Does your employee handbook have a password policy?
What Is a Password Policy?
Data is at the heart of every modern organization, and passwords are a key component to accessing that data. A password policy is a crucial component of ensuring cybersecurity within your business, and your HR Consultant or team should implement one in collaboratipon with your IT team. It comprises a set of guidelines aimed at guiding everyone in the company to create robust passwords and utilize them effectively, thereby enhancing both computer and online security.
Importance of Password Policies
Implementing a strong password policy is critical for several reasons:
1. Preventing Password Reuse: Password policies discourage the unsafe practice of reusing passwords across multiple accounts, a common security blunder.
2. Multi-factor Authentication (MFA): Enforcing MFA through a robust password policy helps minimize various security risks, adding an extra layer of protection against unauthorized access.
3. Creating Complex Passwords: By cultivating a culture of using complex passwords, the policy safeguards against brute force attacks and other password-related security threats.
4. Building Trust: A strong password policy signals to customers and vendors that your business is dedicated to safeguarding sensitive information, fostering trust in your cybersecurity measures as well as in your organization.
5. Cultivating Cybersecurity Culture: In the contemporary landscape, where small businesses are increasingly targeted by cyber threats, a password policy contributes to building a cybersecurity culture, a necessity in today's world.
How to Create a Standard Password Policy
1. Set Password Complexity Requirements
System administrators or IT departments should establish clear guidelines for password complexity. Key requirements include:
- Passwords should be a minimum of ten characters long.
- Inclusion of uppercase letters, lowercase letters, and special characters.
- Avoidance of common substitutions for increased complexity.
2. Create a Password Deny List
In addition to specifying what users should do, the password policy should outline prohibitions. The deny list includes:
- Avoiding person-related information such as names, birthdates, or job titles.
- Prohibiting the use of easily guessable patterns and common passwords.
3. Set a Password Expiration Period
Implementing a password expiration period enhances security by preventing the use of leaked passwords. A suggested period is three months, but adjustments can be made based on business needs. Many businesses use 120 days as a standard.
4. Enforce Multi-factor Authentication
MFA adds an extra layer of security, rendering stolen login credentials insufficient for unauthorized access. The password policy should mandate MFA for all applicable accounts.
5. Include Account Lockout Threshold
Setting an account lockout threshold after a specified number of failed login attempts protects against brute force attacks. A recommended threshold is five failed attempts with a 15-minute lockout period.
6. Provide Guidelines on How to Store Passwords
Guidelines should discourage insecure password storage practices, such as using sticky notes or storing passwords in emails. Encouraging the use of password managers for secure storage is recommended.
7. Set Consequences for Policy Violators
While encouraging compliance, the password policy should establish consequences for repeated violations. Tiered responses, including education and retraining, should be in place.
8. Update Your Password Policy Regularly
Regular reviews and updates of the password policy ensure its ongoing effectiveness, ass do password policy compliance audits. Periodic evaluations help in adapting the policy to emerging threats and evolving security practices.
Password Policy Best Practices
1. Have an Easy-to-access Password Policy
The effectiveness of a comprehensive password policy lies in its accessibility and user-friendliness. Clear guidelines, available in both print and digital formats, cater to various user preferences. Highlight the password policy frequently on your intranet, Slack, and other internal communication platforms.
2. Adopt a Password Management System
Integration of a password management system helps alleviate the challenge of creating and remembering unique passwords. Mandatory adoption of these systems enhances overall cybersecurity. We recommend the organization select and adopt one that your IT team feels best meets your needs.
3. Forbid Insecure Password Sharing
Encouraging secure methods of password sharing, such as encrypted password sharing through reputable password managers, prevents security loopholes.
4. Implement Login Time Restrictions
Conditioning employees to log in only when necessary reduces the window of opportunity for unauthorized access. A stringent password policy reinforces the importance of timely logouts.
5. Do Regular Password Audits
Regular password audits gauge the real-world effectiveness of the policy, identifying vulnerabilities and areas for improvement. Proactive measures, informed by audit insights, ensure evolving cybersecurity measures.
Password Policy Do's and Don'ts
Do's:
Create passwords with at least ten characters.
Include uppercase, lowercase letters, and special characters.
Use misspelled words for complexity.
Set a password expiration period.
Enforce Multi-factor Authentication (MFA).
Use a password manager for secure storage.
Update your password policy regularly.
Don'ts:
Use personal information like name, DOB, job title.
Use easily guessed patterns like QWERTY or 123456.
Reuse the same password on multiple accounts.
Store passwords in emails, note apps, or sticky notes.
Share passwords via text, email, or instant messages.
Keep systems logged in when not in use.
Ignore password policy guidelines.
What Are the NIST Password Guidelines?
The National Institute of Standards and Technology (NIST) recommends a minimum password length of eight characters. They emphasize password length over arbitrary complexity, discourage routine password changes, and advocate for the implementation of two-factor or multi-factor authentication for added security.
Are Complex Passwords As Important as Minimum Password Length?
While complexity aids against brute-force attacks, recent trends suggest that length is more critical. A longer password increases potential combinations, making it exponentially harder to crack. Encouraging users to use longer passphrases, combining length and complexity, is ideal, especially when using a password manager.
How Often Should Passwords Be Changed?
NIST suggests avoiding routine password changes unless there's evidence of a breach. Changing passwords too often may lead to weaker passwords. Using password managers with breach notification capabilities helps prompt timely changes when necessary.
Should Small Businesses Use a Password Manager?
Absolutely. Password managers offer benefits even for small businesses, including generating strong, unique passwords and secure storage. They facilitate secure password sharing and centralize password management, enhancing overall cybersecurity.
What Is the Ideal Password Policy?
The ultimate password policy balances user convenience and robust security. It emphasizes creating long, unique passwords or passphrases, secure storage practices, regular monitoring for breaches, and adapting to emerging threats.