A wizard will lock his knowledge behind complex incantations and spells; a cyber wizard will use a good password. A password management policy has become a vital tool for organizations seeking to secure their information environment.
Thankfully it doesn’t take a wizard to implement a well-designed password management policy.
Weak or reused passwords are the cyberattacker's best friend, with weak or stolen credentials being the number one reason for data breaches. Even low-privilege accounts matter: attackers often exploit weak passwords on them to gain a foothold, then use that access as a stepping stone to higher-privilege accounts.
What is a Password Management Policy?
A password management policy is a document that sets out how the credentials of employees, contractors, and other users are to be created, used, disabled, and deleted. That is a simplification; in this section we break down the policy's purpose and some general requirements that are not industry-specific.
The purpose of the policy should be stated at the beginning of the document. It can be general, for example improving the organization's overall security posture through policy, or specific, for example meeting a requirement laid down by a regulation that the whole industry must adhere to.
The purpose is entirely dependent on the organization itself. Making the purpose meaningful makes it easier for staff to follow. The last thing you want is a useless policy that lowers the morale of the workforce.
Most password management policies have some general guidelines that can be applied to a wide array of organizations and industries. In this section, we will discuss some of the general requirements that are applicable to most policies.
RSI Security always advises you to hire a specialist if you are unsure of how to design a password management policy that might require compliance measures, or any other specific cybersecurity-related activity.
- Ban the use of dictionary words
The organization should avoid, or outright ban, the use of any dictionary word. Dictionary words are words with meanings, such as "apple" or "Wizard". The reason is that words are far easier to guess than random strings. Attackers rarely start with an exhaustive brute force; they first run a dictionary attack that tries wordlists, leaked passwords, and common variants (capitalized, with digits or a symbol appended, with "a" swapped for "@") before moving on to longer random character strings.
- Don’t use sequences
In the same vein as dictionary words, the policy should ban sequential strings. Sequences in a password look like "123" or "abc", including keyboard runs such as "qwe". Like dictionary words, these are among the first things a guessing tool tries; "12345678" and "qwerty" are consistently among the world's most common passwords.
- Limit Login Attempts
A simple way to stop online brute-force attacks is to limit the login attempts for user accounts. A common standard is to lock the account after a small number of consecutive failed attempts (three to five) for a set period; some organizations use a 24-hour lockout before the account is reactivated. Two caveats a practitioner will want: a long lockout lets an attacker deliberately lock real users out of their accounts by entering wrong passwords on purpose, so shorter lockouts or escalating delays are often preferable; and the limit should be counted inside a time window and paired with rate limiting per source address, otherwise a slow attack spread over days never trips it.
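The lockout mechanism described above, as an added example that is not part of the original article: a per-account failure counter with a sliding window and a temporary lockout, written in Python. The policy values (three failures in fifteen minutes, fifteen-minute lockout), the account name and the password are constructed for the example; the clock is injectable so the behaviour can be exercised without waiting.

```python
from __future__ import annotations

import time
from collections import defaultdict, deque
from typing import Callable

# Hypothetical policy values for this example: lock after three failures inside a
# 15-minute window, for 15 minutes. A shorter lockout than 24 hours limits how
# badly an attacker can deny service to legitimate users by entering wrong passwords.
MAX_FAILURES = 3
FAILURE_WINDOW = 15 * 60
LOCKOUT_SECONDS = 15 * 60


class LoginThrottle:
    """Counts failed logins per account in a sliding window and locks the account.

    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_failures: int = MAX_FAILURES, window: float = FAILURE_WINDOW,
                 lockout: float = LOCKOUT_SECONDS, clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures: dict[str, deque] = defaultdict(deque)  # account -> failure timestamps
        self._locked_until: dict[str, float] = {}

    def seconds_until_unlock(self, account: str) -> float:
        """0 when the account is open; otherwise the remaining lockout time."""
        until = self._locked_until.get(account)
        if until is None:
            return 0.0
        remaining = until - self.clock()
        if remaining <= 0:
            del self._locked_until[account]      # lockout expired: start with a clean slate
            self._failures[account].clear()
            return 0.0
        return remaining

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; returns True if this one triggered a lockout."""
        now = self.clock()
        stamps = self._failures[account]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:   # forget failures outside the window
            stamps.popleft()
        if len(stamps) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            stamps.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures[account].clear()


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Returns 'locked', 'ok' or 'failed'. `verify` is the real credential check
    (normally a salted hash comparison); it is not even called while the account is locked."""
    if throttle.seconds_until_unlock(account) > 0:
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "failed"


if __name__ == "__main__":
    # Constructed demo credential; a real verify() would compare a salted hash.
    def demo_verify(account: str, password: str) -> bool:
        return account == "alice" and password == "correct horse battery staple"

    throttle = LoginThrottle()
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(guess, "->", attempt_login(throttle, "alice", guess, demo_verify))
```

Note that the correct password is rejected with "locked" once the limit is hit, which is exactly the denial-of-service risk mentioned above; the login form should return the same generic error for an unknown account as for a wrong password so the lockout cannot be used to confirm which usernames exist.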
- Complex password character requirements
The organization should only allow strong passwords. The traditional rule is at least one uppercase letter, one lowercase letter, one digit, and one special character, with a minimum of 8 characters. Treat 8 as a floor, not a target: length adds more strength than symbol rules, and current NIST guidance (SP 800-63B) favors long passphrases and screening against lists of known-breached passwords over strict composition rules, which tend to produce predictable patterns such as a capital first letter and a trailing "1!". Passwords may eventually be replaced, but for now most systems still depend on them, so to avoid breaches the organization should require strong ones.
It is also best not to use passwords that are personal to the user, however complex they may be. This is to avoid social engineering attacks in which an attacker guesses the password from elements of the user's personal life, such as pet names, birthdays, or a favorite team.
- Setting minimum and maximum password age
Setting an age limit on passwords ensures that they are cycled out every so often, so that an old credential that has leaked does not remain a liability indefinitely. Many organizations still use a standard of 60-90 days for maximum password age. Note, however, that NIST SP 800-63B now advises against forcing periodic changes, because users respond with predictable increments ("Summer2023!" becoming "Autumn2023!"); the current recommendation is to require a change when there is evidence of compromise and otherwise let a strong password stand.
The minimum password age exists so account holders cannot simply change the password and then immediately revert to the old one, which would defeat the reuse check. Combined with a history of previous password hashes, this limits reused passwords.
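The requirements listed above (no dictionary words, no sequences, character classes and minimum length, no personal information, and the reuse check that a password history makes possible), as an added example in Python that is not part of the original article. The word list, the leetspeak table, the user names and the sample passwords are constructed for the example; a real deployment would load a full dictionary and a breached-password list from disk.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from typing import Iterable, List, Optional, Tuple

# Constructed, deliberately tiny word list for this example.
DICTIONARY_WORDS = {"apple", "wizard", "password", "welcome", "dragon", "summer", "monkey", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES = [string.ascii_lowercase, string.digits] + KEYBOARD_ROWS

MIN_LENGTH = 8   # the article's floor; length adds more strength than symbol rules
MIN_RUN = 3      # runs such as "123", "abc" or "qwe" are rejected

# Partial leetspeak table so "p@ssw0rd" is still recognised as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def has_sequence(password: str, min_run: int = MIN_RUN) -> bool:
    """True if the password contains an ascending or descending run of min_run
    characters taken from the alphabet, the digits or a keyboard row."""
    lower = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - min_run + 1):
            run = seq[i:i + min_run]
            if run in lower or run[::-1] in lower:
                return True
    return False


def contains_dictionary_word(password: str) -> bool:
    """True if a dictionary word appears anywhere in the password, before or after
    undoing common substitutions (so 'Apple2023!' and 'p@ssw0rd' both fail)."""
    lower = password.lower()
    candidates = (lower, lower.translate(_LEET))
    return any(word in c for word in DICTIONARY_WORDS for c in candidates)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the (salt, digest) pair is what the history list stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_password(password: str, personal_terms: Iterable[str] = (),
                   previous_hashes: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return every policy violation; an empty list means the password is accepted.

    personal_terms:  username, real name, birth year and so on that must not appear.
    previous_hashes: (salt, digest) pairs of the user's recent passwords, for the reuse check.
    """
    problems: List[str] = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if has_sequence(password):
        problems.append("contains a sequence such as 123, abc or qwe")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lower:
            problems.append(f"contains personal information ({term})")
    for salt, digest in previous_hashes:
        # Re-derive with the stored salt; compare_digest avoids a timing side channel.
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reuses a recent password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: the user's previous password is kept only as a salted hash.
    history = [hash_password("S3cure!Horse9")]
    for candidate in ("Password123!", "Xk9#mAlice77", "S3cure!Horse9", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, ["alice", "1990"], history) or "accepted")
```

Storing history as salted hashes, rather than the old passwords themselves, matters: a leaked history table must not hand an attacker a list of passwords the user probably still uses elsewhere.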
- Multi-factor Authentication (MFA)
This requirement is quickly becoming the norm, even for private individuals. Organizations should be using MFA, or at least two-factor authentication (2FA), for all accounts. 2FA is simply MFA with exactly two factors: one more step before a successful login, which could be:
- A one-time code generator: usually an app or hardware device that produces a short numeric code, tied to a secret held on that device, which must be entered when logging in.
- A push notification or hardware security key: a prompt on a registered phone, or a physical key that must be present.
- Biometric: something like voice verification, face verification, or fingerprint verification.
Note that a secondary passphrase, however long, is the same kind of factor as the password (something you know), so password plus passphrase does not count as two factors. Genuine MFA means two or more factors from different categories:
- Something you know: a password, passphrase, or PIN.
- Something you have: a code-generating app, a hardware token, or a registered phone.
- Something you are: biometric data, like voice verification or fingerprint verification.
Location (for example, a GPS position or the office network's address range) is not a factor on its own; it is a contextual signal that risk-based authentication uses to decide when to demand an extra factor.
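The code-generating app in the list above is the "something you have" factor in practice: the phone holds a shared secret and derives a six-digit code from it and the current time. As an added example that is not part of the original article, here is the server side of that exchange in Python, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with a one-step clock-drift window and replay protection. The secret is the RFC test-vector key; the user names are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time // step), digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret; decode it (padding optional)."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


class TotpVerifier:
    """Server side of the exchange: checks a submitted code against the user's secret.

    - `window` steps of clock drift either side of the current step are tolerated.
    - Each counter value is accepted at most once per user, so a code captured by
      phishing cannot be replayed during the rest of its validity window.
    """

    def __init__(self, secrets: dict[str, bytes], step: int = 30,
                 digits: int = 6, window: int = 1):
        self.secrets = secrets
        self.step = step
        self.digits = digits
        self.window = window
        self._last_counter: dict[str, int] = {}

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None or not code.isdigit() or len(code) != self.digits:
            return False
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter.get(user, -1):
                continue                                    # already consumed: replay
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, code):         # constant-time comparison
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret, as an app would receive it at enrolment (constructed demo).
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    verifier = TotpVerifier({"alice": secret})
    now = time.time()
    code = totp(secret, now)                                # what the user's app shows
    print("first use:", verifier.verify("alice", code, now))
    print("replay:   ", verifier.verify("alice", code, now + 5))
```

The secret must be stored server-side with the same care as a password hash database; unlike a hash it cannot be made one-way, because the server needs the raw key to recompute the code. Anyone who reads it can generate valid codes indefinitely.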
- No Credential Sharing
Three may keep a secret, if two of them are dead. The fewer people who know each other's login credentials, the fewer attack vectors are available to malicious actors.
The organizational policy should prohibit any user from sharing login credentials with any other user on the network. All login and password details should be unique and belong to one user only; shared accounts also destroy accountability, because an audit log can no longer say who did what.
- Limit Login Time
Make sure terminals have an inactivity limit; don't allow indefinite sessions. A good rule of thumb is 5-10 minutes of inactivity, after which the system locks the screen or logs the user off.
Password Management Tools
As part of the policy package, the document can contain requirements to implement password management tools. These tools generally make light work of traditional password management methods, and your IT department will love you for it.
Password Management Software For Business
Password managers are not a new thing; many browsers have some sort of built-in password memorization tool that individuals have been using for some time. IT service providers have taken that a step further and developed reliable business password management tools that manage multiple business accounts from one dashboard, available to all employees, and often integrate with single sign-on (SSO). The two are complementary: SSO removes the need for a separate password on each connected application, while the password manager stores the unique, random passwords for everything that cannot be connected.
These tools are becoming more sought after; organizations realize the potential threat of lost or stolen credentials. Check out this article on our blog for our top picks for password managers for business.
Password Strength Testers
Another tool that an organization might find useful is a strength tester. As the name suggests, a strength tester calculates an overall strength score for the password, expressed as an estimate of how long it would take a program to crack it, with longer times meaning better strength. Two caveats: the estimate depends entirely on the assumed guessing speed, which differs by many orders of magnitude between an online login form with lockouts and an offline attack on a leaked hash database; and a real password should never be typed into a third-party web page to test it, so use a tester that runs locally or is built into the password manager.
Why Implement a Password Management Policy
A policy is only as good as its results. There is little point in implementing a system that no one will follow or has no tangible benefit. This next section will explore some of the benefits that come with a good password management policy.
First Line of Defence
The first, and most obvious benefit, is the cyber defense application. With lost or stolen credentials being the number one reason for data breaches, it is clear that password management should be the first thing the organization needs to review.
With a robust policy and good enforcement measures, the associated risk should fall dramatically. It is best to couple policy implementation with good staff training, ensuring all parties are on the same page and, more importantly, on board with promoting good security. Which brings us to the next point.
Staff Morale and Productivity
Fear of the unknown often leads us down a path of unpredictable, or uncharacteristic, behaviour. Implementing a password management policy that has a clear purpose and instructions means you can avoid the ire of disgruntled employees when they inevitably have to change their outdated passwords after a data breach.
As creatures of habit, people are more comfortable when a routine is built into their daily lives, especially in the office. With the policy, it is possible to satisfy both the organization's security needs and the morale of the staff. On top of that, the policy has the staff play an active role in the organization's security architecture. This active involvement helps create the security culture that attackers cannot easily breach.
As a product of good staff morale, a password management policy can also increase staff productivity. After the initial road bumps that are to be expected when introducing a new policy, the time-saving aspect of a password management policy will free up valuable resources for the IT and other departments involved.
IT Cost Reductions
Dealing with password changes and staff accounts can sap productivity from the IT department. A password management policy can streamline the processes and place most of the responsibility on the account user.
This process means the resources of the IT department can be used for proactive protection against more advanced threats.
Password management is quickly becoming a must-do for organizations worldwide. More businesses have caught on to the glaring vulnerability associated with weak passwords, with lost or stolen credentials being the number one cause of data breaches worldwide.
In this article we examined a basic password management policy example, covering some of the general requirements for a robust policy that is not industry or compliance specific. These elements are:
- Prohibiting the use of dictionary words
- Prohibiting the use of sequential phrases
- Limiting login attempts
- Complex password requirements (alpha, numeric, special character)
- Setting minimum and maximum password age
- Multi-factor Authentication (MFA)
- Prohibiting users from sharing credentials
- Limiting login time
There are also added benefits to implementing a password management policy that go beyond security, as covered in this article:
- Increasing staff morale by strengthening the overall security culture of the organization, giving the account user more autonomy over the use of their account.
- Increasing staff productivity by limiting the involvement of the IT department, where their resources and time can be used for other security-related activities.
- Finally, reducing costs in the IT department as resources and time is freed up.
A password management policy does not have to be a headache. With RSI Security's top-class managed IT security services, we can make it happen. Get in contact with us today and book a free consultation.