
Password Policies: The Key to Business Security

Password policies are a set of rules created to increase cybersecurity by encouraging users to create reliable, secure passwords and then store and utilize them properly. A strong password policy is the front line of defense in protecting online transactions, personal communications and private information.

This is why system administrators play a major role in making sure that each user is well aware of the cybersecurity risks they face every day. To achieve this, they need strong password policies and best practices.

Here are some examples of password policy best practices that every system administrator should implement:

1. Enforce History Policy

The Enforce Password History Policy sets how many new passwords a user must go through before an old password can be reused. This discourages users from reusing a previous password, which in turn prevents them from alternating between several common passwords.

2. Minimum & Maximum Age Policy

The Minimum Password Age Policy prevents a user from dodging the password system by setting a new password and then immediately changing it back to the old one. Set the minimum age to between three and seven days: this makes users less likely to switch back to an old password, while still letting them change it within a reasonable amount of time.

The Maximum Password Age Policy determines how long users can keep a password before they are required to change it. This policy forces the user to change their passwords regularly. To ensure your network’s security, you should set the value to 90 days for passwords and 180 days for passphrases.

3. Minimum Length Policy

This policy determines the minimum number of characters needed to create a password. You should set the minimum password length to at least eight characters since long passwords are harder to crack than short ones. For even greater security, you could set the minimum password length to 14 characters.

A word of advice: If you haven’t changed the default setting, you should change it immediately! Sometimes the default is set to zero characters (meaning that it allows empty passwords).
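The history, age and length values recommended above can be checked against a live configuration. The following is an added example, not code from the original article: it assumes a Windows host whose local security policy has been exported with `secedit /export /cfg`, and it reads the `[System Access]` keys from that INF text. The function name and the sample export are constructed for illustration.

```python
import configparser

# Constructed sample in the INF layout written by `secedit /export /cfg`.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordHistorySize = 0
"""

def audit_password_policy(inf_text):
    """Map each out-of-range [System Access] setting to a finding."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the exported key case
    cp.read_string(inf_text)
    sa = cp["System Access"]
    history = sa.getint("PasswordHistorySize", fallback=0)
    min_age = sa.getint("MinimumPasswordAge", fallback=0)
    max_age = sa.getint("MaximumPasswordAge", fallback=-1)
    min_len = sa.getint("MinimumPasswordLength", fallback=0)

    findings = {}
    if history == 0:
        findings["PasswordHistorySize"] = "no history kept; old passwords can be reused at once"
    if not 3 <= min_age <= 7:
        findings["MinimumPasswordAge"] = f"{min_age} days; the article recommends 3 to 7"
    # Assumption: a zero or negative value means the password never expires.
    if max_age <= 0 or max_age > 90:
        findings["MaximumPasswordAge"] = f"{max_age} days; the article recommends 90"
    if min_len == 0:
        findings["MinimumPasswordLength"] = "0 characters; empty passwords are allowed"
    elif min_len < 8:
        findings["MinimumPasswordLength"] = f"{min_len} characters; the article recommends at least 8"
    return findings

if __name__ == "__main__":
    for key, message in audit_password_policy(SAMPLE_INF).items():
        print(f"{key}: {message}")
```

A real export is typically UTF-16 encoded, so decode the file before passing its text to the function.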

4. Passwords Must Meet Complexity Requirements Policy

By enabling the Passwords Must Meet Complexity Requirements Policy, you’ll ensure that every password is secured following these guidelines:

• Passwords cannot contain the username or parts of the user’s full name (e.g., their first name).

• Passwords must use at least three of the four available character types: lowercase letters, uppercase letters, numbers and symbols.
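The two complexity rules above, together with the eight-character minimum from section 3, can be expressed as a check that runs when a password is set. This is an added example, not code from the original article. The function name is hypothetical, and it assumes that the full name is split on spaces and common separators, that name parts shorter than three characters are ignored, and that matching is case-insensitive.

```python
import re

def complexity_problems(password, username, full_name, min_length=8):
    """Return the list of rules the candidate password breaks."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")

    lowered = password.lower()
    # Assumption: usernames and name parts under three characters are
    # skipped, otherwise a name like "Al" would reject most passwords.
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("username")
    parts = [p for p in re.split(r"[\s,.\-_#]+", full_name) if len(p) >= 3]
    if any(p.lower() in lowered for p in parts):
        problems.append("name_part")

    # Count how many of the four character types are present.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # symbols, including spaces
    ]
    if sum(classes) < 3:
        problems.append("character_types")
    return problems

if __name__ == "__main__":
    # Constructed sample accounts and passwords.
    samples = [
        ("Summer2024", "jsmith", "Jane Smith"),
        ("janesmith1", "jsmith", "Jane Smith"),
        ("JSmith!9x", "jsmith", "Jane Smith"),
        ("Walnut#42", "awu", "Al Wu"),
    ]
    for pw, user, name in samples:
        print(pw, complexity_problems(pw, user, name) or "ok")
```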

5. Strong Passphrase Policy

Strong passphrases with a minimum of 15 characters should always be used to protect domain administrator accounts. Passwords and passphrases serve the same purpose, but passwords are usually short, hard to remember and easy to crack, while passphrases are easier to remember and type but much harder to crack because of their length.

6. Password Audit Policy

Enabling the Password Audit Policy allows you to track all password changes. By monitoring the modifications that are made, it is easier to track potential security problems. This helps to ensure user accountability and provides evidence in the event of a security breach.

It is so important to educate your users on how to manage their passwords. Passwords are only one piece of the security puzzle. Security Awareness Training is a great way to keep your user accounts safe — never forget that a chain is only as strong as its weakest link.

©2024 Verity IT, LLC