Password Policy
Because more and more sensitive data is finding its way into storage on our networks, more security measures are required than ever before. As part of this, your organization needs to possess a well-crafted security policy, and this security policy should include a comprehensive password policy. As you’ll learn in this post, you should also provide detailed training on this part of the security policy.
Keep in mind that in addition to “simple” username and password combinations, many other powerful technologies found in the modern network are available for user authentication. These include:
- One-time passwords (OTPs)
- Client certificates
- Smart cards
- Biometrics
- Multifactor authentication
Despite these additional security options, the “classic” password still plays a pivotal role in most networks. It is obvious by glancing at recent news headlines that user credentials represent a major area of attack.
Your password policy should include the following:
- Education for end users
- Strong password requirements, such as the following:
  - Minimum password lengths
  - Restrictions on the use of proper names
  - Password expiration
  - No previously used passwords allowed
  - No words spelled out completely within the password
  - The use of characters from the following groups:
    - Uppercase letters
    - Lowercase letters
    - Numbers
    - Special characters
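A small policy checker that enforces the requirements listed above, added here as an example rather than code from the original post; the blocked-word list, the history salt and the minimum length of 12 are constructed placeholders, and expiration is left to the account system since it depends on timestamps rather than the password itself.

```python
import hashlib
import re

# Constructed sample data (not from the original post): a tiny blocked-word
# list standing in for a dictionary/proper-name list, and a salt used so the
# password history stores hashes rather than old plaintext passwords.
BLOCKED_WORDS = {"password", "welcome", "summer", "alice", "acme"}
HISTORY_SALT = b"example-salt-not-for-production"

def _hash_for_history(password: str) -> str:
    return hashlib.sha256(HISTORY_SALT + password.encode("utf-8")).hexdigest()

def check_password(password: str, history: list[str], min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Rules mirror the post's list: minimum length, no previously used password,
    no dictionary word or proper name spelled out inside the password, and at
    least one character from each of the four character groups.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if _hash_for_history(password) in history:
        problems.append("previously used password")
    lowered = password.lower()
    for word in sorted(BLOCKED_WORDS):
        if word in lowered:
            problems.append(f"contains blocked word '{word}'")
    groups = {
        "uppercase letter": r"[A-Z]",
        "lowercase letter": r"[a-z]",
        "number": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in groups.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    return problems

def remember_password(password: str, history: list[str], keep: int = 10) -> list[str]:
    """Append the new password's hash to the history, keeping only the last `keep` entries."""
    return (history + [_hash_for_history(password)])[-keep:]
```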
Your password policy might also detail the use of password management software. This software stores passwords for different resources and can even help users generate complex passwords across these resources. Of course, the software itself must be protected with a strong password that the user should memorize.