Password policies: A quick guide to getting started
- select the contributor at the end of the page -
A poorly chosen password can cause a ton of problems. As I mentioned in my last post, a weak password could result in unauthorized access and/or exploitation of resources. All users, including contractors and vendors with access to systems, are accountable for taking the proper steps to select and secure their passwords. Because of this, we need to establish a standard and/or guidelines for creating strong passwords, and protecting those passwords, along with their frequency of change. Most of us IT geeks call this a Password Policy.
So, exactly what types of items should be covered in a password policy?
- Don’t write your passwords down. Not on a sticky note under your phone, under your deskpad or in a Word doc on your computer.
- No one, I repeat no one should ever ask you to email your password to them.
- Don’t use the “Remember Password” feature on your browser (IE, Chrome, Firefox, etc.).
- If you think that your password might have been compromised, contact your IT staff immediately to get it switched. And for the rest of you IT people, stop being rude when employees call you to reset their passwords, remember everyone makes mistakes!
- Don’t use part of your logon name in your password.
- Stay away from using numbers that mean something to you (phone numbers, social security numbers, street addresses etc.).
- Corporate passwords should never be used for personal use (Facebook, Pinterest, LinkedIn, etc.).
- When typing your password, be aware of your surroundings. Make sure no one is watching. When I’m visiting a client and they go to type in their password, I physically turn my body/chair away from them. I personally don’t want that liability. Protect yourself by never having access to someone else’s password.
- User accounts that have system-level privileges granted through group memberships or programs must have their own unique password.
- Applications must not transmit passwords in clear text over the network (I’m pointing my finger at you developers that take shortcuts!).
- Use Passphrases! Passphrases are not the same as passwords. A passphrase is a longer version of a password and is more secure; it’s typically composed of multiple words. Because of this, a passphrase is more secure against dictionary attacks. A great passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: [email protected]@mcdonalds!
Some things to note:
Don’t use famous or well-known lyrics/lines from songs and/or movies. Try to change up the spelling of the password to something that you’ll remember i.e.: MyFavoriteBandIsYoutwo….or [email protected]$ident.
OK, great. But, how do I implement a password policy?
In the words of that famous shoe company, just do it. Your IT department should utilize technologies that are available like the old standard, GPO. Microsoft released a technology back in Server 2008 that allows IT folks to create custom password policies for different “groups” called Fine-Grained Passwords (check out Greg Shield’s Windows Server 2012 R2 (70-411) Configure Active Directory course for more info). When I teach a Server 2012 course, I’m outright shocked at how many IT people don’t know about this powerful feature.
This technology allows us to create different password requirements for different groups. For example, passwords for IT folks have to be 20 characters long and have to be changed every 20 days while the Sales department has to use 15 characters and change every 45 days. And, of course, upper management needs to only use two characters and rotate every 5 years (just kidding about that last one).
That’s nice and all, but how do I make sure people are following these policies?
Easy; accountability. Make sure that your employees are aware of the policies you’ve put in place for everyone, and make it clear that there are consequences for deliberately choosing to not follow these policies (up to and including termination from the company).
So now that you’ve got an outline and a strong reminder of the risk associated with not having a password policy, it’s time to get to get to work. Fire up Outlook, schedule a meeting and start training your team.