Does your employee handbook have a password policy?

What Is a Password Policy?

Data is at the heart of every modern organization, and passwords are a key component of accessing that data. A password policy is a crucial component of ensuring cybersecurity within your business, and your HR consultant or team should implement one in collaboration with your IT team. It comprises a set of guidelines aimed at guiding everyone in the company to create robust passwords and use them effectively, thereby enhancing both computer and online security.

Importance of Password Policies

Implementing a strong password policy is critical for several reasons:

1. Preventing Password Reuse: Password policies discourage the unsafe practice of reusing passwords across multiple accounts, a common security blunder.

2. Multi-factor Authentication (MFA): Enforcing MFA through a robust password policy helps minimize various security risks, adding an extra layer of protection against unauthorized access.

3. Creating Complex Passwords: By cultivating a culture of using complex passwords, the policy safeguards against brute force attacks and other password-related security threats.

4. Building Trust: A strong password policy signals to customers and vendors that your business is dedicated to safeguarding sensitive information, fostering trust in your cybersecurity measures as well as in your organization.

5. Cultivating Cybersecurity Culture: In the contemporary landscape, where small businesses are increasingly targeted by cyber threats, a password policy contributes to building a cybersecurity culture, a necessity in today's world.

How to Create a Standard Password Policy

1. Set Password Complexity Requirements

System administrators or IT departments should establish clear guidelines for password complexity. Key requirements include:

- Passwords should be a minimum of ten characters long.

- Inclusion of uppercase letters, lowercase letters, and special characters.

- Not relying on common character substitutions as a way of adding complexity.

2. Create a Password Deny List

In addition to specifying what users should do, the password policy should outline prohibitions. The deny list includes:

- Avoiding person-related information such as names, birthdates, or job titles.

- Prohibiting the use of easily guessable patterns and common passwords.

3. Set a Password Expiration Period

Implementing a password expiration period enhances security by preventing the use of leaked passwords. A suggested period is three months, but adjustments can be made based on business needs. Many businesses use 120 days as a standard.

4. Enforce Multi-factor Authentication

MFA adds an extra layer of security, rendering stolen login credentials insufficient for unauthorized access. The password policy should mandate MFA for all applicable accounts.

5. Include Account Lockout Threshold

Setting an account lockout threshold after a specified number of failed login attempts protects against brute force attacks. A recommended threshold is five failed attempts with a 15-minute lockout period.

6. Provide Guidelines on How to Store Passwords

Guidelines should discourage insecure password storage practices, such as using sticky notes or storing passwords in emails. Encouraging the use of password managers for secure storage is recommended.

7. Set Consequences for Policy Violators

While encouraging compliance, the password policy should establish consequences for repeated violations. Tiered responses, including education and retraining, should be in place.

8. Update Your Password Policy Regularly

Regular reviews and updates of the password policy ensure its ongoing effectiveness, as do password policy compliance audits. Periodic evaluations help in adapting the policy to emerging threats and evolving security practices.
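As an added example (not code from the original post), here is a small Python checker that implements the numbers this article recommends: the ten-character minimum, character-class mix and deny list from steps 1 and 2, and the five-attempt, 15-minute lockout from step 5. The deny-list entries beyond QWERTY and 123456, the substitution table, and the account names used in testing are constructed assumptions.

```python
import re
import time

MIN_LENGTH = 10            # article: passwords at least ten characters long
LOCKOUT_THRESHOLD = 5      # article: lock after five failed attempts
LOCKOUT_SECONDS = 15 * 60  # article: 15-minute lockout period
COMMON_PATTERNS = ("qwerty", "123456", "password", "letmein")  # constructed deny list
_UNSUBSTITUTE = str.maketrans("@301$!", "aeolsi")  # undo @->a 3->e 0->o 1->l $->s !->i

def check_password(candidate, personal_info=()):
    """List policy violations; personal_info holds the user's names, birthdates, job titles."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    # Deny-list matching runs on the raw and the de-substituted lowercase forms, so "P@ssw0rd" is caught.
    variants = (candidate.lower(), candidate.lower().translate(_UNSUBSTITUTE))
    denied = COMMON_PATTERNS + tuple(p.lower() for p in personal_info if len(p) >= 3)
    for entry in denied:
        if any(entry in v for v in variants):
            problems.append(f"contains deny-listed value '{entry}'")
    return problems

class LockoutTracker:
    """Per-account consecutive-failure counter with a time-based lockout."""
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the behaviour can be exercised offline
        self._failures, self._locked_until = {}, {}  # account -> streak, account -> lock expiry

    def is_locked(self, account):
        return self._clock() < self._locked_until.get(account, 0)

    def record_failure(self, account):
        """Count a failed login; return True if the account is (or is now) locked."""
        if self.is_locked(account):
            return True  # attempts during a lockout are rejected, not counted
        count = self._failures.get(account, 0) + 1
        if count >= LOCKOUT_THRESHOLD:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            count = 0  # streak restarts once the lockout expires
        self._failures[account] = count
        return count == 0

    def record_success(self, account):
        self._failures.pop(account, None)  # a good login clears the failure streak
```

A real deployment would keep the failure counters in shared storage rather than in memory, so that the threshold holds across several login servers.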

Password Policy Best Practices

1. Have an Easy-to-access Password Policy

The effectiveness of a comprehensive password policy lies in its accessibility and user-friendliness. Clear guidelines, available in both print and digital formats, cater to various user preferences. Highlight the password policy frequently on your intranet, Slack, and other internal communication platforms.

2. Adopt a Password Management System

Integration of a password management system helps alleviate the challenge of creating and remembering unique passwords. Mandatory adoption of these systems enhances overall cybersecurity. We recommend the organization select and adopt one that your IT team feels best meets your needs.

3. Forbid Insecure Password Sharing

Encouraging secure methods of password sharing, such as encrypted password sharing through reputable password managers, prevents security loopholes.

4. Implement Login Time Restrictions

Conditioning employees to log in only when necessary reduces the window of opportunity for unauthorized access. A stringent password policy reinforces the importance of timely logouts.

5. Do Regular Password Audits

Regular password audits gauge the real-world effectiveness of the policy, identifying vulnerabilities and areas for improvement. Proactive measures, informed by audit insights, ensure evolving cybersecurity measures.

Password Policy Do's and Don'ts

Do's:

  • Create passwords with at least ten characters.

  • Include uppercase, lowercase letters, and special characters.

  • Use misspelled words for complexity.

  • Set a password expiration period.

  • Enforce Multi-factor Authentication (MFA).

  • Use a password manager for secure storage.

  • Update your password policy regularly.

Don'ts:

  • Use personal information like name, DOB, job title.

  • Use easily guessed patterns like QWERTY or 123456.

  • Reuse the same password on multiple accounts.

  • Store passwords in emails, note apps, or sticky notes.

  • Share passwords via text, email, or instant messages.

  • Keep systems logged in when not in use.

  • Ignore password policy guidelines.

What Are the NIST Password Guidelines?

The National Institute of Standards and Technology (NIST) recommends a minimum password length of eight characters. They emphasize password length over arbitrary complexity, discourage routine password changes, and advocate for the implementation of two-factor or multi-factor authentication for added security.

Are Complex Passwords As Important as Minimum Password Length?

While complexity aids against brute-force attacks, recent trends suggest that length is more critical. A longer password increases potential combinations, making it exponentially harder to crack. Encouraging users to use longer passphrases, combining length and complexity, is ideal, especially when using a password manager.

How Often Should Passwords Be Changed?

NIST suggests avoiding routine password changes unless there's evidence of a breach. Changing passwords too often may lead to weaker passwords. Using password managers with breach notification capabilities helps prompt timely changes when necessary.

Should Small Businesses Use a Password Manager?

Absolutely. Password managers offer benefits even for small businesses, including generating strong, unique passwords and secure storage. They facilitate secure password sharing and centralize password management, enhancing overall cybersecurity.

What Is the Ideal Password Policy?

The ultimate password policy balances user convenience and robust security. It emphasizes creating long, unique passwords or passphrases, secure storage practices, regular monitoring for breaches, and adapting to emerging threats.

Alex Santos
As Managing Member of Collabor8 Learning, my role is to build and execute learning and development strategies for organizations seeking to improve the return they are getting from their training programs. We focus on four core areas: performance analysis, instructional design, e-learning development, and learning management. As a hybrid HR/instructional design consultancy, Collabor8 Learning partners with your team to leverage today's training technologies to increase the productivity of your people. I am a senior human resources and training executive with over 17 years of progressive experience. My work in private industry has focused heavily on the development of learning and development systems that transform employee performance from ordinary, to remarkable. I accomplish this by combining organizational development strategies and tactics to blended learning programs with line of sight alignment to clearly defined performance goals. Additionally, I launched Miami Payroll Center in conjunction with my brother and sister-in-law in 2004 to meet the payroll needs of small to mid-size organizations. Our consultative approach to guiding new entrepreneurs as well as more seasoned business owners in alleviating the pain of payroll processing has created a very successful and growing payroll processor in the market. Specialties: Instructional Systems Design, E-Learning, Learning Management Systems, Payroll, Organizational Development, Employee engagement, HR Strategic Planning, Talent Acquisition & Management, Leadership Development, Coaching & Mentoring, Employment Branding Proposition & Positioning, Workforce Planning, Performance Management, and Leadership Development.
https://www.bynimble.com