
Update Your Password Policy

One of the most basic cybersecurity steps an organization can take is to update its password policy. Passwords are your first line of defense, and keeping the policy that governs them current is a crucial safeguard that many compliance frameworks call out explicitly.

The days of a single password for all applications and logins are long over, though some organizations still have not adopted compliance policies for this simple but effective security step. Good password policy guidelines include tenets such as: passwords should never be reused across accounts, and they should meet complexity requirements so that brute-force attacks are impractical. These requirements should be verified on a regular basis through a password audit or an automated password vulnerability scan. We recommend adopting password managers and multi-factor authentication (MFA) as part of your password policy; doing so simplifies these processes for all users and aids the uptake of the requirements.

Adding multifactor authentication is one of the easiest ways to significantly improve your security posture. MFA takes advantage of a three-legged approach to security:

  1. Something you know: Password or PIN
  2. Something you have: Physical key or authenticator device
  3. Something you are: Fingerprint or face scan

Using two or more of these “legs” will significantly improve protection of your company’s data and your customers’ data, and generally secure your business-related accounts. You may be familiar with authenticator apps used to confirm your identity before logging in to certain portals. (SMS text-message MFA is notorious for its involvement in cyber-attacks, so switch to an authenticator app if you can!)

Thankfully, many organizations are already paying for tools that include MFA, and if not, there are affordable options to add it to your existing infrastructure. For example, Microsoft customers likely have access to MFA options that integrate with existing Windows infrastructure and single sign-on configurations that can be extended to existing applications. Additionally, these built-in features can be augmented to meet stringent compliance requirements such as Cybersecurity Maturity Model Certification (CMMC) 2.0. Organizations that use other business suite software, such as Google Workspace, have similar tools built in and ready to implement. For small teams, this may be as simple as turning the MFA option “on.” For larger organizations, some special configuration may be necessary.

Another aspect to consider is whether an existing compliance framework dictates parts of your password policy. For example, the National Institute of Standards and Technology (NIST) recommends longer passwords (16+ char.) and allowing them to never expire. This was found to be more secure and a better practice than forcing shorter passwords that expire every 30-90 days. (NIST 800-63B Section
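As an added illustration (not code from the original post), here are the checks a password-policy enforcement script could apply to a new password under the guidelines above: the 16+ character minimum the post cites from NIST, a screen against a list of known-compromised passwords, and a reuse check against salted PBKDF2 hashes of the user's previous passwords. The denylist entries, the PBKDF2 parameters and the `check_new_password` function are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed stand-in for a compromised-password feed (assumption for the example).
COMPROMISED_PASSWORDS = {
    "password123456789",
    "correcthorsebatterystaple",
    "welcome to the company!",
}

MIN_LENGTH = 16  # the longer-password recommendation the post attributes to NIST


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def check_new_password(candidate: str,
                       history: List[Tuple[bytes, bytes]],
                       username: str = "") -> List[str]:
    """Return the policy violations for a candidate password; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMPROMISED_PASSWORDS:
        problems.append("appears on the compromised-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the account name")
    # Reuse check: rehash the candidate with each stored salt and compare in constant time.
    for salt, old_digest in history:
        _, digest = hash_password(candidate, salt)
        if hmac.compare_digest(digest, old_digest):
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    previous = [hash_password("an old but long passphrase!")]
    for attempt in ("short", "Password123456789", "an old but long passphrase!",
                    "a brand new and long passphrase"):
        print(repr(attempt), "->", check_new_password(attempt, previous) or "accepted")
```

Because no expiry date is tracked, a password that passes these checks stays valid until the user changes it or it turns up on a compromised list, which is the no-expiry posture described above.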

Password managers can also be important tools for navigating password fatigue: the frustration a user feels when forced to create yet another password, forgetting which password belongs to which application, and hitting pinch points in workflows. Allowing this fatigue to go unmitigated can lead to users skirting the rules and creating vulnerabilities (think: turning off password protections so they no longer have to log in, or choosing weak passwords because they are easy to remember).

Creating a password policy and adhering to it are two separate issues. Be sure to create a policy that is easy to follow, then use your information technology (IT) department and tools to ensure adherence to it. Layering MFA or a single sign-on methodology on top can complement your password policy, ease uptake for your users, and reduce the password fatigue they experience.