Strengthening Your Organization’s Password Policy

RH-ISAC shares some password policy best practices including length, complexity, and augmenting your passwords with multi-factor authentication.

According to the Cyber Readiness Institute, 63% of data breaches result from weak or stolen passwords. Putting a strong password policy in place is one of those first lines of defense that sounds so easy, but can realistically be hard to implement, as it depends on the cooperation of all the employees in your organization.

Your average employee in the marketing department isn’t thinking about a data breach when they’re reusing the same password across all your social media sites; they just want something they can remember. And chances are, they’re also using that password on some of their personal logins as well… I should know… before working at RH-ISAC that was me! So, what can you do to make sure that marketers, accountants, HR personnel, and even your executive management team don’t inadvertently cause a breach?

Multi-Factor Authentication

First, set up multi-factor authentication on as many applications as possible. While you may get some pushback at first (“Gosh, this is so annoying!”), after a while it becomes second nature and just part of the routine of logging in. Multi-factor authentication is becoming increasingly commonplace in our personal lives as banks and other services we interact with require it. Emphasizing the effectiveness of this simple method and working it into your company culture will go a long way in stopping a credential-based attack.

Password Length and Complexity

Now, what about the password itself? The biggest stumbling block for people here is that they want a password they can remember. There are a couple of ways to accommodate this while keeping your organization’s passwords more secure.

To start, all companies should have a password policy written in the employee handbook. This will help employees understand the importance of secure password setup and provide a source of guidance if they’re unsure of best practices.

In the password policy, you should outline password length and complexity requirements. Passwords that are 12-15 characters are significantly more challenging for hackers to crack, but they also need to be complex. PasswordPassword is more than 15 characters, yes, but that obviously isn’t enough here. Lately, passphrases have become a common solution that provides length and complexity, while still being relatively easy for employees to remember. Passphrases are a series of words used as a password. They can be a short sentence or just three random words put together. The point is they are longer than a standard password, making them safer and harder to crack, but they’re still actual words, not a string of random characters, so the employee setting the password can remember it.

Using a Password Manager

Alternatively, password managers such as LastPass or Dashlane will generate strong passwords for you and store them so you can safely log in without the need to remember passwords for every site. You will, of course, still need to remember your password manager password… so don’t completely forget everything I just told you about passphrases! This would be a great place to use one.

Password Disallow Lists

Another thing your password policy can include is a password disallow list. There are a number of tools out there that can help you create a password disallow list that protects against dictionary attacks or using a known leaked or bad password. You should also consider adding custom banned passwords such as companyname123 or other passwords that may be specific to your business that would be easy to crack.
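
One way to enforce the length requirement and the disallow list described above, as an added example that is not part of the original post or any RH-ISAC tooling. The word lists are constructed samples, `companyname` is the post's own placeholder, and the normalization rules (lowercasing, stripping trailing digits and symbols, undoing common character substitutions) are assumptions about what a reasonable check would cover.

```python
import re

MIN_LENGTH = 12  # lower bound of the 12-15 character range in the post

# Constructed sample lists; a real deployment would load a leaked-password corpus.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome"}
CUSTOM_BANNED_TERMS = {"companyname"}  # placeholder taken from the post

# Common character substitutions, mapped back to letters (assumed rule set).
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def normalize(password):
    """Reduce a password to its letter-only core for list comparison."""
    core = re.sub(r"[^a-z]+$", "", password.lower())  # drop trailing "123", "2024!"
    core = core.translate(SUBSTITUTIONS)               # "p@ssw0rd" -> "password"
    return re.sub(r"[^a-z]", "", core)                 # drop separators and leftovers


def matches_banned(core, banned):
    """True if core is a banned word, or one banned word repeated back to back."""
    return bool(core) and any(core == word * (len(core) // len(word)) for word in banned)


def check_password(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    core = normalize(password)
    if matches_banned(core, COMMON_PASSWORDS | CUSTOM_BANNED_TERMS):
        problems.append("on disallow list")
    elif any(term in core for term in CUSTOM_BANNED_TERMS):
        problems.append("contains banned company term")
    return problems


if __name__ == "__main__":
    for candidate in ("PasswordPassword", "companyname123", "P@ssw0rd2024!",
                      "CompanyName-Spring!", "maple-tractor-violin"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Comparing the normalized core rather than the raw string is what catches `PasswordPassword` and `companyname123`, both of which pass a length-only rule.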

Eliminate Passwords

Finally, the other alternative is to eliminate passwords. Known as passwordless authentication, this method relies on other types of authentication like biometrics, special mobile applications, and security keys to bypass the use of passwords altogether.

Learn More

Interested in learning more about password policy best practices? RH-ISAC members have exclusive access to discussions on this topic and example policies on the Member Exchange. Not a member? Learn more about the benefits of membership here or email [email protected].

 
