Top 5 Password Policy Mistakes
Suzanne Peck
Every day, when I speak with members of IT departments who are interested in the nFront Password Filter, a few common topics come up in our conversations. First, they mention that they have a written password policy that every employee is instructed to follow. They add that they educate their users to make smart password choices, and that they hold periodic meetings and send emails to employees covering the importance of IT security.
They hope that having a written password policy is enough, but the reports from their penetration tests tell them that employees are not following the password policy as instructed. This is one of many common password policy mistakes: we assume that all employees will follow the password policy we create. Instead, a Windows-based password filter is needed to enforce the policy, so that employees make smart password choices and keep the network secure.
The second most common topic we discuss is the optimal length of a password. There are plenty of articles you can find on Google, recommending anything from 8 characters as safe to a minimum of 15. Who is to be trusted? Most of these articles are opinion based, reflecting the authors' personal choices and beliefs. IT administrators should instruct their users to maintain a password of 15 characters or more. The reason behind this statement has to do with the way a password is stored.
The last common topic I'll discuss ties together several different password policy mistakes. IT administrators are afraid to make a strict password policy, yet feel that "the stricter the password policy, the better the password policy." A password policy needs to be strict, but only to an extent. Requiring 30+ characters and all four character sets is too strict and will cause too many headaches.
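To make the contrast concrete, here is a small filter-style model of the two policies discussed above (the 15-character minimum the post recommends beside the 30+ characters with all four character sets it calls too strict), as an added example that is not code from nFront Password Filter or from the original post; the character-set requirement attached to the recommended policy and the sample passwords are assumptions.

```python
from dataclasses import dataclass
import string

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_character_sets: int  # out of the 4 sets: lower, upper, digit, symbol

# The four character sets a typical Windows complexity rule counts.
CHARACTER_SETS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

def character_sets_used(password: str) -> int:
    """Count how many of the four character sets appear in the password."""
    return sum(any(ch in charset for ch in password) for charset in CHARACTER_SETS)

def evaluate(policy: PasswordPolicy, password: str) -> list:
    """Return the rules the password fails under this policy (empty = accepted)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"length {len(password)} < minimum {policy.min_length}")
    used = character_sets_used(password)
    if used < policy.min_character_sets:
        failures.append(f"{used} character set(s) used, policy requires {policy.min_character_sets}")
    return failures

# The post's recommendation: 15 characters or more. Requiring two of the
# four sets on top of that is an assumption made for this example.
RECOMMENDED = PasswordPolicy("recommended", min_length=15, min_character_sets=2)
# The policy the post calls too strict: 30+ characters and all four sets.
TOO_STRICT = PasswordPolicy("too strict", min_length=30, min_character_sets=4)

# Constructed sample passwords for illustration only, not real credentials.
SAMPLES = ["Tr0ub4dor&3", "Correct horse battery staple", "Long-Enough-Passphrase-With-4-Sets!!"]

def compare_policies(passwords=SAMPLES) -> dict:
    """Map each sample password to its failures under both policies."""
    return {pw: {p.name: evaluate(p, pw) for p in (RECOMMENDED, TOO_STRICT)} for pw in passwords}

if __name__ == "__main__":
    for pw, results in compare_policies().items():
        print(repr(pw))
        for policy_name, failures in results.items():
            print(f"  {policy_name}: {'accepted' if not failures else '; '.join(failures)}")
```

The output shows the short, complex password rejected by both policies on length alone, while the readable 28-character passphrase clears the recommended policy but fails the strict one twice.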