People today jealously guard their Facebook passwords for fear of their pranky brother-in-law logging in as them and posting embarrassing status updates. The fact is, smart password practices cost next to nothing and aren’t time consuming. So, what is a “strong password” and how do you make strong passwords that don’t have to be written down on a Post-It or copy/pasted?
Complexity Has to Be Done Right
Password complexity is good, but when ordered to use special characters, most people fall back on the same 40 or so substitutions to strengthen their password (like swapping “1” for the letter i). Complexity works best when it’s random, however. It turns out length matters more than complexity when it comes to defeating password crackers, so increasing password length to 12 characters can improve password security significantly. This is good news, and it means you don’t have to devise passwords that look like the stand-in comic strip curse words (!%*##$*) from back in the day.
Complexity should mean a case-sensitive combo of letters, numbers, and special characters that’s at least eight characters long. Phrases interrupted by spaces, numbers, or special characters are typically robust, yet easy enough to remember that people aren’t tempted to write them down. Passwords need to be changed regularly too: every 60 days is OK, but every 30 is better.
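To make the two points above concrete, here is an added example (not code from the original article) that checks a password against the policy described here and compares brute-force search space. It assumes the article's rules: a 12-character minimum, mixed case plus a number and a special character (a space counts as special), and it undoes the usual “1 for i” style substitutions before a dictionary check. The substitution map and the word list are constructed for illustration.

```python
import math
import string

# Alphabet sizes per character class (assumption: an attacker who knows which
# classes are in use must try every combination over that alphabet).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}  # 32 punctuation + space

# A handful of the substitutions people reach for; we reverse them before the
# dictionary check so that P@ssw0rd is judged as the word it really is.
LEET_UNDO = str.maketrans("@4$5!1370", "aassiieto")
# Constructed sample of common base words; a real deployment would load a large list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}

def char_classes(password: str) -> set:
    """Classes present in the password; a space counts as a special character."""
    tests = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit,
             "special": lambda ch: ch in string.punctuation or ch == " "}
    return {name for ch in password for name, test in tests.items() if test(ch)}

def search_space_bits(password: str) -> float:
    """log2 of the brute-force keyspace: length * log2(alphabet size)."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return len(password) * math.log2(alphabet)

def check_policy(password: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = char_classes(password)
    if not {"lower", "upper"} <= classes:
        problems.append("needs both upper- and lower-case letters")
    if "digit" not in classes:
        problems.append("needs a number")
    if "special" not in classes:
        problems.append("needs a special character or space")
    normalized = password.lower().translate(LEET_UNDO)
    hits = [w for w in COMMON_WORDS if w in normalized]
    if hits:
        problems.append(f"is a common word with substitutions: {hits[0]}")
    return problems

if __name__ == "__main__":
    for pw in ("P@ssw0rd", "lanternriver", "Blue tractor 7 pianos!"):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, problems={check_policy(pw)}")
```

Note that the 12-character all-lowercase string has a larger brute-force search space than the 8-character “complex” one, which is the length-over-complexity point; the dictionary check then catches what keyspace arithmetic alone cannot.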
Don’t Reuse Passwords
This is one case where recycling is bad. Reusing the same password across multiple systems can turn a minor data bleed into a rushing hemorrhage. When an employee’s personal Twitter password is hacked, it’s one thing, but when that Twitter password is the same one he uses across the entire company network, it can turn into a security nightmare. Make sure your end users understand this.
When It’s OK to Lie
Urge people to lie on the answers to their password reset questions. A little superficial research can turn up a mother’s maiden name or a pet’s name. It’s better for people to pick a reset answer for each website built from an unrelated root phrase that’s meaningful to the user, varied slightly for each site.
Passwords and Mobile Devices
A lost or stolen mobile device can be a huge headache for your organization. Require staff to use a device lock feature that times out after a couple of minutes of inactivity. If your organization has a BYOD policy, don’t let employees bring jailbroken iPhones or Androids, because these bring increased security risks. You should also have a policy that users must sign out and exit business apps when they’re not using them rather than keeping them running in the background. It’s a hassle, but it can save your organization from bigger problems later.
Social Engineering
Keep in mind that you can have the best password policy in the world, but even with mature authentication systems and lockouts for failed attempts, the weak link is still the end user’s trusting nature. Giving a strong, complex password to someone engaging in social engineering can undo all your hard work in an instant. Educating every end user about social engineering attacks should be part of your organization’s password strategy.
Here’s a handy list that can take a risky password policy and strengthen it considerably without spending much time or money:
- Increase minimum length of end user passwords to 12 characters
- Encourage end users to answer reset questions untruthfully
- Keep software up-to-date to ensure you have the latest security fixes
- Bust users who use plain text passwords on your network
- Educate end users on creating strong passwords
- Educate end users on social engineering and how to avoid being victims