationally and your product is incapable of displaying the last true login of a user, you might end up disabling a user that logged in to the Houston server nine months ago but logged on to the Atlanta server yesterday.
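The "last true login" problem above exists because the Active Directory lastLogon attribute is updated only on the domain controller that handled the logon and is never replicated. The following is an added example (not nFront Security's product or code) that queries every domain controller in a single domain, keeps the newest lastLogon seen for each enabled user, and reports (or, when switched out of report-only mode, disables) accounts idle for longer than the quarterly window the post recommends. It assumes the ActiveDirectory PowerShell module and read access to all DCs; $InactiveDays and $ReportOnly are example settings.

```powershell
# Added example, not nFront Security's code. Finds each enabled user's true
# last logon by asking every DC, because lastLogon is not replicated.
Import-Module ActiveDirectory

$InactiveDays = 90          # example: roughly one quarter, as the post suggests
$ReportOnly   = $true       # example: set to $false to actually disable accounts
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$LastLogon = @{}            # SamAccountName -> newest lastLogon seen on any DC

foreach ($dc in $DCs) {
    try {
        Get-ADUser -Filter 'Enabled -eq $true' -Server $dc -Properties lastLogon |
            ForEach-Object {
                # lastLogon is a FILETIME integer; 0 means this DC never saw a logon
                $seen = if ($_.lastLogon) { [DateTime]::FromFileTime($_.lastLogon) }
                        else { [DateTime]::MinValue }
                $name = $_.SamAccountName
                if (-not $LastLogon.ContainsKey($name) -or $seen -gt $LastLogon[$name]) {
                    $LastLogon[$name] = $seen
                }
            }
    } catch {
        # If any DC is unreachable, an "inactive" verdict is untrustworthy
        # (the missing DC may hold yesterday's logon), so stop rather than disable.
        Write-Warning "Could not query $dc ($_); aborting to avoid disabling active users"
        return
    }
}

$Stale = $LastLogon.GetEnumerator() | Where-Object { $_.Value -lt $Cutoff } | Sort-Object Value
foreach ($entry in $Stale) {
    $when = if ($entry.Value -eq [DateTime]::MinValue) { 'never' } else { $entry.Value.ToString('yyyy-MM-dd') }
    Write-Output ("{0,-24} last true logon: {1}" -f $entry.Key, $when)
    if (-not $ReportOnly) {
        Disable-ADAccount -Identity $entry.Key
    }
}
```

Accounts that show "never" include ones created recently but not yet used, so compare against whenCreated before disabling those; in a multi-domain forest, run the loop once per domain.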

For more information on account disabling products check out nFront Security.