Do You Have A Password Policy?
Continuing our EstesCloud IT Security blog series, which began with why you should write a security policy and do you have a malware policy, this edition covers passwords.
A client recently changed managed IT service companies to EstesCloud and we quickly discovered some issues that involved passwords. It is typically only after an organizational change that password and security problems are exposed, so what’s the solution? We suggest creating a password security policy.
A password security policy is a document that outlines how users may create and use passwords. It can also include guidelines for creating logins/usernames and more. It is important to an organization's security, because most assets are protected only with a name and a password. Consider how many websites and doors open up with just a name and a password. Now, consider the ramifications if those passwords were compromised!
It is likely you have never considered implementing a specific password policy, so let's take a moment to look at some of the problems with not having one and some of the components to consider when you do write one. Microsoft's default password policy (the Active Directory Default Domain Policy) uses these settings:
Passwords must be changed every 42 days, but not more often than once a day.
Passwords must be 7 or more characters.
The 24 previous passwords are remembered and cannot be reused.
Passwords must be complex (UPPER, lower, numbers and symbols).
Passwords cannot contain the username.
Problems caused by not having a password security policy in place
1. When an employee leaves.
When an employee leaves, whether through death, resignation or termination, or even for a temporary leave of absence, the next person to handle their role needs access to information. This can include computer passwords, website logins, e-mail access and more. Employees can set up their own logins and passwords, which leaves the successor unable to access important information.
Example: Susie used an online payroll processing company and, when she created her logins, used personal information to set up the security questions. When she was terminated for not processing the payroll one week, all those answers went with her. She was not cooperative in providing that information to her former employer. This resulted in lost productivity when the owner had to prove ownership and reset the account, including transferring all the historical data.
2. When changing a vendor.
This is similar to when an employee leaves because the vendor is like an employee. They have information that they take with them when the contract ends, and getting it back, when they are no longer financially tied to you, is difficult.
Example: John was hired to replace the former IT company, who had failed to perform and test regular backups. When he attempted to resolve an issue with Microsoft, he didn't have the information needed to log in or verify the business. A password reset wasn't working because nobody knew which e-mail address had been used to create the account. This resulted in lost money for the company, who had to pay John to troubleshoot something created by another vendor that had already been paid.
Components to consider in writing a password policy
1. Purpose and Scope of the policy
Explain why this policy is being created and where it is to be implemented. For example, does it cover only client data, or all web use?
2. How long a password can be in place before it needs to be changed
This is usually between 60 and 180 days for most companies. When there is less security risk, longer periods can be considered. Requiring changes more frequently than every 30 days results in employee frustration, and users will usually write their passwords on a sticky note and leave it under the keyboard.
3. How long a password needs to be
Strong passwords are 8-14 characters. The longer the password, the harder it is to crack. Think pass-phrase instead of pass-word and you'll be safer.
4. Variety of password characters
Requiring letters, capitalization, numbers and symbols can create a more secure password. The policy can also exclude things like repeated characters, use of a name or username, etc.
5. How passwords are stored
Passwords may be stored in a secure document, a shared cloud file, an encryption program or elsewhere, and the policy needs to specify which. Additionally, note how passwords should not be stored, shared or communicated.
6. How the policy will be enforced and disciplinary actions if not adhered to
Clearly communicate how this policy will be enforced and by whom. Lay out the action steps if the policy is not followed. This may also be where a component is added regarding account lockout. Remember that the goal is security, not endless disciplinary action.
7. Administrative rights
Define what administrators are able to access and when.
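To show how the policy components above and the Microsoft default settings listed earlier translate into concrete checks, here is an added Python example (not EstesCloud's or Microsoft's code). It models a policy as data and validates a candidate password against it: minimum length, character-class complexity, the username rule, a repeated-character rule, the 24-password history, and the minimum and maximum password age. The rule names, the three-in-a-row repeat limit, and the use of SHA-256 fingerprints for the history are my assumptions; the numeric defaults are the ones the post lists.

```python
"""Password policy checker modelling the settings discussed in this post.
Added example; not EstesCloud's or Microsoft's code. Rule names and the
repeat-run limit are assumptions; numeric defaults follow the post."""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import re


@dataclass
class PasswordPolicy:
    min_length: int = 7              # Microsoft default: 7 or more characters
    max_age_days: int = 42           # must be changed every 42 days
    min_age_days: int = 1            # but not more often than once a day
    history_size: int = 24           # 24 previous passwords remembered
    require_complexity: bool = True  # UPPER, lower, numbers and symbols
    forbid_username: bool = True     # password cannot contain the username
    max_repeat_run: int = 3          # assumption: no character 3+ times in a row


@dataclass
class AccountState:
    username: str
    last_changed: date
    history_hashes: list = field(default_factory=list)  # fingerprints, newest last


def _fingerprint(password: str) -> str:
    # History keeps SHA-256 fingerprints so old passwords are never stored in clear.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate_password(policy, account, candidate, today=None):
    """Return the list of violated rules; an empty list means the candidate is acceptable."""
    today = today or date.today()
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity:
        classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
        if any(not re.search(c, candidate) for c in classes):
            violations.append("missing character classes (need upper, lower, number, symbol)")
    if policy.forbid_username and account.username and account.username.lower() in candidate.lower():
        violations.append("contains the username")
    # (.)\1{n-1,} matches one character followed by n-1 or more copies of itself
    if re.search(r"(.)\1{%d,}" % (policy.max_repeat_run - 1), candidate):
        violations.append(f"repeats a character {policy.max_repeat_run}+ times in a row")
    if _fingerprint(candidate) in account.history_hashes[-policy.history_size:]:
        violations.append(f"reuses one of the last {policy.history_size} passwords")
    if (today - account.last_changed).days < policy.min_age_days:
        violations.append("changed less than a day ago")
    return violations


def days_until_expiry(policy, account, today=None):
    """Days left before the maximum password age forces a change (negative if overdue)."""
    today = today or date.today()
    return policy.max_age_days - (today - account.last_changed).days


def change_password(policy, account, candidate, today=None):
    """Apply the change if the candidate passes every rule; return True on success."""
    today = today or date.today()
    if validate_password(policy, account, candidate, today):
        return False
    account.history_hashes.append(_fingerprint(candidate))
    account.history_hashes = account.history_hashes[-policy.history_size:]
    account.last_changed = today
    return True


if __name__ == "__main__":
    # Constructed sample account, not real data.
    policy = PasswordPolicy()
    acct = AccountState(username="susie", last_changed=date(2024, 1, 1))
    print(validate_password(policy, acct, "Susie!2024", today=date(2024, 2, 1)))
    print(days_until_expiry(policy, acct, today=date(2024, 2, 1)))
    print(change_password(policy, acct, "Payroll-Q1-2024", today=date(2024, 2, 1)))
```

The history is kept as hashes rather than plaintext so that enforcing the "no reuse" rule does not itself create a store of old passwords worth stealing; the age checks return numbers so the same functions can drive expiry reminders.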
A good password policy can help a company keep information secure and gives it an action plan for an organizational change in which a successor takes over tasks that require a password. Partner with your IT company when creating your password policy, as they are typically the administrators of the policy. They will be instrumental in setting up the behind-the-scenes processes that manage password security.
See the SANS sample password policy for a starting point.
In some cases where single-factor authentication (name/password) is insufficient, we can help with multi-factor authentication (like PIN# and a text message). EstesCloud Server Care includes a password policy review, and depending on your company policy, we can propose a more secure password policy.
EstesCloud // Explore our Managed Services Solution:
CompleteCare: Maintaining your own IT infrastructure is expensive and frustrating. EstesCloud CompleteCare combines the benefits of our ServerCare and ClientCare programs into one comprehensive program that protects your entire IT infrastructure at a predictable fixed cost. Let the EstesCloud team become your Trusted IT Advisor, so you can get back to growing your business.
Let’s start the conversation!
ServerCare: A proactive approach to IT that includes regular scheduled maintenance and monitoring is essential to maintaining a healthy network and a productive staff.
EstesCloud ServerCare will give you peace of mind knowing that our team is continually watching and caring for your servers.
Discover the Benefits of ServerCare.
ClientCare: Proactive support for your desktops, laptops, and mobile devices. We provide all of the monitoring, patching, and security tools for your systems, plus full access to our help desk services 24/7/365.
EstesCloud ClientCare will ensure your valuable data is secure whenever and wherever it is needed.
Take control of your systems today.
ComplianceCare: Are you a medical provider under HIPAA or HITECH regulatory compliance? Are government auditors keeping you up at night? Our HIPAA IT Management Service will ensure you are HIPAA compliant.
For the health of your IT Enterprise.