Password Policies and Guidelines

Using a password policy is an important part in enhancing your organization’s password security. Cyberattacks continue to explode around the world with a variety of techniques to compromise corporate passwords. To defend against these attacks, organizations employ password policies to enforce secure passwords and use them to protect enterprise data.

What is a password policy?

A password policy is a set of requirements for passwords in an organization. This can include requirements related to the length and complexity of the password, the expiration period, password reuse and disallowing known breached passwords.

What’s the best password policy?

After researching the various password policies that apply to your organization, you need to decide which requirements need to be enforced to fulfill compliance, provide the best security and ensure end-user adoption. There’s been an ongoing debate around the downsides of password expiration and complexity requirements, since end users often reuse their passwords when faced with these requirements. Another helpful resource is the IT professional forum Spiceworks, where IT pros provide advice related to password policies.

A password policy is not a set-and-forget network setting. Make a schedule to review the policy at regular intervals after checking the most up-to-date recommendations from industry experts and compliance standards.

Here’s a list of the top password policies best practices and guidelines.

Password Policy Types

• Office 365 password policy – Office 365 cloud-only users are subject to the password policy built into Azure AD. Microsoft provides guidance and requirements.
• Active Directory password policy – An Active Directory password policy is a set of rules that define what passwords are allowed in an organization, and how long they are valid. The policy is enforced for all users as part of the Default Domain Policy Group Policy object, or by applying a fine-grained password policy (FGPP) to security groups.
  • How to check your AD password policy
  • How to enforce password history in Active Directory
• NIST password policy – The most recent password standards and requirements from the National Institute of Standards and Technology (NIST).
• Fine grained password policy – In Windows 2008 Microsoft introduced the Fine-Grained Password Policies (FGPP) feature, enabling administrators to configure different password policies based on Active Directory security groups.

Password Policy Settings

• Password expiration policy  – Best practices in setting the minimum and maximum password age policy.
• How to enforce password policy – Ensure that the policy is being enforced using these Group Policy settings.
• Password length best practices – Minimum password length for creating strong passwords.

Industry

• HIPPA password policy – The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect against unauthorized access. Read about the role of passwords in HIPAA compliance.
• HITRUST CSF password policy​ – Formed in 2007 to fill the gap of the requirements of HIPAA, the Health Information Trust offers a framework that provides a way to comply with standards such as ISO/IEC 27000-series and HIPAA.
• Criminal Justice Information Services Division (CJIS) – The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community’s Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST).
• Cybersecurity Maturity Model Certification (CMMC) – the CMMC is largely a roll-up of several different requirements from different industry bodies into one cohesive set of guidelines, for use by DoD contractors.
• The General Data Protection Regulation (GDPR)/ICO – GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR does not say anything specific about passwords; ICO, the UK’s public body responsible for GDPR enforcement, does provide some non-binding guidance on passwords.
• PCI compliance UK – Payment Card Industry Data Security Standard (PCI DSS) security recommendations required for any business that accepts, stores, transmits, or processes cardholder data.
• National Agency for the Security of Information Systems (ANSSI) – France’s national authority charged with supporting and securing the development of digital technology.
• National Cyber Security Centre (NCSC) – An organization of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats.

Other resources

• Password Policy Best Practices – Points to consider when creating or updating your password policy
• Password Policy Compliance Report – Anyone who wants to evaluate how well their existing password policies measure up against different compliance standards may benefit from running a free scan with Specops Password Auditor.

Get serious about password security with Specops Password Policy

Specops Password Policy is a feature-rich solution with robust controls over Active Directory password settings. The Specops Breached Password Protection feature includes a real-time breached password check that prevents users from selecting vulnerable passwords.