Organizations must develop strong password policies to prevent and combat destructive cyber attacks.
As the number and breadth of cyber attacks and breaches increase each day, organizations must prioritize cybersecurity to prevent major damage to their infrastructure. These attacks often begin by a cyber criminal stealing passwords from unsuspecting or untrained employees. An attacker only needs a single opening to access everything of value in your system; with control of a single key, they can exploit that entry point to access a company's entire network. If the access key is stolen from a system administrator account, the attack is only expedited and escalated.
A solid password policy is the first line of defense for your corporate network. Protecting your systems from unauthorized users may sound easy on the surface, but it can actually be quite complicated. You have to balance password security with usability, while also following various regulatory requirements.
Tips for creating a strong password policy
The following are 11 key practices to consider when creating a strong password security framework that will keep your systems safe:
- Use Complex Passwords: This may seem basic, but simple passwords are easily compromised. Enforcing complexity requirements is the standard first step in stopping brute force hacking attempts. You can require that all users create passwords that do not reference the user's legal name or username. Robust passwords also utilize combinations of characters, numbers, as well as upper- and lower-case letters.
- Set Minimum Password Length: Conventional wisdom says that a complex password is more secure. But in reality, password length is a much more important factor because a longer password is harder to decrypt if stolen. A common practice is setting a minimum of eight characters, but a minimum character length of 14 characters is a better standard.
- Use a Password List to Block Compromised Passwords: Today, stolen credentials are the leading cause of data breaches. Thanks to password reuse, many credential-based attacks use breached password lists from one system to target another. To protect your data against these attacks, a password policy should ban common and breached passwords.
- Utilize Passphrases: Domain administrators' accounts require greater protection. In such cases, enforce the use of passphrases (with a 15-character minimum length), which are easier to remember and type, but harder to gain access to.
- Don't use secret questions: It is a common practice to set up 'secret questions' that can be answered in order to unlock or reset the password on an account. Secret questions would be things like 'what is your mother's maiden name,' or 'what was your school mascot.' Since these types of questions can be vulnerable to social engineering attacks, it is best to avoid them.
- Use Multi-Factor Authentication: One of the best ways you can improve your password security is to implement multi-factor authentication. This is where, in addition to a username and password, other factors are used to verify a user. For example, this can be a one-time password that is generated specifically for the user on their mobile device during authentication.
- Mandatory Password Resets in the Case of Potential Threat: For greater protection, it is common to have minimum reset periods, however, these can lead to users recycling passwords. Users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns. This can actually lead to greater risk of breach, so restrict password resets to longer periods or only in the case of a potential threat.
- Restrict Password Reuse: Choosing to enforce the password history requirement will limit how often an old password can be used. Setting minimums, such as the previous 5 passwords not being allowed can help avoid the overuse of “favorite” or "easy" ones.
- Set Minimum and Maximum Password Age Limits: Sometimes employees will temporarily change a password and then switch back to a familiar one. Requiring each password to be held for a number of days eliminates this issue. However, your IT support should be available to change compromised passwords when the minimum age limit isn't met. Setting a maximum password age limit also helps with network security.
- Establish Password Audits: You will need to track your team's compliance with the password security policy. An audit will monitor password modifications to ensure compliance and to highlight and correct weak access points.
- Send Reminders: Your team is likely to forget to comply with the company's password policy on their own. Set up automatic email notifications to remind them to change their passwords before they expire.
Following these tips will help you improve and strengthen your existing password policy. Prioritizing a strong password policy will help fend off one of the most common types of cyberattacks. Don't fall victim to cyber criminals by making yourself an easy target.
Read more on Security Vulnerability Prevention and the Consequences of a Data Breach:
Cylera is the next-generation in IoT and medical device security, with enhanced intelligence. We deliver richer data, stronger security and faster reaction times in order to safeguard what matters most: people, data and privacy. Unlike others who use “first-generation” approaches that fall short, Cylera's Platform is next-generation, patented technology, with unique IoT Device Emulation/digital twin that has zero disruption and can assess true risk within IoT and medical devices with clinical workflow context. Aligned with the NIST Cybersecurity Framework, ISO 27001, HIPAA, NIS and others, Cylera addresses IoT risks to patient care and safety.