Password / Access Policy


The strength of user passwords sets the bar for the strength of an organization's defenses against "bad guys" gaining access to valuable organizational resources. For that reason alone, it is of paramount importance that a best practice password policy is implemented and enforced.

Following are a few guidelines to consider when thinking about password and access policy for your organization:

  • Require STRONG passwords and enforce their use with technology. Educate your users so they understand that strong doesn’t have to mean difficult. Encourage them to use words that mean something to them (but not the names of family or pets) and to replace certain letters with symbols or numbers so the password is easier to remember. Mixing case is also important. The key is to find a technique and always use that technique. An example might be to always capitalize the first and last letter of the word and use "@" instead of "a" and "0" instead of "o" (e.g. P@ssw0rD).
  • Treat your passwords like you treat your underwear; change them often and don’t leave them lying around. REQUIRE regular change. There is plenty of debate around the effectiveness of requiring regular password changes but requiring changes every 90 to 120 days, in theory, should result in a more secure environment. The best example of why this might be effective is that a change thwarts the “bad guy” in a situation where an account has been compromised and is being used to snoop and steal data.
  • Bigger IS better. The longer the password, the less likely it is to be cracked. A minimum of eight characters is best practice, but if you can get away with it, push for strings in excess of 10 characters.
  • Implement a synchronization system so that a password change in one place (e.g. Active Directory) is captured and pushed to all other systems within the organization. This improves user satisfaction and increases security by ensuring that passwords are changed on a regular basis in all systems, even if some of those systems are infrequently logged into by their users.
  • Require two-factor authentication when accessing very sensitive data or when accessing data from off-site. Two-factor does NOT have to equal expensive. There are USB solutions, for example, that can be implemented and are just as effective as more expensive options. Combined with an effective password strategy, this greatly increases security because access now depends on something you have as well as something you know.
  • Educate, Educate, Educate! Make sure your user community understands that their passwords are the organization’s primary defense against valuable data loss. Passwords should never be written down nor should the password ever be a word that can be found in the dictionary (see bullet one). Users should be trained to notify the IT department (or the security team, if one exists) if they suspect that their account has been compromised. Don't forget the help-desk team either. Help-desk staff should be educated to avoid social-engineering techniques that are used every single day to acquire passwords by “tricking” support staff into resetting an account’s password and sharing that password with someone other than the account owner.
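The guidelines above can be turned into enforceable checks. The following is an added example, not code from the original page: it validates a candidate password against the stated rules (minimum eight characters, mixed case, a digit or symbol, not a dictionary word), flags passwords older than the rotation window, and decides when a second factor is required. The tiny dictionary and the 90-day window are constructed/assumed values for the demo.

```python
"""Password / access policy checks for the guidelines above (added example)."""
from datetime import date, timedelta
import string

# Constructed tiny wordlist; a real deployment would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "sunshine", "dragon", "letmein"}
MIN_LENGTH = 8           # best-practice minimum from the guidelines
RECOMMENDED_LENGTH = 11  # "in excess of 10 characters"
MAX_AGE_DAYS = 90        # lower end of the 90-120 day window (assumed)


def password_problems(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    if not (has_lower and has_upper):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("contains no digit or symbol")
    # Compare the literal string; substituted forms such as P@ssw0rD pass.
    if pw.lower() in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    return problems


def meets_recommended_length(pw: str) -> bool:
    """Advisory check: the guideline prefers more than 10 characters."""
    return len(pw) >= RECOMMENDED_LENGTH


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the rotation window."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def second_factor_required(sensitive_data: bool, off_site: bool) -> bool:
    """Two-factor is required for very sensitive data or any off-site access."""
    return sensitive_data or off_site


if __name__ == "__main__":
    for candidate in ("P@ssw0rD", "Password", "abc"):
        print(candidate, password_problems(candidate) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```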

For more information on implementing effective password and access policies and automated mechanisms to manage them, please submit your contact information and one of our sales representatives will contact you.
