Best practice tips for your password policy

I think we can all agree that policies are one of the more boring aspects of a security program. They often bring about a false sense of security and tend to facilitate complacency. After all, the assumption is as long as the policy is documented, then it must be true. This is an especially common mindset among executive management. They see IT and security teams spending the time, money, and effort. But that doesn’t always translate into positive security and network resilience. Policies mean very little in the greater scheme of an information security program until they are properly managed and enforced. This reality applies to passwords as much as anything else. So, you must consider whether your current approach to passwords is adequate, and contributing in positive ways to the business. 

Many people have yet to craft a well-thought-out password policy. I often see in my work the situation where the password policy says one thing but there’s something completely different taking place on the network. That’s the exact space that your business can’t afford to venture into. Consider the following when creating or updating your password policy: 

• What, specifically, is it that we’re trying to accomplish with this policy? This would be the organization’s overall mission, goals, and philosophies for information risk management and transacting business in your industry. 
• What risks have we identified in the context of passwords and what minimum password requirements do we need to meet?  Don’t blindly follow password guidance, such as the NIST Digital Identity Guidelines, Microsoft’s pre-defined GPO-based, or fine-grained password policies. Instead, find out what’s really needed based on your unique requirements. You’ll likely find that you need to fine-tune your policies to help with secure password creation, passphrase support for more granular complexity, and enhanced management capabilities for password expiration and ongoing reporting. 
• What are we doing to ensure that our password policy and standards are being enforced across our network? Paperwork without enforcement is merely a suggestion. If you document it, people will hold you to it. As long as you’re doing what you say you’re doing, you should be okay. Otherwise your policies could end up working against you, creating more problems (liabilities) than they’re solving. 

Fleshing out the above points, you can’t just create arbitrary password standards without fully understanding the authentication-related security risks. Think about your own internal standards that are necessary for reasonable passwords. Also, consider what has been committed to in terms of customer and business partner contracts, laws and regulations, and so on. Make sure that whatever policy-related verbiage you might have in your employee handbook, or other business documentation, coincides with your formal password policy. 

Your password policy should be a standalone document rather than embedded into a more generic IT security or acceptable usage policy. It should clearly lay out, and in plain language, its purpose and scope as well as specific roles and responsibilities. The actual policy statement will outline the technical specifics on password requirements involving length, complexity, and the like. You’ll want to be clear on which systems, applications, and devices the policy applies to or does not apply to (including any system, department, or user exceptions). Finally, you will need to document specific procedures on how the policy is carried out and enforced.  

Security policies are all about setting expectations. A good measure of a solid password policy is that it clearly states: this is how we do things here. Some common oversights in terms of password policy management involve how compliance will be measured, sanctions for violations, and ongoing review/evaluation. Make sure that you’re addressing each of these areas and that your security committee and users are on-board with what is expected.  

Be careful with your password policy – and any security policy for that matter – as it outlines what’s expected and, presumably, what’s being done. Everyone’s watching. If people see that you’re saying one thing but not following it up with any substance and doing something else, they won’t take your password policy, or your overall security program, very seriously. The formula for password success is straightforward: 1) know what you’ve got, 2) understand how it’s at risk, and 3) take reasonable steps to do something about it. Nothing more and nothing less.