If your organization hasn’t taken a good look at password security lately, you should. Your corporate data is only as secure as the weakest password that unlocks it. Anyone who works at a Fortune 1000 company can tell you that the strength of their passwords is managed, along with how often they must be changed. This article provides an overview of best practices.
Most password policies can be enforced automatically by a domain controller (on Windows networks, through Active Directory Group Policy). Once established, your policies are applied to every account without human intervention. BizTek is happy to assist you in this process.
Policies should require a minimum password length (eight characters is the common floor, but it may not be enough for your environment; longer is stronger).
Policies should have requirements on what type of password a user can choose, such as:
- The use of both upper- and lower-case letters (case sensitivity)
- Inclusion of one or more numerical digits
- Inclusion of special characters, e.g. @, #, $
- Prohibition of words found in a dictionary or the user’s personal information
- Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
- Prohibition of use of the organization name or an abbreviation
Policies can require users to change passwords periodically, e.g. every 90 or 180 days. Systems that implement such policies should keep a password history and reject a new password that is identical or too close to a previous one (for example, the old password with a trailing digit incremented).
Unlike computers, humans cannot easily delete one memory and replace it with another. Consequently, changing a memorized password is difficult, and most users fall back on predictable variations (incrementing a digit, appending the month) that are easy to guess.
If choosing between the two, requiring a very strong password and not requiring that it be changed regularly is often the better option. This approach does have a major drawback: if an unauthorized person acquires a password and uses it without being detected, that person may have access to your network for an indefinite period of time. Monitoring for unusual logins and forcing a change at the first suspicion of compromise limits that window.
Common Password Practice
Password policies often include advice on proper password management such as:
- Never share a computer account
- Never use the same password for more than one account
- Never tell a password to anyone, including people who claim to be from customer service or security
- Never write down a password (an approved password manager is the acceptable way to store one)
- Never communicate a password by telephone, e-mail, text or instant messaging
- Always log off before leaving a computer unattended
- Change passwords whenever there is suspicion that they may have been compromised
- Operating system password and application passwords should be different
- Passwords should be alpha-numeric and include a symbol
Strategies can be used to build passwords that are easy to remember while still meeting the strength requirements. Symbols and numbers can be substituted for letters in memorable words, e.g. Gun$m0ke, An!ma1Hou$3. Or a phrase can be reduced to its initials, e.g. “A penny saved is a penny earned” = Apsiape. Or both techniques can be combined, e.g. Ap$!ap3. Be aware that password-cracking tools routinely try these same substitutions (s becomes $, o becomes 0, i becomes !), so Gun$m0ke is only marginally stronger than gunsmoke; a long phrase, or the initials of a long phrase, adds more strength than symbol swaps do.
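The following Python checker is an added example, not BizTek’s code or part of the original article. It implements the composition rules listed above (length, character classes, dictionary words, personal information, date, telephone and license-plate formats, organization name), the password-history similarity check, and it shows why the symbol-for-letter substitutions in the last paragraph buy little: the dictionary check undoes them first, so Gun$m0ke and An!ma1Hou$3 are still caught. The organization name, the twelve-character minimum, the tiny word list, the date/phone/plate regular expressions, the substitution table and the 80% similarity threshold are all assumptions chosen for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample policy parameters (assumptions for this example, not real BizTek values).
ORG_NAME = "biztek"
MIN_LENGTH = 12                       # stricter than the eight-character floor the article mentions
HISTORY_SIMILARITY = 0.8              # reject if at least 80% similar to a previous password
DICTIONARY = {"password", "gunsmoke", "animalhouse", "welcome", "summer", "penny"}  # tiny constructed list

# Common symbol/digit-for-letter substitutions, reversed, so "Gun$m0ke" normalises to "gunsmoke".
LEET = str.maketrans({"$": "s", "0": "o", "1": "l", "3": "e", "!": "i",
                      "@": "a", "4": "a", "5": "s", "7": "t"})

# Heuristic formats (assumptions): YYYYMMDD or MMDDYYYY dates, 7+ digit phone numbers,
# and ABC-1234 / 1234-ABC style plates that make up the whole password.
DATE_RE = re.compile(r"(?:19|20)\d{2}[01]\d[0-3]\d|[01]\d[0-3]\d(?:19|20)\d{2}")
PHONE_RE = re.compile(r"\d{7,}")
PLATE_RE = re.compile(r"[A-Z]{1,3}[ -]?\d{3,4}|\d{3,4}[ -]?[A-Z]{1,3}")


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so dictionary checks see the underlying word."""
    return pw.lower().translate(LEET)


def check_password(pw: str, previous=(), personal=()) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")

    norm = normalize(pw)
    if any(word in norm for word in DICTIONARY):
        problems.append("contains a dictionary word (after undoing substitutions)")
    if ORG_NAME in norm:
        problems.append("contains the organisation name")
    for item in personal:                      # e.g. user name, surname, birthplace
        if len(item) >= 3 and item.lower() in norm:
            problems.append(f"contains personal information ({item})")

    # Collapse separators between digits so 12/25/1999 and 555-123-4567 are seen as digit runs.
    collapsed = re.sub(r"(?<=\d)[ /.\-](?=\d)", "", pw)
    if DATE_RE.search(collapsed):
        problems.append("looks like a calendar date")
    elif PHONE_RE.search(collapsed):
        problems.append("looks like a telephone number")
    if PLATE_RE.fullmatch(pw.upper()):
        problems.append("matches a license-plate pattern")

    # Password history: compare normalised forms so a one-character tweak of the old password is caught.
    for old in previous:
        if SequenceMatcher(None, norm, normalize(old)).ratio() >= HISTORY_SIMILARITY:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the article's own substitution examples.
    samples = ["Gun$m0ke", "An!ma1Hou$3", "Ap$!ap3", "BizTek#Rocks2024!",
               "Jane12/25/1999!", "ABC-1234", "Mango*Lamp-Orbit47"]
    for pw in samples:
        print(f"{pw!r:24} {check_password(pw, personal=['Jane']) or 'OK'}")
    # History check: a digit incremented on an otherwise accepted password is rejected.
    print(check_password("Mango*Lamp-Orbit47", previous=["Mango*Lamp-Orbit46"]))
```

Running it shows that the acronym Ap$!ap3 satisfies every composition rule and fails only on length, while both substitution examples are rejected as dictionary words once the substitutions are reversed. The history comparison works on the normalised form for the same reason: Gun$m0ke followed by Gun$m0ke1 should not count as a change.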