Passing Bletchley Park, I thought about how password techniques have progressed over the years.
I recently had the opportunity to review the salient features of a password policy. This blog post summarises those features:


1) Enforce the use of unique accounts: A unique user ID should be mandatory to gain access to any network resource. Shared or generic accounts should not be used, because activity on them cannot be attributed to an individual, which undermines the auditing in point 7.

2) Enforce the use of complex passwords: Passwords should be alphanumeric and include upper-case and lower-case letters and at least one special character. Note that composition rules on their own are weak protection: current guidance (NIST SP 800-63B) favours screening new passwords against lists of known-breached passwords over strict character-class rules.

3) Enforce minimum password lengths: A minimum of at least 8 characters should be used.

4) Enforce password changes: Passwords should expire and be changed every 90 days. Be aware that NIST SP 800-63B now advises against forced periodic changes unless there is evidence of compromise, since routine rotation tends to produce predictable variations of the old password.

5) Disallow reusing passwords: A password history policy (for example, remembering the last 12 passwords) stops a user cycling back to a previous password. Pair it with a minimum password age, otherwise a user can change the password repeatedly in one sitting to flush the history and return to the old one.

6) Enable account lockouts: Automatically locking an account after a predefined number of consecutive failed logins blunts online guessing attacks. Choose the threshold, counting window and lockout duration with care: a threshold that is too low lets an attacker lock legitimate users out of their accounts at will.

7) Enforce account auditing: Both failed and successful logins should be logged and forwarded to the SIEM, so that lockouts and unusual patterns of failed logins across many accounts can be detected and investigated.
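To make points 2 to 7 concrete, here is an added example (not from the original post, and not any particular product's implementation) of a small account model that enforces complexity, minimum length, history-based reuse checks, a 90-day maximum age, lockout after repeated failures, and structured audit events destined for a SIEM. The thresholds, the PBKDF2 iteration count and the JSON event format are assumptions chosen for illustration; previous passwords are kept only as salted hashes so that the history itself never stores plaintext.

```python
import hashlib
import hmac
import json
import os
import string
from collections import deque

# Policy parameters (assumed values, matching the seven points above).
MIN_LENGTH = 8
HISTORY_DEPTH = 12          # previous passwords that may not be reused
LOCKOUT_THRESHOLD = 5       # failed logins before the account locks
LOCKOUT_WINDOW = 15 * 60    # seconds in which those failures are counted
LOCKOUT_DURATION = 30 * 60  # seconds the account stays locked
MAX_AGE = 90 * 24 * 3600    # seconds before a change is required
PBKDF2_ROUNDS = 100_000     # assumed work factor for the stored hashes


def check_complexity(password):
    """Return a list of policy violations (empty means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so history entries never hold plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, user_id, audit_log):
        self.user_id = user_id
        self.audit = audit_log                        # JSON lines bound for the SIEM
        self.history = deque(maxlen=HISTORY_DEPTH)    # (salt, digest) of past passwords
        self.current = None                           # (salt, digest) of the live password
        self.changed_at = 0
        self.failures = deque()                       # timestamps of recent failed logins
        self.locked_until = 0

    def _event(self, now, event, **fields):
        record = {"ts": int(now), "user": self.user_id, "event": event, **fields}
        self.audit.append(json.dumps(record, sort_keys=True))

    def set_password(self, password, now):
        problems = check_complexity(password)
        if problems:
            self._event(now, "password_rejected", reason=problems)
            return False, problems
        # Re-derive under each stored salt so a previous password cannot be reused.
        previous = list(self.history) + ([self.current] if self.current else [])
        for salt, digest in previous:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                self._event(now, "password_rejected", reason=["reuse of a previous password"])
                return False, ["reuse of a previous password"]
        if self.current:
            self.history.append(self.current)
        self.current = hash_password(password)
        self.changed_at = now
        self._event(now, "password_changed")
        return True, []

    def password_expired(self, now):
        return now - self.changed_at > MAX_AGE

    def login(self, password, now):
        if now < self.locked_until:
            self._event(now, "login_failed", reason="account locked")
            return False
        if self.current:
            salt, digest = self.current
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                self.failures.clear()
                self._event(now, "login_success")
                return True
        # Count failures inside the window and lock once the threshold is hit.
        self.failures.append(now)
        while self.failures and now - self.failures[0] > LOCKOUT_WINDOW:
            self.failures.popleft()
        if len(self.failures) >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures.clear()
            self._event(now, "account_locked", until=int(self.locked_until))
        else:
            self._event(now, "login_failed", reason="bad password", failures=len(self.failures))
        return False
```

The timestamp is passed in explicitly rather than read from the clock so the expiry and lockout behaviour can be exercised deterministically; in a real deployment the same structure maps onto the directory's own password and lockout settings, and the audit lines are what the SIEM correlates across accounts.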


With the increase in BYOD policies, you also need to think about passwords saved in browsers and the patching life cycle of those browsers. Whatever the size of your business, the modern digital estate has to manage several kinds of credentials, and how you configure the features above determines how well you can actually enforce your password policy. At the very least it lets you engage properly in the debate of passphrases versus complex character sets.


...cue the Post-it note!

...cue the clear desk policy that will find the Post-it note!

...cue the no desk policy... wait, what?


The IET arranges visits to the National Museum of Computing, located in Bletchley Park - Details of the latest event can be found here.