It’s been said that a password should be treated like a toothbrush – don’t let anybody else use it and get a new one every six months.
While this may be true, passwords require a little more than that. For example, a password policy and password management solutions need to be in place to protect organizations from having authorized personnel use easily guessed, or easily cracked, passwords. This serves as one line of defense for protecting organizations, along with the customer information they manage, from unauthorized access due to weak passwords. Password policies and management are the focus of pitfall #32 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Password management systems should be interactive and configured to ensure that only quality passwords are accepted. All users should be made aware of their responsibilities for maintaining effective access controls, and they should be required to follow best practices for selecting passwords, using them, and keeping them confidential. All passwords should be encrypted both in storage and in transit. Password configuration settings are almost always reviewed for appropriateness and effectiveness during any audit, assessment, or examination of your organization’s internal security controls.
One effective, yet often overlooked, password policy is keeping a current list of the most commonly used passwords (and their variations) within the organization. Because these passwords are predictable and easily guessed, they are likely to be compromised sooner or later. The list should be refreshed at least annually and its entries added to a DO NOT USE list. Update it more frequently if passwords within your organization are suspected to have been compromised or if personnel changes have taken place on less than amicable terms. This policy can save your organization the time and embarrassment of dealing with unauthorized access by terminated employees or freelancers who are no longer contracting with your company.
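A DO NOT USE list only works if the check also catches the variations users reach for (a trailing year, a leading or trailing symbol, leet spelling such as P@ssw0rd). The following is an added example, not code from the eBook or the original post, of how a password management system could enforce such a list. The sample list, the leet substitution table, the 12-character minimum and the function names are all assumptions made for illustration.

```python
import re
from typing import Iterable, List, Optional, Set

# Constructed sample DO NOT USE list standing in for the organization's own
# list of commonly used passwords (assumption: the real list is maintained by
# the security team and refreshed at least annually).
DO_NOT_USE = ["password", "welcome", "summer2023", "letmein", "123456", "acmecorp"]

# Character substitutions users commonly apply to disguise a banned base word
# (assumed table; extend it from what your own list shows).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

_EDGE = re.compile(r"^[\d\W_]+|[\d\W_]+$")  # digits/punctuation at either end


def forms(value: str) -> Set[str]:
    """Return the lowercase value plus two normalizations that collapse common
    variations: strip edges then undo leet (Password1! -> password), and undo
    leet then strip edges ($ummer2024 -> summer). Empty results are dropped."""
    low = value.lower()
    stripped_then_leet = _EDGE.sub("", low).translate(LEET)
    leet_then_stripped = _EDGE.sub("", low.translate(LEET))
    return {f for f in (low, stripped_then_leet, leet_then_stripped) if f}


def build_denylist(entries: Iterable[str]) -> Set[str]:
    """Normalize every list entry so the comparison is base word to base word."""
    banned: Set[str] = set()
    for entry in entries:
        banned |= forms(entry)
    return banned


def is_banned(candidate: str, banned: Set[str]) -> Optional[str]:
    """Return the denylist word the candidate matches, or None if it is clean.
    Containment rather than equality is used so 'mypassword2024' is caught too;
    very short banned words are skipped to limit false positives. Iteration is
    sorted (longest word first) so the result is deterministic."""
    for form in sorted(forms(candidate)):
        for word in sorted(banned, key=lambda w: (-len(w), w)):
            if len(word) >= 4 and word in form:
                return word
    return None


def check_password(candidate: str, banned: Set[str], min_length: int = 12) -> List[str]:
    """Return the list of policy violations for a candidate (empty means accepted)."""
    problems: List[str] = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hit = is_banned(candidate, banned)
    if hit:
        problems.append(f"matches DO NOT USE entry '{hit}'")
    return problems


if __name__ == "__main__":
    denylist = build_denylist(DO_NOT_USE)
    for pw in ["P@ssw0rd2024!", "Summer2025", "AcmeCorp-Welcome1",
               "correct horse battery staple"]:
        print(pw, "->", check_password(pw, denylist) or "accepted")
```

Because the check runs at password-change time against a list the organization controls, refreshing the list is a data update rather than a code change, which is what makes the annual (or post-incident) refresh in the policy practical to enforce.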
It is strongly recommended that your organization provide training on the selection and safeguarding of passwords. This could be included as part of your annual security awareness training or delivered through simple email reminders on password best practices. Technical controls may enforce password composition requirements, but training your personnel supports the overall goal of password, threat, and vulnerability management. Whatever training or email reminders are provided should be retained as evidence that the training took place, to support validation that this control is in place.