Crafting the Perfect Password Policy: 12 Must-Have Elements

Strong passwords are the first line of defense in protecting your business data and customer information. But many companies have weak or non-existent password policies, putting them at heightened risk of a breach. According to the Verizon Data Breach Investigations Report, compromised passwords are responsible for 81% of hacking-related breaches.

A strong password policy is vital to helping organizations protect critical systems and data, ensure business continuity and minimize compliance risk.


What is a Password Policy?

A password policy is a set of rules and regulations dictating how employees should create and use passwords. Password policies outline requirements such as minimum length, composition and complexity, expiration dates, storage, etc. 

Whether you are a business owner or an individual, a strong password policy helps you protect your digital assets and can prevent cybercriminals from accessing your accounts and systems.

12 Must-Have Elements of a Password Policy

1. Password Length

Password length is the most crucial factor in a strong password policy. The Center for Internet Security (CIS) recommends that passwords be at least 14 characters long, with no limit on the maximum length. A long password provides the greatest protection against brute-force attacks, in which an attacker uses software to try every possible password combination until the right one is found. A 14-character password built from about 100 possible symbols has 100^14 possible combinations, which would take a significant amount of time to exhaust with today's technology, although that time shrinks as hardware improves.

2. Password Complexity

Password complexity is the next most important factor in a robust password policy. It refers to combining various types of symbols, numbers, uppercase and lowercase letters, and other special characters to form a single password. Alternatively, passphrases that combine 4-5 randomly chosen words are also a good password strategy. 
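To make the length and complexity guidance above concrete, here is an added example (not part of the original article) that turns the 100^14 figure into bits of entropy, compares it with other policy choices including a 4- or 5-word passphrase, and generates a passphrase with a cryptographically secure random source. The 1e12 guesses-per-second rate and the 7776-word list size are assumptions for the illustration.

```python
import math
import secrets

# Assumed attacker throughput, for illustration only; real figures depend on the
# hashing algorithm and the hardware, and they rise over time.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size` symbols.

    The article's 100^14 count is the same quantity expressed as a number of
    combinations: log2(100^14) is about 93 bits.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every combination of a `bits`-entropy secret at the given rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_strategies(wordlist_size: int = 7776) -> dict:
    """Entropy, in bits, of several policy choices side by side.

    7776 is the size of a six-dice Diceware list (assumed here); a passphrase of n
    randomly chosen words is entropy_bits(wordlist_size, n).
    """
    return {
        "8 chars, digits only": entropy_bits(10, 8),
        "8 chars, 100-symbol alphabet": entropy_bits(100, 8),
        "14 chars, 100-symbol alphabet": entropy_bits(100, 14),
        "4 random words": entropy_bits(wordlist_size, 4),
        "5 random words": entropy_bits(wordlist_size, 5),
    }


def generate_passphrase(wordlist, n_words: int = 5, sep: str = "-") -> str:
    """Passphrase of n_words chosen independently with the CSPRNG (secrets), never random."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word to pick and a list of two or more words")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for name, bits in compare_strategies().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years at 1e12 guesses/s")
    # Constructed mini wordlist; a real deployment would load a vetted list of thousands of words.
    print(generate_passphrase(["correct", "horse", "battery", "staple", "orbit", "canyon"]))
```

The comparison shows why the two recommendations are not interchangeable: five random words from a 7776-word list give roughly 65 bits, well above an 8-character password from a 100-symbol alphabet (about 53 bits) but below 14 random characters from that alphabet (about 93 bits). The passphrase is easier to remember, which is why the article offers it as an alternative.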

3. Password Banning

Organizations should ban common bad passwords to reduce susceptibility to brute-force and password-spraying attacks. A few examples of commonly used passwords include: abcdefg, password, qwerty, iloveyou and 12345678.

When processing requests to create or change a password, the new password should be checked against a list containing commonly used, expected, or compromised values. This check should happen immediately upon password creation.

For example:

  • Passwords obtained from previous breaches
  • Dictionary words 
  • Repetitive or sequential characters (e.g. aaaaaa, 1234abcd)
  • Context-specific terms, such as the name of the service, the username, and derivatives thereof
  • Previously used passwords for this account with a change delay
  • Personal identification information for the user 

4. Password Expiration

For years cybersecurity professionals held firm to the idea that passwords needed to be changed regularly. However, in recent years, organizations such as NIST and Microsoft have abandoned the longstanding best practice of scheduling password expiration. Instead, it is recommended that passwords should only be changed if they have been compromised or forgotten.  

5. Multi-Factor Authentication

Multi-factor authentication (MFA) is a critical security measure that requires more than one method of authentication from independent categories of credentials to verify a user’s identity. For example, in addition to a password, a user must provide another form of authentication to access an account, such as a fingerprint or a one-time code sent to a different device.

MFA adds an extra layer of security to help to prevent unauthorized access to accounts and systems. It also makes it more difficult for attackers to compromise accounts, as they would need to obtain multiple forms of authentication to gain access. In addition, MFA can help to reduce the risk of account takeover and other types of cyber attacks and provides peace of mind for users, knowing that their accounts are better protected.

6. Password History 

A password history policy determines the number of unique new passwords that must be associated with a user account before the user can reuse old passwords. Password reuse is a common problem for organizations as most users find it easier to reuse passwords for a long time rather than create a new one. Unfortunately, the longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute-force attacks. If users are required to change their password but reuse an old password, the effectiveness of a good password policy is significantly reduced.

7. Password Reuse

The average person reuses each password as many as 14 times. While creating and managing multiple passwords seems like a hassle, users should always use different passwords across multiple accounts.

The risks of password reuse are higher as users manage more accounts. For example, using the same password across multiple accounts, such as Salesforce, LinkedIn and Outlook, puts them all at risk of compromise if a cybercriminal can access even one password. In addition, when an attacker purchases stolen credentials, it’s easy for them to check and see if any of the passwords they’ve recently acquired match accounts that have appeared in recent data breaches and take it from there. 

8. Password Sharing

A SurveyMonkey survey found that 34% of respondents shared passwords or accounts with their coworkers. Password sharing makes your personal and professional data vulnerable to cybersecurity threats and should be avoided at all times.

9. Failed Login Attempts

Failed login attempts may result from employees forgetting their login credentials or hackers attempting to access a user’s account. Therefore, monitoring and managing failed login attempts is of the utmost importance, as they can lead to privacy and personal data breaches.

CIS recommends a temporary account lockout (15 minutes or more) after five consecutive failed attempts or time-doubling throttling (in minutes) between each retry (0, 1, 2, 4, 8, etc.). In both cases, a permanent account lockout occurs after ten consecutive failed attempts. In addition, key personnel must be notified immediately when the login limit reaches its threshold.
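The CIS guidance above describes two alternative policies plus a permanent lockout and an alert. The following is an added example (not from the article or from CIS) implementing both modes in a small server-side guard; the class, its method names and the choice to pass timestamps in explicitly are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Thresholds from the CIS guidance quoted above
LOCKOUT_THRESHOLD = 5            # consecutive failures before a temporary lockout
LOCKOUT_SECONDS = 15 * 60        # length of that lockout
PERMANENT_THRESHOLD = 10         # consecutive failures before a permanent lockout


@dataclass
class AccountState:
    consecutive_failures: int = 0
    blocked_until: float = 0.0       # epoch seconds; 0 means not blocked
    permanently_locked: bool = False


class LoginGuard:
    """Tracks failed logins per user in either 'lockout' or 'throttle' mode.

    Times are passed in explicitly (epoch seconds) so the logic is deterministic
    and testable; a server would pass time.time().
    """

    def __init__(self, mode: str = "lockout",
                 notify: Optional[Callable[[str, str], None]] = None):
        if mode not in ("lockout", "throttle"):
            raise ValueError("mode must be 'lockout' or 'throttle'")
        self.mode = mode
        self.alerts: List[str] = []   # stand-in for paging key personnel
        self.notify = notify or (lambda user, msg: self.alerts.append(f"{user}: {msg}"))
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def attempt_allowed(self, user: str, now: float) -> Tuple[bool, Optional[float]]:
        """(True, 0.0) if a login may be tried now; (False, seconds_to_wait) if throttled
        or temporarily locked; (False, None) if the account is permanently locked."""
        st = self._state(user)
        if st.permanently_locked:
            return False, None
        if now < st.blocked_until:
            return False, st.blocked_until - now
        return True, 0.0

    def record_failure(self, user: str, now: float) -> None:
        st = self._state(user)
        st.consecutive_failures += 1
        n = st.consecutive_failures
        if n >= PERMANENT_THRESHOLD:
            st.permanently_locked = True
            self.notify(user, f"permanently locked after {n} consecutive failures")
            return
        if self.mode == "lockout":
            if n >= LOCKOUT_THRESHOLD:
                st.blocked_until = now + LOCKOUT_SECONDS
                if n == LOCKOUT_THRESHOLD:
                    self.notify(user, f"temporary lockout after {n} consecutive failures")
        else:
            # Doubling delay in minutes: 0 after the 1st failure, then 1, 2, 4, 8, ...
            delay_minutes = 0 if n == 1 else 2 ** (n - 2)
            st.blocked_until = now + delay_minutes * 60

    def record_success(self, user: str) -> None:
        """A valid login resets the counter unless the account is permanently locked,
        which only an administrator should undo."""
        st = self._state(user)
        if not st.permanently_locked:
            st.consecutive_failures = 0
            st.blocked_until = 0.0
```

The login handler should call `attempt_allowed` before it verifies the password at all, so that a blocked account never has its credentials checked, and should call `record_failure` or `record_success` afterwards. The throttle mode is the gentler of the two for legitimate users who mistype a few times, since the first retries cost seconds rather than a quarter of an hour, while still making a sustained guessing run impractical.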

10. Suspend Accounts Not In Use

Administrators should immediately disable accounts for people who are no longer authorized (leaving the company, changing departments, etc.). Unfortunately, this does not always happen, so it makes sense to have a backup. Suspending an account after X days of non-use (CIS suggests 45 days) can act as that backup: the system automatically disables the account if the user has not logged in within 45 days of the last valid login. The user can get it re-enabled but must contact IT and justify why the account is still needed.

11. Password Storage

Password storage refers to the method by which your passwords are stored on your computer or device. The two most common ways to store passwords are in a password manager app or a browser password manager. 

A password manager app is the preferred option for password storage. Password apps are convenient because you can access your passwords anywhere. They are also more secure than browser password managers because they require you to log in with a master password and lock the vault after a specified idle time. Without this automatic lock, all it takes is a user leaving their computer unattended for a short while; anybody who sits down at that device can then access their accounts without entering an extra password.

In addition, for businesses, browser password managers can be a security headache for IT admins, as they need visibility into who has stored corporate passwords in which browser. If an employee quits or goes rogue, determining which passwords the employee had access to might become a challenge.

12. Password Screening

Screening passwords against commonly used and breached password lists is a critical security measure. It's important to block passwords that are known to be frequently used or compromised. Even if a user creates a seemingly complex password, checking it against these lists is vital to prevent potential cyberattacks. Reusing credentials significantly heightens the risk of unauthorized access to other user accounts, potentially exposing sensitive information. When a user chooses a password that fails the check, the system should provide a clear message prompting them to choose a different one while explaining why their initial choice was rejected. Furthermore, organizations should promptly notify employees if they attempt to set a password found in a list of breached passwords, emphasizing the importance of maintaining secure login credentials.
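Sections 3 (banning), 6 (history) and 12 (screening) all describe checks that run at the moment a password is created or changed. The following is an added example (not the article's own code) that applies every item in the section 3 list, blocks the last N passwords of the account by comparing salted hashes, and returns user-facing reasons as section 12 asks. The banned, dictionary and breached lists are constructed samples; the 10-password history depth, the PBKDF2 work factor and the run lengths for repeated or sequential characters are assumptions.

```python
import hashlib
import os
import re
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 14          # CIS minimum from section 1; no maximum is enforced
HISTORY_DEPTH = 10       # assumed: how many previous passwords may not be reused
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored history hashes

# Constructed sample lists. A deployment would load real breach corpora and a full dictionary.
BANNED = {"password", "qwerty", "iloveyou", "12345678", "abcdefg"}
DICTIONARY = {"correct", "horse", "battery", "staple", "summer"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("summer2023!!!!", "letmein-letmein")}


def has_repetition(s: str, run: int = 4) -> bool:
    """True if one character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def has_sequence(s: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (e.g. '1234', 'dcba')."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - run + 1):
        steps = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted PBKDF2 hash to keep in the history table instead of the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex(), digest.hex()


def in_history(password: str, history: Sequence[Tuple[str, str]]) -> bool:
    """Compare the candidate against each stored (salt, hash) pair, newest first."""
    for salt_hex, digest_hex in list(history)[:HISTORY_DEPTH]:
        _, candidate = hash_for_history(password, bytes.fromhex(salt_hex))
        if candidate == digest_hex:
            return True
    return False


def check_new_password(candidate: str, *, username: str, service: str,
                       personal_info: Sequence[str] = (),
                       history: Sequence[Tuple[str, str]] = ()) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means it is accepted.
    Each reason is phrased for the user, as section 12 asks."""
    reasons = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"must be at least {MIN_LENGTH} characters (it has {len(candidate)})")
    if lower in BANNED:
        reasons.append("is on the list of commonly used passwords")
    if lower in DICTIONARY:
        reasons.append("is a single dictionary word")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appeared in a known data breach and must not be used anywhere")
    if has_repetition(candidate):
        reasons.append("contains a character repeated four or more times")
    if has_sequence(candidate):
        reasons.append("contains a run of sequential characters such as 1234 or abcd")
    for term in (username, *service.split()):
        if len(term) >= 3 and term.lower() in lower:
            reasons.append(f"contains '{term}', which is your username or the service name")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lower:
            reasons.append("contains personal information associated with your account")
            break
    if in_history(candidate, history):
        reasons.append(f"was used for this account recently "
                       f"(last {HISTORY_DEPTH} passwords are blocked)")
    return reasons
```

When a change is accepted, the caller stores `hash_for_history(new_password)` at the front of the account's history list and drops entries beyond `HISTORY_DEPTH`; the plaintext is never kept. The breached-list check here is an exact hash lookup against an in-memory set, so the password never leaves the host; a live service would consult a breach corpus through a privacy-preserving lookup rather than sending the password or its full hash to a third party.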

Wrapping Up

Password policies are vital to a robust security strategy because they are the first line of defense against cyber threats and can greatly help reduce the risk of data breaches, account takeovers, and costly cyberattacks.
