The aim of a password policy is to protect your organisation’s network by enforcing certain rules and procedures with regard to IT passwords.
Consider the following guidance when setting your password policy.
Make It Easy To Store Passwords
The typical user has dozens of passwords to remember, and inevitably users WILL write passwords down even if you ask them not to. So, ensure it is easy for users to safely store their passwords, so they don’t have to resort to sticky notes on the monitor or under the keyboard.
Storage could be physical (for example secure cabinets) or technical (such as password management software), or a combination of both.
Your password policy should also consider the needs of mobile users who will be using passwords in riskier locations than your normal offices. Make sure they know:
- How to store, access, change and reset passwords remotely.
- How to store passwords separately from the devices they protect.
- Who to report to immediately if they lose a written password (or the device itself), or if they suspect the password has been compromised (for example by shoulder-surfing in a public location).
Keep Password Rules Simple
If you have good technical defences in place (such as throttling or locking out repeated failed login attempts, and checking new passwords against a denylist of common passwords), then your password policy shouldn’t force users to waste effort creating and managing lots of complex passwords. Provided you ensure that users know the importance of not re-using their home passwords for work accounts, and of not choosing passwords that are easy to guess, your guidance can move away from ‘DO and DON’T’ rules towards an approach that is easier for users to understand and follow.
Turn Off Regular Password Expiry
Consider turning off regular password expiry. The cost of forcing users to regularly change their password is currently considered to outweigh any protection it might give. Users invariably use weaker passwords, making only minor changes to old passwords and burdening your helpdesk with password resets. Instead, consider telling your users that you are removing the need to renew passwords, so they can concentrate on the measures that do make a difference, such as:
- Making sure passwords aren’t easy to guess.
- Storing passwords in approved ways.
- Reporting unrecognised logins (or attempted logins), or unusual activity on their accounts.
- Changing passwords where compromise is evident or suspected.
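The check below is an added example (not code from the original page or from any particular product) of the kind of technical defence the guidance favours over complex composition rules and forced expiry: it rejects passwords that are on a denylist of common passwords, that contain context words such as the username or organisation name, that use almost no distinct characters, or that are merely a trivial variation of the previous password (the "Winter2023!" to "Winter2024!" pattern that expiry rules tend to produce). The denylist, usernames and organisation name are constructed for illustration; a real deployment would load a large list of common or breached passwords.

```python
"""Added example: an 'easy to guess' check for a password policy.

Rejects candidates that appear on a denylist, contain context words,
use too few distinct characters, or are a trivial variation of the
previous password. The denylist below is a constructed sample.
"""
import re

# Constructed sample denylist; a real deployment would load a large list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "password1", "summer2024", "iloveyou",
}

MIN_LENGTH = 8

# Substitutions users commonly make when forced to 'complicate' a password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s", "!": "i"})


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo leet substitutions,
    so that 'P@ssw0rd1!' and 'Winter2024!' compare as 'password' and 'winter'."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(_LEET)


def check_password(candidate: str, username: str = "",
                   org_words: tuple[str, ...] = (),
                   previous: str = "") -> list[str]:
    """Return the reasons the candidate is rejected; an empty list means OK."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    norm = normalise(candidate)
    if norm in COMMON_PASSWORDS or candidate.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password denylist")

    # Context words: the username and organisation name are guessable.
    for word in (w.lower() for w in (username, *org_words) if w):
        if len(word) >= 3 and (word in candidate.lower() or word in norm):
            reasons.append(f"contains context word '{word}'")

    # 'aaaaaaaa' or 'abababab' satisfy a length rule but are trivially guessed.
    if candidate and len(set(candidate)) <= 2:
        reasons.append("uses too few distinct characters")

    # Minor edits to the old password give no real protection.
    if previous and normalise(previous) == norm:
        reasons.append("only a trivial variation of the previous password")

    return reasons


if __name__ == "__main__":
    # Constructed inputs: hypothetical user 'jsmith' at 'AcmeCorp'.
    for pw in ["P@ssw0rd1!", "correct horse battery staple",
               "acmecorp2024", "aaaaaaaaa"]:
        result = check_password(pw, username="jsmith", org_words=("AcmeCorp",))
        print(f"{pw!r} -> {result or ['ok']}")
    print(check_password("Winter2024!", previous="Winter2023!"))
```

Note that the check does not demand mixed case or symbols: a long passphrase such as "correct horse battery staple" passes, while "P@ssw0rd1!" fails despite satisfying typical complexity rules, which is exactly the shift in emphasis the guidance describes.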
Protect Your Systems
Your system’s security should always rely more on effective technical defences than it does on ‘correct’ user behaviour.
For instance, it is important to tell your users about the dangers of phishing, but you cannot stop all successful phishing attacks by relying on users to detect and avoid them. Also, excessive individual penalties associated with falling for a phish might mean your users are too afraid to open legitimate emails, which will have business costs.
Focus instead on enacting good technical defences, ensuring users know how to spot common types of phishing emails, and where to report any emails or websites they are unsure about.
Assess The Effectiveness Of Your Policy
If your organisation has an approved secure password storage policy but you’re still finding passwords on sticky notes stuck under keyboards, then your policies and/or processes aren’t working and you should try to find out why.
For example, if you do keep coming across insecurely stored passwords, it might indicate that your users:
- Find the process to securely store passwords is too demanding, impractical or takes too much time away from their normal duties.
- Have so many passwords that they are still using coping strategies.
- Are simply not aware of your guidance.
Investigate and take action accordingly. By and large, users will do their best to comply with reasonable, workable security requirements. If you find problems, it’s usually a sign that the IT policies or processes need fixing, not the people.