DigiCert Blog

Creating Strong Password Policy Best Practices

Admins need to create and enforce strong password policies in their organizations, as well as educate their users on what constitutes a strong password.

Strong Password Policy

With more private communication, financial transactions, and health care information stored online, making that information accessible to users comes with serious security risks. A strong password policy is the front line of defense for confidential user information.

Administrators today play a more critical role than ever in educating users about the security risks they face and in ensuring that they use strong passwords as a first line of defense against scammers and hackers.

Technology should facilitate, not complicate

Technologies like one-time passwords, client certificates, smart cards, and biometrics add layers to account security. Two-factor authentication combines two independent factors, so an attacker who captures the password alone still cannot log in. The more critical the system, the more layers of authentication it should include.

However, the traditional password remains the primary method of user authentication, and however many layers a system adds, nearly all of them still sit on top of a username and password combination. When creating a password policy, administrators should focus on these three key elements:

1) Understand what a Strong Password Policy Is

A password policy is a set of rules created to improve computer security by motivating users to choose dependable, secure passwords and then store and use them properly. Normally, a password policy is part of an organization's official regulations and may be taught as a section of its security awareness training.

Although most users understand the security risks of simple passwords, there is still frustration when they have to spend time creating a password that meets unfamiliar criteria, or trying to remember a strong password they created earlier.

2) Enforce Using Strong Passwords

Passwords are the first line of protection against unauthorized access to your computer. The stronger the password, the better protected your computer is from malicious software and hackers.

A strong password is not just about one password: every account you access from your computer needs its own strong password. On a corporate network, the network administrator may require you to use one.

To create a strong password, you need to know the criteria that make one. These criteria basically include the following:

  • A strong password must be at least 8 characters long; longer is better.
  • It should not contain any of your personal information, specifically your real name, user name, or company name.
  • It must differ substantially from your previously used passwords.
  • It should not contain any complete dictionary word.
  • It should contain characters from all four primary categories: uppercase letters, lowercase letters, numbers, and symbols (punctuation).

3) Educate Users to Manage Their Strong Passwords

Having a password like “eC<My!chO,quaj^of)naD}uM}rIew>Ap[Ek}E*quaC.eib(Tyb” is VERY secure. It contains nearly every element of a strong password (everything except a digit). But how many users will remember a password like this? Chances are a strong password like this ends up written on a piece of paper taped to the user’s monitor, hidden under the keyboard, or sitting in the top desk drawer. It might even be hidden among the random items on the user’s desk.

Users can instead relate their passwords to things they can easily remember, like a favorite sport or hobby. For instance, “I enjoy playing basketball” can become “IEnjoiPlay!ngB@$k3tb@ll11”: secure, and easily remembered by users. Keep in mind that the character substitutions in it (@ for a, 3 for e, $ for s) are well known to password-cracking tools; most of the strength comes from the length, so keep the phrase long.

Password management software takes the hassle out of managing strong passwords. For less than the price of a soda, you can create and manage strong, random passwords (I personally like 50 characters with numbers, symbols, and of course mixed upper and lower case letters). The possible combinations are astronomical, and by remembering just one main strong password you can rely on the password manager to take care of the rest.
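As an added worked example (not code from this post or from DigiCert), here is a small Python policy checker that applies the five criteria listed earlier, plus a generator of the kind a password manager uses to produce the long random passwords described above. The short wordlist, the 0.8 similarity threshold, and the sample personal-information values (“Flavio”, “DigiCert”) are assumptions chosen for illustration; a real deployment would load a large dictionary or breached-password list instead.

```python
import secrets
import string
from difflib import SequenceMatcher

MIN_LENGTH = 8            # the minimum the post states; longer is better
SIMILARITY_LIMIT = 0.8    # assumption: this similar to an old password counts as "not different enough"

# Constructed stand-in for a real wordlist (assumption). In production you would
# load a large dictionary or a breached-password list rather than this handful.
DICTIONARY = {"password", "basketball", "welcome", "summer", "dragon", "letmein"}

# The four character categories the post requires.
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def check_password(password, personal_info=(), previous_passwords=(), dictionary=DICTIONARY):
    """Apply the post's five criteria and return a list of human-readable failures.

    An empty list means the password satisfies the policy.
    """
    failures = []
    lowered = password.lower()

    # 1. Minimum length.
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # 2. No personal information (real name, user name, company name), case-insensitive.
    for item in personal_info:
        if item and item.lower() in lowered:
            failures.append(f"contains personal information: {item!r}")

    # 3. Must differ substantially from previously used passwords.
    #    SequenceMatcher.ratio() is 1.0 for identical strings and 0.0 for disjoint ones.
    for old in previous_passwords:
        ratio = SequenceMatcher(None, lowered, old.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            failures.append(f"too similar to a previous password (ratio {ratio:.2f})")

    # 4. No complete dictionary word, checked literally as the post states it.
    for word in sorted(dictionary):
        if word in lowered:
            failures.append(f"contains the word {word!r}")

    # 5. Characters from all four categories.
    present = set(password)
    missing = [name for name, chars in CHARACTER_CLASSES.items() if not present & chars]
    if missing:
        failures.append("missing character classes: " + ", ".join(missing))

    return failures


def generate_password(length=50, **policy_kwargs):
    """Generate a random password that passes check_password(), as a password manager would.

    Uses the secrets module (a CSPRNG); the random module is not suitable for this.
    Candidates that miss a class or happen to contain a word are simply regenerated.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(sorted(set().union(*CHARACTER_CLASSES.values())))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, **policy_kwargs):
            return candidate


if __name__ == "__main__":
    # The post's two example passwords plus two weak ones. "Flavio" and "DigiCert"
    # stand in for the user's real name and company (assumption).
    samples = [
        "eC<My!chO,quaj^of)naD}uM}rIew>Ap[Ek}E*quaC.eib(Tyb",
        "IEnjoiPlay!ngB@$k3tb@ll11",
        "Password1!",
        "Flavio2013",
    ]
    for pw in samples:
        print(pw, "->", check_password(pw, personal_info=("Flavio", "DigiCert")) or "OK")
    print("manager-style:", generate_password(50))
```

Running the script shows that the post’s long example fails only the character-class rule (it has no digit), the basketball mnemonic passes, and the same mnemonic is rejected when the previous password differed in just one character. Note that criterion 4 is applied literally, so “b@$k3tb@ll” is not treated as the word “basketball”; a cracker’s rule set would undo those substitutions, which is why length matters more than clever spelling.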

Creating Strong Password Policy Best Practices

A password may follow the traditional guidelines and still turn out to be weak in practice: users who cannot remember their strong passwords, and so write them down or constantly reset them, undermine the benefits of a strong password policy.

Passwords are one piece of the security puzzle in the enterprise. Keeping user accounts secure takes a combination of a thorough process for strong password creation and an easy to use system for users to follow to keep those passwords safe.


About Flavio Martins

Flavio is the VP of Operations at DigiCert. He's a marketing and customer service leader and strategist. Flavio was named by Huffington Post as a Top Customer Experience Pro and by ICMI as a Top 50 Contact Center Leader. Follow him on Twitter @flavmartins or Google+ @FlavioMartins

  • Daniel Wells

    I keep looking for password best practices, and they are all about the same. What I am not seeing is how the whole BYOD and wide-open remote access should affect password policies. For instance, if users are given the ability to access the corporate network from any device (personal home computers, kiosks, hotel business centers, etc.), should the period between password changes be shortened?

  • Christo Mirchev

    OK, here are my 5 cents about pushing ‘strong password’ policy.

    The strong password policy requires you to choose a password that is very hard to guess. Obviously, you don’t want to use the same password you use for your online banking, so you come up with something like ‘@4$d#KK_s23&&33s’. You enter this ‘hard-to-guess’ password and your browser or service client ‘remembers’ it. Now you are good to go for any subsequent logins… In a week or two, you want to log in to your account from another device but unfortunately you can’t remember your password (strangely why :P). What happens next is you start entering all your hard-to-guess passwords trying to make it work, and thus you give up all your precious passwords to that service (of course not before passing through some ‘security’ filters), which stores all your ‘wrong’ passwords ‘just in case’ for your own ‘protection’.

    Further…
    The proud customer-carrying provider A states ‘Trust us with your personal data, we shall never betray you and your private data (as long as you are loyal to us)…’. The proud customer-carrying provider B states ‘Trust us with your personal data…’… The proud customer-carrying provider C states ‘Trust us with your personal data…’.
    … The problem is most of these providers are competitors. Competitors are not loyal to each other; they are enemies. You know, ‘… the friends of my enemies are my enemies.’… The result is you, ‘the loyal customer’, have become an enemy to all providers, and you and your private data are now subject to any options and actions…

    Please pardon my language. English is not my mother tongue.
