A good password policy is easy
A good password policy for your organisation is needed. It protects the confidentiality of information and the integrity of systems.
However, password policies make life hard for users. Users need to change passwords all the time and need to remember passwords with numbers and special characters. Users find their own ways to cope: they recycle the same password over and over again (just changing a number). That is not secure at all. So, by making things hard for users, password policies often end up making things less safe!
Most password policies have a far too short minimum length, making passwords susceptible to brute force attacks. In our opinion, strong passwords meet at least these criteria:
- 28 characters at minimum
- Different for every service, so that a compromised password is contained to one service.
- All different characters.
This, however, is humanly impossible. Well, almost, because you can make it easy!
Make it easy: offer a password manager
By offering a password manager, you make it easy for your people to be safe. A password manager generates and remembers strong passwords for users. Using a browser plugin, a password manager even takes care of filling in credentials, making logging in almost seamless! This way, users are happy to follow your strong password policy.
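As an added example (not code from the original article), here is a small Python script that does what the criteria above and the password-manager paragraph describe: it generates a password of 28 distinct characters using the operating system's random source, checks a candidate password against the three criteria, and computes how much entropy such a password carries compared with a short one. The 94-character alphabet, the function names and the sample passwords are assumptions chosen for illustration; the article does not specify them.

```python
from __future__ import annotations

import math
import secrets
import string

# Assumed character set a password manager would draw from: letters, digits
# and the printable ASCII punctuation (94 symbols in total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Minimum length taken from the article's criteria.
MIN_LENGTH = 28


def generate_password(length: int = MIN_LENGTH, alphabet: str = ALPHABET) -> str:
    """Generate a password of `length` distinct characters drawn from `alphabet`.

    Sampling without replacement satisfies the "all different characters"
    criterion. `secrets` uses the OS CSPRNG; the `random` module must not be
    used for this purpose.
    """
    if length > len(alphabet):
        raise ValueError("cannot pick more distinct characters than the alphabet holds")
    pool = list(alphabet)
    chosen = []
    for _ in range(length):
        # Pick uniformly from what is left, then remove it so it cannot repeat.
        idx = secrets.randbelow(len(pool))
        chosen.append(pool.pop(idx))
    return "".join(chosen)


def check_policy(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the criteria the password violates (an empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(set(password)) != len(password):
        problems.append("contains repeated characters")
    if any(ch not in ALPHABET for ch in password):
        problems.append("contains characters outside the allowed alphabet")
    return problems


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly chosen password of `length` distinct characters.

    With no repeats the number of possibilities is the falling factorial
    n * (n-1) * ... * (n-length+1), i.e. the number of permutations.
    """
    return math.log2(math.perm(alphabet_size, length))


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    print("violations:", check_policy(pw) or "none")
    # Constructed weak password of the "just change the number" kind.
    print("violations for 'Summer2024!':", check_policy("Summer2024!"))
    print(f"entropy of 8 distinct chars:  {entropy_bits(8):.1f} bits")
    print(f"entropy of 28 distinct chars: {entropy_bits(28):.1f} bits")
```

The entropy figures assume the attacker knows the alphabet and that every permutation is equally likely, which is exactly the situation a password manager produces; a human-chosen password with a number bolted on carries far less than its length suggests.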
Check out this article from NIST about memorised passwords. A password manager that creates strong passwords solves the problems mentioned in that article.
How often do you need to change shared passwords?
Shared passwords are often used for externally hosted sites, such as your company’s social media account or your cloud accounting software. Since a team working with these sites often needs access, these login credentials are regularly shared with the team members. Many organisations call these team passwords.
Most often, password policies enforce the same change frequency for team passwords as for normal passwords. However, there are crucial situations in which a team password must be changed: when a team member leaves the team, when a team member is fired, or when a breach of the service has occurred.
A good team password manager makes it easy for you to see which passwords are known by a departing team member. So you know exactly which passwords need to be changed in order to stay secure.
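As an added example (not code from the original article or from any particular password manager), the Python below shows the kind of bookkeeping a team password manager has to do to answer "which passwords does a departing member know?". It parses a constructed sharing log and distinguishes who holds access right now from who has ever been exposed to a secret: a revoked share stops future reads, but it cannot undo the fact that the person may have copied the value, so the rotation list on departure is built from the exposure history, not from current access. The log format, the secret names and the user names are all assumptions made up for this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of a team password manager's sharing log (not real data).
# Each line: timestamp, action (SHARE or REVOKE), secret name, user name.
SAMPLE_LOG = """\
2024-01-10T09:00Z SHARE  secret=social-twitter   user=alice
2024-01-10T09:00Z SHARE  secret=social-twitter   user=bob
2024-01-12T14:30Z SHARE  secret=cloud-accounting user=bob
2024-02-01T08:15Z SHARE  secret=cloud-accounting user=carol
2024-02-20T17:45Z REVOKE secret=cloud-accounting user=bob
2024-03-03T10:00Z SHARE  secret=dns-registrar    user=carol
"""


@dataclass(frozen=True)
class ShareEvent:
    timestamp: str
    action: str  # "SHARE" or "REVOKE"
    secret: str
    user: str


def parse_log(text: str) -> list[ShareEvent]:
    """Parse the assumed log format into ShareEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, action, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append(ShareEvent(timestamp, action, kv["secret"], kv["user"]))
    return events


def current_access(events: list[ShareEvent]) -> dict[str, set[str]]:
    """Map each secret to the users who hold access to it right now."""
    access: dict[str, set[str]] = {}
    for ev in events:
        users = access.setdefault(ev.secret, set())
        if ev.action == "SHARE":
            users.add(ev.user)
        elif ev.action == "REVOKE":
            users.discard(ev.user)
    return access


def exposure(events: list[ShareEvent]) -> dict[str, set[str]]:
    """Map each secret to every user who has ever been able to read it.

    A REVOKE removes current access but cannot "un-see" the value, so it
    never removes a user from the exposure set.
    """
    seen: dict[str, set[str]] = {}
    for ev in events:
        if ev.action == "SHARE":
            seen.setdefault(ev.secret, set()).add(ev.user)
    return seen


def secrets_to_rotate_on_departure(events: list[ShareEvent], departing_user: str) -> list[str]:
    """Every secret the departing user was ever exposed to must be rotated."""
    return sorted(
        secret for secret, users in exposure(events).items() if departing_user in users
    )


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    # bob's access to cloud-accounting was revoked in February, yet it still
    # appears here: he could have kept a copy while he had access.
    print("rotate when bob leaves:", secrets_to_rotate_on_departure(log, "bob"))
    print("current holders of cloud-accounting:", current_access(log)["cloud-accounting"])
```

The same exposure map answers the breach case too: when a service is compromised, every secret belonging to that service is rotated and every user in its exposure set is told, regardless of whether their share is still active.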