What are password policies?
Password policies are a set of rules and guidelines that govern how passwords are created, used, and stored in an organisation. The purpose of password policies is to ensure that users are creating and using strong passwords that are difficult to guess, and that meet the security requirements of the organisation.
Typically, a password policy includes stipulations such as password length, complexity, history, expiry. It can also reference separate but linked requirements such as MFA or password management.
Why a password policy is important
There are several reasons to create and enforce a password policy:
- Prevents unauthorised access: A password policy helps prevent unauthorised access to sensitive data and systems by protecting against brute-force attacks, password guessing, and other common password attacks.
- Protects against data breaches: Linked to the first point, password policies help protect against data breaches by reducing the risk of an attacker gaining, using, extracting or changing sensitive data and systems.
- Compliance requirements: Many industries have compliance requirements for password policies, such as HIPAA, PCI DSS, and NIST guidelines. Compliance with these regulations can help organisations avoid fines, legal penalties, and reputational damage.
- User education: Password policies provide an opportunity to educate users about the importance of strong passwords, password hygiene, and common password attacks such as phishing.
Password policy best practices
What should a password policy include? The best password policy is one that balances security with usability, tailored to the specific needs of an organisation. However, there are some general best practices that can help create a strong password policy:
- Length.
- Complexity.
- Expiry.
- History - i.e. not re-using old passwords.
- Use two-factor authentication.
- Prohibit sharing.
- Storage and management i.e. using a password management platform.
How to implement a password policy
How to create a password policy
The general process for creating a password policy:
- Define the requirements: Determine what the password requirements should be for your organisation. Consider password length, complexity requirements, password expiration, and other relevant factors. Keep in mind any industry standards or compliance requirements that your organisation needs to meet.
- Choose the right tool: Identify the tool or software that you will use to enforce the password policy. Common tools include Active Directory, LDAP, or other directory services.
- Create the policy: Use toolkit in step 2 to configure the settings based on the requirements defined in step 1.
- Test the policy: make sure it is working as intended.
- Deploy the policy: Communicate the details of the updated policy and timings and possibly provide training. Apply the policy.
How to enforce password policy
Enforcement entirely depends on the facilities available - either already or potentially - within your organisation. In some cases, enforcement may rely on the facilities available within the platform, so some components of a global password policy may not be enforceable if the platform does not offer the option.
The very lowest level of enforcement is one where there is no enforcement at all. Here there can be only reliance on the policy, which describes the requirements and the penalties for non-compliance.
Platforms provided by third-parties can only have enforcement for password policies if the option is offered. This must be explored and deployed on a case-by-case basis.
There are several options for managing passwords for devices such as computers or mobiles, often forming part of the endpoint management platform. In these cases, a business can select a platform based on their specific requirements, enrol the devices on the platform, and use the password policy facilities available to meet their policies.
Types of password policies
Corporate password policies
Corporate password policies are a global, organisation-wide set of policies that are intended to apply to all situations where a password is required. Different policies may apply for different use-cases - such as staff roles or information sensitivity.
Endpoint manager policies
Endpoint manager policies are specific policies tailored to the endpoints - computers and mobiles - that are designed to work with the capabilities of the endpoint manager platform.
Domain controller policies
Domain controllers are a specific type of endpoint management platform, where devices are enrolled into Active Directory.
Best practices for password policies
Password length
The policy should specify the minimum length for passwords, which should be at least 8-12 characters in length.
Complexity
Passwords should be complex and difficult to guess. Typically this means:
- A mix of upper and lowercase letters, numbers, and special characters.
- Not including patterns that are easy to guess, such as '123456', 'ABCDEFG', your name, and so forth.
Expiration requirements
Many password policies stipulate a change at regular intervals, every 90 days is fairly common. That said, with the development of MFA on most platforms, there is a widespread trend to reduce or remove stipulations on password expiry.
Enforcing password policies
Password policy enforcement software
- Active Directory: This is a directory service from Microsoft that is commonly used to manage user accounts and enforce password policies in a Windows environment.
- LDAP: Lightweight Directory Access Protocol (LDAP) is a protocol used for accessing and managing directory services. Many organisations use LDAP to enforce password policies across multiple platforms and applications.
- Single sign-on (SSO) solutions: SSO solutions provide a centralised authentication mechanism that allows users to log in to multiple applications using a single set of credentials. Many SSO solutions include password policy enforcement as a feature.
- Identity and Access Management (IAM) solutions: IAM solutions provide a centralised platform for managing user identities and access to resources. Many IAM solutions include password policy enforcement as a feature.
- Cloud-based services: Many cloud-based services, such as Microsoft Azure, Google Cloud Platform, and Amazon Web Services, offer built-in password policy enforcement features.
Exception handling
Handing an exception to a password policy depends entirely on the contract agreed between the individual and the organisation. In many cases, password policies form part of the Information Security Policy that is agreed at the engagement of the individual. The Policy will detail how any exceptions are handled based on the specific circumstances - violations may be considered as part of the normal disciplinary process.
Password policy violation consequences
Broadly, these fall into three camps:
- Disciplinary: where the individual is found to be in breach of the policy and the incident is handled as part of the business' disciplinary procedures. There may also be further activities needed, such as forced resets for all accounts for the individual or other staff.
- Security breach: Violating the password policy can result in a security breach, which can have serious consequences for the organisation. If sensitive information is accessed or stolen due to a weak password, the organisation may face legal and financial consequences.
- Loss of trust: Repeated violations of the password policy can damage the user's reputation and the organisation's trust in them. This can lead to reduced responsibilities, loss of opportunities, and a damaged career.
Password policy document and the benefits
Most commonly, the password policy forms part of the general governance documentation for use of an organisation's information systems and security. It is common to have this form part of the employment contract and agreed with the individual. All concerned know from the outset that security is a prime concern and the penalties for not complying with the requirements.
Common password policy questions
Does fine grained password policy override domain policy?
Fine-grained policies are a specific feature of Active Directory 2008 or later.
Yes, fine-grained password policies override the domain password policy. Domain password policies apply to all users in the domain by default. However, fine-grained password policies make it possible to define different password policies for different groups of users within the same domain.
Which password attack bypasses account-lockout policies?
Anything that doesn't rely on brute-force. In a brute force attack, an attacker tries every possible combination of characters to guess the user's password. This can be done manually, but it's often automated using software tools that can generate and try millions of passwords in a short period of time.
Do password policies make passwords easy to crack?
No. While you could construct a password policy to make the passwords easy to crack (for example, stipulate that all passwords will be '1234'), this is never done in practice. The intent of a password policy is almost always to ensure a minimum-level of security, with the intent of making an attacker's job difficult.
Does changing password policy force password change?
Depends on the change to the policy and the way the enforcement platform works, but it would be common for a change to the policy to force a change to the passwords to ensure they comply.
Should you enforce password policies on websites?
This depends on the information being held on the website and potential outcomes should the password be cracked. In general terms, yes, a password policy should exist for all web-based platforms.
What password policy should a business use?
The right policy is always a balance between the need for security, the potential consequences of a breach, the capabilities of the platforms and the inconvenience to individuals in complying. There is no absolute right answer, the above guidelines give some commonly-used ideas that suit many cases but the right choice is always a decision based on the specific circumstances.
Contact us today to start your businesses password policy journey.