Home / Blog / General / The latest best practice password policy recommendations

August 5, 2019

Passwords are supposed to keep us safe. In fact, they’re a high-security risk.

You’d be forgiven for assuming that your junior staff would be the users with the least security awareness. But it’s simply not true. Stats show people who work at high levels use passwords that are simply too weak or follow poor guidelines. You don’t have to look far for examples…

Take Hillary Clinton’s campaign manager, John Podesta. Depending on who you believe, Podesta’s password for his personal email account was ‘Password’. Other sources cite that he forgot his Apple iCloud password and asked his aid to email it to him.

Once the hacker went in, his passwords were exposed to the world. A series of embarrassing issues arising for the Clinton campaign ensued. The hackers started telling voters to ‘vote Trump.’ The campaign fell apart and serious ethical questions arose about Clinton and her campaign.

This shows how vulnerable and important setting good passwords has become. It isn’t simply about coming up with a tough one – but following the right protocols to retrieve a forgotten password.

Infographic: Best practice password policy

You might not be in politics. But your business can’t afford reputational damage, data losses and data breaches that expose your customer data and leave you open to fines …or worse.

Let’ s take a look at recommended best practices when setting a password.

Best practice password policy

According to the National Cyber Security Centre’s guidelines, the following should be considered into your policy:

Switch on password protection1. Switch on password protection

On all your devices, ensure you switch on password protection. This includes ensuring you implement screen lock security such as patterns, pins and or bio-security measures such as fingerprint and face recognition.

Your policy should ensure that associated passwords to devices follow best practice thinking. Passwords on devices are effectively a master password and as such should be tougher to guess.

Password generators are a piece of software and by their nature, not 100% impregnable. They’re an attractive target for hackers. On the other hand, user-generated passwords are often easy to guess if you pick your name, birth date or the name of a family member.

For more detailed guidance on which route to choose, review the National Crime Agency’s (NCA) guidance before you make any major changes to your policy.

> Encryption

Static IT equipment such as PCs and laptops often have their own encryption built in. Ensure, however, you implement best practice to switch on and configure the encryption. Use a Trusted Platform (TPM) and products such as Bit Locker for Windows with PIN security to add additional security to this type of equipment.

If you use macOS systems, use FileVault or similar apps.

Two factor authentication2. Two-factor authentication

Where possible implement Two Factor Authentication (also known as 2FA). This adds an extra security layer with minimal effort and cost. 2FA requires a code entered from an external device to gain access to the system.

Educate teams3. Educate teams on choosing a strong password

Teams should be well drilled on what makes a strong password.

This training should be periodically refreshed and backed up with clear guidance. The training you provide should interconnect with your wider security policy.

It is vital that the access given should be the lowest level the system user requires (a principle of least privileges). Also, users should never need to share their password with other users to do their job.

Avoid password overload4. Avoid password overload

> Both the NCSC and the NCA recommend not enforcing regular password changes.

Research shows that passwords only need changing for suspected or detected security breaches. The NCA believes that regular changing is detrimental to IT security overall.

Top tip:

On the balance of risk, the NCSC using a password manager tool, ensuring the master password is a strong one. Ideally a memorable phrase or three random words. Either of these is much easier to remember and far harder to hack than our usual formatting habits.

While you don’t want to force password updates too often, you should make it easy for your teams to reset their password if they have forgotten it.

Change password defaults5. Change default passwords

Ensure you replace all default device passwords before distributing them among your teams. This is a common error. To go the extra mile, ensure that you have a regular review programme in place to check for and eliminate default passwords from your organisation.

The importance of an on-going cyber security programme

Regular penetration testing, sophisticated social engineering and in-depth user awareness training are all crucial parts of improving your cyber security. Together, they’ll expose any weak links in your security defences, whether they be passwords, unpatched systems, misconfigured hardware or more.

Ensuring implementation of a strong password policy is one of many stages towards your cyber security improvements. You can create actionable steps to make a real difference to your cyber security defences.

Related articles:

Comtact's UK Security Operation Centre (SOC)

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.