Recently a discussion on Spiceworks induced me to think about password policy, how we should approach it and what are the best practices. I summarized IT Pros’ comments and hereby I suggest my point of view on how password policy should be organized.
Managing access to any system usually implies a dilemma between security and convenience. Security tends to an at least two-stage authorization, long passwords, short password expiration period, high complexity, and a user’s brain as a storage. Convenience tends to just a “click to access” option without any credentials to enter. I summarized the topic answers and came up with the following compromise between security and convenience:
1. Password length, complexity and expiration period are tied with each other, and it is important to find balance between them. All in all, passwords shouldn’t be too short but also shouldn’t be too complex, so a user can keep a password in his head, not on a sticky note on the monitor. Be sure that your password consists of at least eight symbols, it is a minimum requirement for a secure password, the longer the password the less complexity it should apply, for eight symbol password complexity must contain capital and small letters, numbers and specific symbols. And if you have a 16 symbol password, specific symbols are not necessary, in this case try to create passwords that are easy to remember. The best practice for expiration period is 90 days: it forces users to change passwords every year quarter, which is pretty convenient.
2. The second thing about passwords is password history and account lockout policy. The main goal of password history is not allowing a user to have, for example, two passwords which will replace each other every time. Enforce password history to at least four passwords and make users create new password every time they need to change the old one. Account lockout policy is needed to disable brute force attacks on your user’s accounts, yes it can be frustrating for users because when they change passwords they can face difficulties with other systems, like mobile devices that still store their old password and cause account lockout, but this difficulties should be handled by IT personnel, they have all the tools for that.
3. So now you know, how to create a good password policy. But how do you convince your management, that you actually need it? The main argument is ensuring data security integrity and confidentiality of your business information in order to prevent critical data losses, scandals, financial recompenses or other undesirable consequences. Meeting requirements of compliance standards (PCI, HIPAA, SOX, etc) is yet another rationale.
So this is the main points of how to create a good password policy, may be you have your suggestion of how to do that, please share below in the comments to this blog post.