What is a Password Policy and How to Create One?
![](https://news.eliteleagueinternational.com/wp-content/uploads/2025/02/login-screen.png)
Password security is crucial in preventing data breaches, with more than 80% of hacking-related breaches being caused by password issues. A strong password policy is essential to ensure that everyone in your business uses secure passwords.
So, what exactly is a password policy? It is a set of guidelines that instruct individuals within a company on how to create strong passwords and use them correctly to enhance overall security.
A standard password policy should outline what users need to consider and avoid when creating, changing, storing, or sharing passwords. For example, it can require users to create longer passwords with special characters.
Implementing a strong password policy is important because it helps enforce the use of strong, unique passwords, minimizing security risks. It also encourages the creation of complex passwords that are safe from attacks like brute force and signals to customers and vendors that their passwords are safeguarded.
Creating a standard password policy involves setting password complexity requirements, creating a password deny list, establishing a password expiration period, enforcing multi-factor authentication, and including an account lockout threshold. These measures help ensure that passwords are secure and protected from potential threats. The lockout threshold should be paired with an account lockout period of 15 minutes. Additionally, the lockout duration should increase progressively for repeated triggers, to deter attackers while minimizing inconvenience for legitimate users. A secure and user-friendly account recovery process should also be offered to reduce IT support workload and minimize user downtime.
Guidelines should be in place on how to store passwords securely, as storing passwords in insecure ways weakens password security. Recommendations include using a password manager for encrypted and secure storage and sharing of passwords. Enterprise-grade password managers should be recommended and provided if possible, and users should be educated on the risks of insecure password storage methods.
Consequences should be set for policy violators to encourage compliance without resorting to harsh punishments. A tiered response to violations should include education and retraining for first-time violators, escalating for repeated non-compliance. A feedback mechanism should also be incorporated for employees to report difficulties in adhering to the policy.
Regular updates to the password policy are essential to stay ahead of emerging threats and advancements in password security practices. Scheduled reviews should be conducted to ensure that users are creating long, complex passwords, changing them frequently, and avoiding reuse across multiple accounts. Involving users in the review process helps maintain an effective and user-friendly policy.
Best practices for password policy implementation include making the policy easy to access and understand, adopting a password management system, forbidding insecure password sharing, implementing login time restrictions, and conducting regular password audits to assess adherence levels and identify areas for improvement. This proactive approach ensures that the organization’s cybersecurity measures evolve in tandem with emerging threats.
Password Policy Do’s and Don’ts
| Do’s | Don’ts |
|---|---|
| Create passwords with at least ten characters | Use personal information like name, DOB, job title |
| Include uppercase, lowercase letters, & special characters | Use easily guessed patterns like QWERTY or 123456 |
| Use misspelled words for complexity | Reuse the same password on multiple accounts |
| Set a password expiration period | Store passwords in emails, note apps, or sticky notes |
| Enforce Multi-factor Authentication (MFA) | Share passwords via text, email, or instant messages |
| Use a password manager for secure storage | Keep systems logged in when not in use |
| Update your password policy regularly | Ignore password policy guidelines |
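The rules above and the lockout scheme described earlier, turned into code as an added example (not from the original article): a checker that enforces the ten-character minimum, the character-class rule, a deny list and a personal-information check, plus a per-account lockout tracker whose 15-minute lockout doubles on each repeated trigger. The deny list and the five-attempt threshold are constructed values, not figures from the article.

```python
from dataclasses import dataclass

# Constructed deny list; a real deployment loads a breached-password corpus.
DENY_LIST = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 10                 # the article's "at least ten characters"
BASE_LOCKOUT_SECONDS = 15 * 60  # the article's 15-minute lockout period


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the policy rules `pw` violates; `personal` lists strings (name, DOB, job title) that must not appear."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if low in DENY_LIST:
        problems.append("on deny list")
    if any(term and term.lower() in low for term in personal):
        problems.append("contains personal information")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(not c.isalnum() for c in pw)):
        problems.append("needs upper, lower and special characters")
    return problems


@dataclass
class LockoutTracker:
    """Per-account lockout with a progressively doubling lockout duration."""
    threshold: int = 5          # failed attempts before the account locks (assumed value)
    failures: int = 0
    triggers: int = 0           # lockouts since the last successful login
    locked_until: float = 0.0   # epoch seconds; 0 means not locked

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def record_failure(self, now: float) -> int:
        """Count a failed login; return the lockout length in seconds if one starts, else 0."""
        if self.is_locked(now):
            return 0            # attempts during a lockout are rejected, not counted
        self.failures += 1
        if self.failures < self.threshold:
            return 0
        self.failures = 0
        duration = BASE_LOCKOUT_SECONDS * 2 ** self.triggers   # 15, 30, 60 min, ...
        self.triggers += 1
        self.locked_until = now + duration
        return duration

    def record_success(self) -> None:
        self.failures = self.triggers = 0   # a legitimate login resets the escalation
```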
What Are the NIST Password Guidelines?
The National Institute of Standards and Technology (NIST) guidelines have evolved over the years to reflect a more user-centric approach. Among their recommendations, users should create passwords that are a minimum of eight characters in length. Instead of forcing users to incorporate complicated symbols and characters, NIST emphasizes password length over arbitrary complexity. They advise against mandatory periodic password changes unless there’s evidence of a breach. NIST also suggests allowing the ‘show password’ option to help users avoid mistakes when entering their password. Moreover, they highly recommend implementing two-factor or multi-factor authentication to add an extra layer of security.
Are Complex Passwords As Important as Minimum Password Length?
While complexity in passwords (such as including symbols, numbers, and both uppercase and lowercase letters) certainly helps against brute-force attacks, recent trends in cybersecurity suggest that length is a more critical factor. A longer password naturally increases the total number of potential combinations, making it exponentially harder to crack. However, an undue emphasis on complexity often results in users resorting to predictable patterns or writing passwords down. If feasible, users should be encouraged to use longer passphrases that are easy to remember but hard for automated systems to guess. When using a password manager, which takes the burden of memory off the user, combining both length and complexity is ideal.
How Often Should Passwords Be Changed?
Conventional wisdom once dictated that regular password changes (e.g., every 60 or 90 days) were essential. However, NIST’s revised guidelines suggest avoiding routine password changes unless there’s a specific reason, like a suspected security breach. Changing passwords too frequently can result in weaker passwords, as users may choose slight, predictable variations of their old passwords or even reuse them across different platforms. Nonetheless, it’s crucial to be proactive. Using password managers with breach notification capabilities can alert users if their passwords are compromised, prompting timely changes.
Should Small Businesses Use a Password Manager?
Absolutely. Cybersecurity should never be an afterthought, even for small businesses. Password managers provide many advantages, including the ability to generate strong, unique passwords for every account and securely store them in encrypted vaults. Furthermore, they facilitate secure password sharing, which is especially useful in collaborative environments. By centralizing password management, businesses can maintain tighter control over access to sensitive information, thereby mitigating risks.
What Is the Ideal Password Policy?
The ultimate password policy should strike a balance between user convenience and robust security. It would emphasize the creation of long, unique passwords or passphrases, ideally without forcing arbitrary complexity rules. Secure storage practices, such as using encrypted databases or reliable password managers, are essential. Promoting the use of unique passwords for each account helps ensure that a breach on one platform does not compromise others. Regular monitoring for breaches and compromised passwords, paired with an understanding of when (and when not) to change passwords, can round out a comprehensive, effective policy.