Perhaps your organization has a corporate password policy that needs improvement, or your boss just asked you to draw one up from scratch. Before you take the next step, here’s a list of password best practices to make sure you cover all your bases.
P.S. We’ve also scoured the internet for user password stories (some funny, some plain horrifying) to collectively laugh-cry over. The next time you see your CEO write his password on a Post-it and feel your blood go cold, know that you’re not alone.
What is a corporate password policy?
A corporate password policy is a set of rules and regulations that govern the creation, storage, use, and management of passwords in an organization. Your corporate password policy can be a standalone document or integrated into your overall company IT policy.
Use multifactor authentication (MFA)
Here’s the irony: passwords alone aren’t enough to keep your data and systems safe from bad actors. Everyone knows how easily passwords can be stolen or hacked. Implementing multifactor authentication, like a time-based one-time password, provides an additional layer of password security and protection that’s much harder for hackers to access.
Use single sign-on (SSO)
Implementing single sign-on not only makes it easier for you to enforce strong password policies and manage access controls, but it also offers a better user experience since employees only need to enter their login details once. “SSO is considered a best practice because it uses more secure authentication, and it's easier for sysadmins to implement and control least privilege," says Rachel Coleman, senior SOC analyst at PDQ.
MFA vs. SSO: What’s the difference?
MFA is an authentication method that requires users to provide more than one proof of their identity when they log in to a device, app, system, or network. SSO is a process that allows users to log in to multiple accounts with a single set of credentials. You can implement SSO and MFA together to strengthen your organization’s password security.
Don’t allow the use of personal information
Your corporate password policy should not allow users to generate passwords using their personal information — especially with social engineering attacks like phishing becoming increasingly commonplace. That includes birthdays, the names of kids/spouses/favorite homeroom teacher, or their secret superhero identities.
Prioritize password length over complexity
If your password requirements are too complex, users might get frustrated and end up settling for a weak password. Instead, consider prioritizing password length over complexity. Research shows that an 18-character unique password — even if it only contains numbers — would still take 9 months to crack. And while a complex password is good for security, remember the Goldilocks Rule and keep your complexity requirements reasonable.
“I did a phone system upgrade for a bank many years ago. The bank had crazy password requirements: no SSO, couldn't use the same password on multiple systems, min length was like 12 characters with a mix of upper/lower/number/symbols, and they had to be changed every 30 or 60 days. The result? Every keyboard in the building had a sticky note under it with a list of passwords. These were passwords to systems that could transfer millions of dollars anywhere in the world, just written on sticky notes.” — dalgeek
Encourage the use of passphrases
Passphrases, unlike passwords, easily fulfill both security and usability requirements at the same time. An average passphrase comprising five random words — even without using a single special character — is difficult to crack, yet relatively easy to memorize and type out. In contrast, a unique password with a minimum password length of 15 to 20 characters, including upper and lowercase letters and special characters, is far less user friendly.
Use a password manager
When it comes to password management, password managers are still your best bet. (Who knew, right?) But according to an industry survey, 57% of employees still save their passwords on sticky notes and 49% save them in unprotected, plain-text documents. Yikes.
To avoid this cybersecurity nightmare, your corporate password policy should mandate the use of a password manager for password creation, storage, and retrieval.
Don’t allow password sharing
It may be perfectly acceptable for employees to share their Netflix passwords with everyone and their mother, but sharing the password to company accounts should be strictly forbidden. Passwords should be treated like a pair of socks: No matter how much you love someone, you wouldn’t share your socks with them. (No judgment if you do. (Well, maybe a tiny bit.))
“At a previous job, a co-worker had a live webcam trained on his authenticator token, open to anyone who had the URL.” — malikto44
Don’t allow password reuse
We’re all for recycling, just not when it comes to user passwords. Yet, 64% of users do reuse their passwords, increasing the cybersecurity risk to their organizations. As a password best practice, don’t allow password reuse. And remind users that just changing a single letter or character doesn’t count. If in doubt, you can use password checkers to verify if a selected password has been previously exposed to a data breach. Or check it against this GitHub list of the 100,000 most used passwords.
Keep a blocklist of bad or weak passwords
Keep a blocklist of weak or compromised passwords to prevent anyone from using them. According to the National Institute of Standards and Technology (NIST), the list should contain the following:
Passwords that have been breached
Dictionary words
Repetitive or sequential characters
Words associated with a specific context (e.g., the company name)
Secure privileged users
There’s a reason why cybercriminals target top executives, their data, and their devices. The intern may be an easier target, but it’s the CEO that’s the big fish. Secure privileged users in your organization by implementing additional password security measures like stricter password requirements, requiring an administrator to unlock locked accounts, and conducting regular security audits.
“I once saw an executive, in the middle of a meeting, swipe to approve an MFA request. Note his laptop was still in his bag. When I asked him, he said, ‘Oh that’s my PA signing in as me.’ I nearly fell off my chair.” — AppIdentityGuy
Don’t impose password expiration
NIST password guidelines also recommend doing away with password change rules unless there are signs that security has been compromised. Remember that most users are easily frustrated and confused by anything IT related. So, forcing a password reset every 60 or 90 days is not only potentially frustrating to users, but it also increases the risk of them misplacing or forgetting their passwords.
Communicate with users
Effective IT communication is important but not always easy to get right — especially when you’re targeting a non-IT audience on a topic that’s not particularly riveting. Some useful IT communications tips include using jargon-free language and keeping the message simple and direct. Consider delivering your message in short, engaging snippets so that it’s more likely to stick.
If your organization has a strong security culture, you're already set up for success when you communicate with your users because you'll have their buy-in.
Practice good account and password management
A strong password policy also includes good account and password management practices. For instance, you should always require new users to change the default password to their accounts, and always delete accounts that are no longer in use.
“My university uses your birthday for an important account and does not force any change on first login… Oh, and the username is printed on your student ID card.” — playwrightinaflower
Consider relevant guidelines
While organizations should have strong password policies, you may have to take into account specific guidelines or standards that apply to your business. Here are some common ones:
Country or region specific
Industry standards
When developing your corporate password policy, it’s also important to consider the needs of employees with disabilities or who are neurodivergent. Usability testing is a good way to identify any existing gaps or challenges they face (e.g., with certain authentication methods) so that you can make appropriate adjustments.
Enforcing a strong password policy can reduce a key security risk to your organization — human users (and their questionable password habits). But we also know that a sysadmin’s work doesn’t end there.
Whether you’re rolling out new devices or migrating to a new Windows operating system, SmartDeploy can help you keep things secure and efficient — for on-site or remote users alike. Try SmartDeploy’s computer imaging software free for 15 days to see how it works.