While the last two blogs were on password composition and practices for users, this one will focus on password policies for administrators and businesses. Keep in mind that all users should use the practices recommended in the first two parts of this series.
Business owners, managers, administrators and other policy makers:
1. Should require users to create passwords with a minimum length of at least twelve characters that contain at least one number, one uppercase letter, one lowercase letter and one symbol.
2. Should not permit passwords that use consecutive identical characters or that are all-numeric or all-alphabetic.
3. Should not limit the maximum length of passwords.
4. Should always require multi-factor authentication (MFA), if available.
5. Should require users to change their passwords at least once every 90 days and should not allow the same or any previous password to be used again.
6. Should allow the entire password to be displayed during creation, and only the most recently typed character to be shown briefly during login, so that the full password is never displayed on screen while it is being entered.
7. Should show users the strength of a prospective password as they type it, and tell them what makes a password strong.
8. Should store and transmit passwords securely, which is achieved through encryption or hashing.
9. Should manage password provisioning (new employees, new accounts) and deprovisioning.
10. Should audit accounts and passwords every 90 days, removing or disabling inactive user accounts and suspending accounts that have not been used for 45 days.
11. Should lock users out after more than three (the recommended minimum) unsuccessful login attempts, requiring the user to contact IT to unlock the account, and should alert security or other personnel after ten (recommended) failed login attempts.
12. Should define the policy for generating a new temporary password for a user and for how the user will receive it, and should lock out users after three (the recommended minimum) consecutive unsuccessful attempts to log in with a temporary password.
13. Should continuously monitor password creation, use and storage, including checking prospective passwords against company lists of banned or unacceptable, weak and reserved-word passwords and against the user's previous five passwords.
14. Should always change vendor-supplied default passwords on network equipment and computer resources.
15. Should require users to sign in again after they have been idle for more than 15 minutes, and should enforce a screensaver (screen lock) policy with the same timeout as a safe practice.
16. Should store password files separately from application system data.
17. Should not save passwords for network share drives. Freely available software such as the tools from NirSoft can recover saved passwords, allowing users to access these drives.
18. Should not grant more permissions than necessary and should maintain the principle of least privilege. For example, administrators should not have access to bank or financial accounts or their passwords. Departments that do have such access should receive security training as well. Company departments should work together on this, as it is another layer of defense.
19. Should set expiry on domain passwords to 90 days minimum.
Secure email gateways have recently been in the news. These can help reduce potentially dangerous traffic: the gateway servers filter incoming and outgoing mail, detect and block the transmission of confidential and sensitive data, and identify and reject emails with malicious links and attachments.
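As an added example, not code from the original post, here is a Python policy check that encodes the composition rules in items 1, 2, 3 and 13 and the failed-login thresholds in item 11. The banned-word set and the password history it uses are constructed for the example, and SHA-256 stands in for the history comparison only.

```python
# Added example (not the original post's code): encodes items 1, 2, 3, 11 and 13
# above. The banned-word set and history are constructed for the example.
import hashlib
import string

MIN_LENGTH = 12     # item 1; no maximum length is enforced (item 3)
HISTORY_DEPTH = 5   # item 13: reject any of the user's previous five passwords
LOCK_AFTER = 3      # item 11: lock out after more than three failed logins
ALERT_AT = 10       # item 11: alert security at ten failed logins

BANNED_WORDS = {"password", "welcome", "letmein", "companyname"}  # constructed


def password_digest(password: str) -> str:
    # SHA-256 is used only to compare against the history list; the live
    # credential store should use a salted, slow password hash (item 8).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (("digit", str.isdigit), ("uppercase letter", str.isupper),
               ("lowercase letter", str.islower),
               ("symbol", lambda c: c in string.punctuation))
    for name, has_class in classes:
        if not any(has_class(c) for c in candidate):
            problems.append(f"no {name}")
    if any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("consecutive identical characters")
    if any(word in candidate.lower() for word in BANNED_WORDS):
        problems.append("contains a banned or reserved word")
    if password_digest(candidate) in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def record_failed_login(failures: dict, user: str) -> str:
    """Count one failed login and return the action item 11 requires."""
    failures[user] = failures.get(user, 0) + 1
    if failures[user] >= ALERT_AT:
        return "alert"   # account stays locked; security is notified as well
    if failures[user] > LOCK_AFTER:
        return "lock"    # user must contact IT to unlock
    return "allow"
```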
If a breach occurs
In addition to other recommendations for breach response, administrators should change the passwords of affected systems and all users immediately.
The final blog in this series concludes with user education and password managers.
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.
Tech Kahunas will help you Defend Your Island. Set up a free 30-minute Strategy Session with us now.