Four password policy rules that lead to better cyber security

| Sieuwert van Otterloo | Security

A good password policy is one of the simplest and most important security measures one can take. In this article we describe the four rules that any company should include in their security policy, especially if they want to comply to the ISO 27001 standard.

A password policy is a set of rules about the proper use of passwords. Each person typically has his or her own personal password habits. Many of these habits, such as using one simple password for many services, for a security risk. Many organisations that are implementing ISO 27001 or another information security standard, therefore decide to created a standard set of rules for all staff. These rules define how any staff should choose and manage the passwords they use for work. If everyone follows these rules, this eliminates many security risks.

Password policies and rules are important because weak passwords are a major issue during many cyber attacks. Weak passwords are either the cause of a breach or make the breach much worse. Creating a password policy requires no investment whatsoever: it only takes some time for communication. The effect is often immediate: after the policy is implemented the organisation is much more resilient to many types of cyber activities.

Four simple password policy rules

If you follow these four password rules or put these in your password policy, you immediately will have a much higher level of security.

1: no short passwords

Short passwords are not safe because it often happens that hackers obtain files with encrypted or hashed passwords. Hackers can retrieve these encrypted passwords by trying out all short and common passwords. There is a lot of debate around the required minimal length of passwords, but no agreement amongst experts. One view is that a password is good enough if it has at least 8 characters, including at least one digit and a symbol. Many experts however have switched to longer passwords due to an increase in computer strengths: for important passwords, at least 12 or 20 characters are recommended. Security expert Bruce Schneier offers some explanation about the math behind password length and security. Of course longer passwords are hard to remember, hence our next advice.

2: Write passwords down or use a password manager

People have so many passwords that it is impossible to remember them all. A paper booklet is a very safe place for passwords, as cyber criminals cannot access it remotely.

3: Never use the same password for two services

It is tempting to use one password for many different types of services. However this creates a huge risk of contagion of cyber attacks: if the passwords from one service are stolen, criminals will try to use the same password on other services. An attack against twitter is thus often used for attacks on google, amazon and apple. The only way to protect yourself against these attacks is to choose a unique password for every service.

Rule 4: Change passwords every year

In theory, strong passwords do not have to be changed as they do not degrade. In practice however, password related data often leaks and will eventually fall in the wrong hands.As noted before, passwords lists are sometimes stolen by hackers. A recent example is a Linked In data breach where millions of old passwords were leaked. In other cases companies no not dispose of old hardware correctly, or users themselves loose their old phone with a lot of old passwords in it or on it. It also happens, even though this is not recommended, that passwords are shared with colleagues. For all of these reasons, it makes sense to limit the lifetime of passwords. Some companies force users to change passwords every three months. This is however not useful, since it annoys users and leads to weak and predictable passwords. We recommend a more sensible policy of changing passwords every year.


Recommended practice: password managers

As we stated in rule number 2, it is possible to use a password manager for storing passwords. Such a manager uses one very strong master password for storing a whole range of other passwords. Examples of good password managers are:

Implementing a password policy

Rules for good passwords are only one aspect of a good security policy. Many companies that we help with security, are setting up a complete Information Security Management System, using either ISO27001 or another standard. Within such a system, the password rules are included in a security awareness training that is mandatory for all staff. Rules about passwords are also often included in security guidelines that all staff receives. In a previous post we discussed how to get started with an information security policy. The password policy is something we would use as an example when involving the staff.

Should you need further information, contact the security experts from ICT Institute . We can either help setting up an ISMS and organise trainings, or conduct an informal audit to verify whether an ISMS has been implemented correctly.

Image source: Wikimedia commons, psyomjesus

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.