It’s been said that a password should be treated like a toothbrush: don’t let anybody else use it, and get a new one every six months.
While this may be true, passwords require a little more than that. For example, password management solutions need to be in place to prevent authorized personnel from using easily guessed or easily cracked passwords. This is one line of defense protecting the organization, and the customer information it manages, from unauthorized access through weak passwords. Password management is the focus of pitfall #32 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Password management systems should be interactive and configured so that only quality passwords are accepted. All users should be made aware of their responsibilities for maintaining effective access controls, and should be required to follow best practices for the selection, use, and safeguarding of passwords. All passwords should be encrypted both in storage and in transit. Password configuration settings are almost always reviewed for appropriateness and effectiveness during any audit, assessment, or examination of your organization’s internal security controls.
Your organization should obtain a list of commonly used, expected, easily guessable, or compromised passwords. This list should be refreshed at least annually, and more often if passwords within your organization are suspected to have been compromised, directly or indirectly. The list contains passwords that have been confirmed as compromised, and your systems should reject any password that appears on it.
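To show how the two recommendations above fit together in practice, here is an added example (my own illustration, not code from the eBook or its author) of a password-screening routine: it enforces a minimum length, rejects any candidate that matches a blocklist of compromised or commonly used passwords, and also catches the "blocklisted word plus trailing digits or symbols" variants users tend to produce. The blocklist words, the 12-character minimum, and the use of SHA-256 digests rather than a plaintext list are all assumptions made for the example; a real deployment would load a much larger published list and refresh it on the schedule your policy sets.

```python
import hashlib
import re
import unicodedata

# Constructed sample blocklist for this example. A real deployment would load
# a far larger list of confirmed-compromised and commonly used passwords.
SAMPLE_BLOCKLIST_WORDS = [
    "password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd",
]

MIN_LENGTH = 12  # assumed policy value; set this to your own standard


def normalize(password: str) -> str:
    """Canonical form used for comparison: Unicode-normalized, lower-cased,
    with surrounding whitespace removed, so trivial variants still match."""
    return unicodedata.normalize("NFKC", password).strip().lower()


def digest(normalized: str) -> str:
    """SHA-256 of a normalized password. The blocklist is held as digests so the
    screening component never needs the plaintext list it was built from."""
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def build_blocklist(words) -> frozenset:
    """Turn plaintext blocklist entries into the digest set used for lookups."""
    return frozenset(digest(normalize(w)) for w in words)


BLOCKLIST = build_blocklist(SAMPLE_BLOCKLIST_WORDS)


def variants(normalized: str) -> set:
    """The normalized password plus the forms left after stripping the trailing
    symbols and digits that are commonly appended to a blocklisted word."""
    forms = {normalized}
    forms.add(re.sub(r"[^a-z0-9]+$", "", normalized))  # drop trailing symbols
    forms.add(re.sub(r"[^a-z]+$", "", normalized))     # drop trailing digits too
    forms.discard("")
    return forms


def evaluate_password(candidate: str, blocklist=BLOCKLIST,
                      min_length=MIN_LENGTH, context_terms=()) -> list:
    """Return the list of policy violations for a candidate password.
    An empty list means the password is acceptable. context_terms is an
    assumed extension: organization- or user-specific words that count as
    'expected' passwords (e.g. the company name)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    norm = normalize(candidate)
    if any(digest(v) in blocklist for v in variants(norm)):
        reasons.append("matches a commonly used or compromised password")
    for term in context_terms:
        if len(term) >= 3 and term.lower() in norm:
            reasons.append(f"contains the context-specific term {term!r}")
    return reasons


def is_acceptable(candidate: str, **kwargs) -> bool:
    """Convenience wrapper: True only when no policy violation is found."""
    return not evaluate_password(candidate, **kwargs)


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Password2024!", "correct horse battery staple"]:
        print(pw, "->", evaluate_password(pw) or "accepted")
```

Returning the full list of reasons, rather than a bare yes/no, is what makes the system "interactive": the user sees why a choice was rejected at the point of selection. Keeping the blocklist as digests also means the refreshed list can be distributed to every authentication endpoint without shipping plaintext compromised passwords around.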
It is strongly recommended that your organization provide training on the selection and safeguarding of passwords. This could be included as part of your annual security awareness training, or could be delivered through simple email reminders on password best practices. Technical controls may enforce password composition requirements, but training your personnel supports the overall goal of password management. Whatever training or email reminders you provide should be retained as evidence that the training occurred, to support validation that this control is in place.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.