While the last two blogs were on password composition and practices for users, this one will focus on password policies for administrators and businesses. Keep in mind that all users should use the practices recommended in the first two parts of this series.
Business owners, managers, administrators and other policy makers should:
1. Require users to create passwords of at least eleven characters that contain at least one number, one uppercase letter, one lowercase letter and one symbol. Length does far more for strength than composition rules, so treat the eleven-character floor as the important part and do not make the rules so intricate that users fall back on predictable substitutions ("P@ssw0rd1!").
2. Not permit passwords containing consecutive identical characters ("aa", "11", "!!") or passwords that are entirely numeric or entirely alphabetic.
3. Not cap the maximum length of passwords (accept at least 64 characters, so that passphrases and password-manager output are not rejected).
4. Require multi-factor authentication (MFA) wherever the system supports it. A second factor limits the damage when a password is phished or reused.
5. Maintain regular password expiration, requiring users to replace passwords at least once every 90 days, and do not allow the same or an older password to be reused. Be aware that current NIST guidance (SP 800-63B) advises against forced periodic rotation unless compromise is suspected, because it pushes users toward predictable, incremented passwords; if you do rotate, pair it with the reuse check in item 13 and a deny list.
6. Let users reveal the whole password while creating it, and briefly reveal each character as it is typed during login, rather than echoing the full password on the login screen.
7. Show users a strength meter as they type a prospective password and explain what makes a password strong.
8. Store and transmit passwords securely. Store only a salted hash produced by a deliberately slow algorithm (bcrypt, scrypt or Argon2), never plaintext or a reversibly encrypted copy, and transmit passwords only over TLS.
9. Manage password provisioning (new employees, new accounts) and deprovisioning (departures, role changes, contractor end dates).
10. Audit accounts and passwords every 90 days, removing or disabling inactive user accounts, and suspend accounts that have not been used for 45 days.
11. Lock accounts after three (recommended minimum) consecutive unsuccessful logins, requiring the user to contact IT to unlock the account, and alert security or other designated personnel after ten (recommended) bad login attempts. Note that an attacker can deliberately trigger lockouts to deny service to legitimate users, so log and watch for lockout spikes as well.
12. Define how a temporary password is generated for a user (randomly, from a cryptographically secure generator, not from a pattern the help desk reuses), how the user will receive it, and how long it stays valid. Lock out users who fail to log in with a temporary password after three consecutive attempts (recommended minimum).
13. Continuously monitor password creation, use and storage, and check every prospective password against the company's lists: known-bad or unacceptable passwords, weak patterns, the user's previous five passwords, and reserved words such as company and product names.
14. Think carefully before blocking cut and paste into password fields. An application cannot tell a password manager's paste from a user's, so blocking paste mostly obstructs the users who have adopted a manager; current NIST guidance (SP 800-63B) recommends allowing paste for exactly this reason.
15. Always change vendor-supplied default passwords on network equipment and other computer resources before they go into service. Default credentials are published and are among the first things an attacker tries.
16. Require users to sign in again after more than 15 minutes of inactivity, and enforce a matching screen-lock (screensaver) policy on workstations.
17. Store credential stores (password hash files) separately from application system data, with their own access controls, so that a compromise of the application data does not hand over the hashes as well.
18. Not save (cache) credentials for network share drives on workstations. Freely available tools such as those from NirSoft can recover credentials saved on a machine, so anyone who gains access to that machine gains access to the shares as well.
19. Not grant more permissions than necessary; follow the principle of least privilege. For example, system administrators should not have access to bank or financial accounts or their passwords. The departments that do hold such access should receive security training as well, and departments should coordinate on this, since it is another layer of defense.
20. Apply the same expiry to domain (directory) passwords: set the maximum password age to 90 days or less, subject to the rotation caveat in item 5.
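The following Python example makes items 1, 2, 8, 12 and 13 concrete. It is an added illustration, not code from the original post or from Tech Kahunas: it implements the composition and length rules, a deny list and reserved-word list (the small lists here are constructed stand-ins for a company's real ones), salted scrypt hashing with constant-time verification, a "previous five" reuse check that works on stored hashes rather than plaintext, and a temporary-password generator backed by the `secrets` module. The scrypt parameters are an assumption and should be tuned to the login server's hardware.

```python
import hashlib
import hmac
import os
import re
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the company deny list and reserved-word list
# (item 13). A real deployment loads a much larger file, ideally including
# known-breached passwords.
DENYLIST = {"password", "welcome1", "letmein", "admin123!"}
RESERVED_WORDS = {"techkahunas", "kahuna"}

MIN_LENGTH = 11            # item 1
HISTORY_DEPTH = 5          # item 13: no reuse of the previous five
# scrypt work factor (assumption: tune to your hardware; ~16 MiB per hash)
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def policy_violations(candidate: str) -> list:
    """Return every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for pattern, label in ((r"[0-9]", "no digit"), (r"[A-Z]", "no uppercase letter"),
                           (r"[a-z]", "no lowercase letter"), (r"[^0-9A-Za-z]", "no symbol")):
        if not re.search(pattern, candidate):
            problems.append(label)
    if re.search(r"(.)\1", candidate):          # item 2: "aa", "11", "!!"
        problems.append("consecutive identical characters")
    if candidate.isdigit():
        problems.append("all numeric")
    if candidate.isalpha():
        problems.append("all alphabetic")
    lowered = candidate.lower()
    if lowered in DENYLIST:
        problems.append("on the deny list")
    if any(word in lowered for word in RESERVED_WORDS):
        problems.append("contains a reserved word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted scrypt hash (item 8); returns (salt, digest). The plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)   # previous (salt, digest) pairs


def create_account(password: str) -> Account:
    problems = policy_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt, digest = hash_password(password)
    return Account(salt, digest)


def change_password(account: Account, new_password: str) -> None:
    """Apply the policy plus the reuse check against the current and previous hashes."""
    problems = policy_violations(new_password)
    previous = [(account.salt, account.digest)] + account.history[-HISTORY_DEPTH:]
    if any(verify_password(new_password, s, d) for s, d in previous):
        problems.append("matches the current or one of the previous %d passwords" % HISTORY_DEPTH)
    if problems:
        raise ValueError("; ".join(problems))
    account.history.append((account.salt, account.digest))
    account.salt, account.digest = hash_password(new_password)


def temporary_password(length: int = 16) -> str:
    """Random temporary password (item 12) from a CSPRNG, regenerated until it passes policy."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate
```

Two design points worth noting. The reuse check re-hashes the candidate with each stored salt, so the history can be kept as hashes only; keeping old passwords in plaintext "for comparison" would undo the point of hashing. And `hmac.compare_digest` is used for verification so that the comparison time does not leak how many leading bytes of the digest matched.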
Secure email gateways have been in the news recently, and they are relevant here because phishing email is a common way passwords are stolen in the first place. A gateway filters incoming and outgoing mail, detects and blocks the transmission of confidential and sensitive data, and identifies and rejects messages carrying malicious links or attachments, reducing the amount of potentially dangerous traffic that reaches users.
If a breach occurs:
In addition to the other steps in your breach-response plan, administrators should immediately reset the passwords of the affected systems and of all users, and invalidate any active sessions and access tokens tied to those accounts, since a password change alone does not end a session the attacker already holds.
The final blog in this series covers user education and password managers.
Tech Kahunas know the needs of SMBs and organizations and will help you with proper password practices and policies.
We’ll stay on top of the threats.
We’ll watch your data.
We’ll review your risks.
We’ve got years of this.