I have never seen an employee handbook that doesn’t have a password policy. In my experience, these policies are written by a legal team and then signed off on by the IT team. Insurers, auditors, and investors all ask for your password policy when doing their due diligence. Many companies don’t have acceptable use or IT-specific handbooks for their employees so this piece gets put into the employee handbook.
It seems like for decades password policies haven’t changed. Even when you Google password policy, you get requirements like “enforce password history”, “minimum password age”, and “maximum password age”. Most of the elements are no longer considered best practices and in some cases make your password policy less secure. For example, a typical guideline that you may be familiar with is “password complexity”. The National Institute of Standards and Technology (NIST) is the bases for most computer security guidelines in the US. In their official recommendations, NIST no longer feels password complexity is relevant to the types of cyber-attacks being used to steal passwords. Instead, (Based on sp8000–63b A.2) “Password length has been found to be the primary factor in characterizing password strength”.
So how do you create a reasonable and easy-to-follow password policy for your business? Well, I have taken the liberty of writing one for you:
Sample Password Policy:
Overview:
This policy for acceptable password management should be used for all users in the company and applied to the best of your ability to all systems that require passwords. In addition to the password policy, the Company mandates that you use Microsoft Authenticator for Multi-Factor (MFA) Authentication. All internal or external systems that require a password should also be configured with MFA. If an external resource you access for company business does not allow for MFA please contact the head of IT for guidance on using that site going forward.
Password Policy:
Do not rely on passwords alone. Use MFA wherever possible
Passwords should be a minimum of 15 characters — Either use a passphrase or a password generator to create your passwords. (Example passphrase: “purple cabbage rabbit”)
Each account should have a unique password. Never share a password with multiple accounts.
Use a password manager such as Keeper Security to manage your passwords
Passwords only need to be changed when required by your IT department
All passwords will be matched against known breach lists and commonly used password databases
Thats it! A simple, easy to follow easy to implement password policy that is more secure than your traditional password policies from years past. Thank you for reading.
My company, GLM West, inc., offers consulting services that can help you with this and other IT outsourcing services, check out our website for more info! https://www.glmwest.com
Comments