Passwords are often the last line of defense your business has for protecting sensitive information from hackers and thieves who would like nothing better than to gain access to company trade secrets or bank accounts, and the list goes on. In many cases the information at risk is also legally protected. In addition to customer loss and reputational harm, a data breach involving personally identifiable information (PII) can lead to significant fines. Implementing a password policy is one of the easiest and most affordable ways to increase security of your network. Here are 7 steps meant to make your user accounts and passwords more effective and your business more secure.
Step 1: Require Unique Accounts
All users should be assigned a unique user ID and password in order to gain access to internal network resources. Generic or shared user accounts are a security risk and should not be used.
Step 2: Require Complex Passwords
No more pet’s names or your favorite football teams! A real password should be alphanumeric and include upper and lower case letters or some special characters.
Step 3: Enforce Minimum Password Lengths
The longer a password is, the harder it will be to crack. Opinions among security experts vary, but your organization should require passwords to be a minimum length of at least 8 characters.
Step 4: Require Password Changes
By requiring password changes on a regular basis, there’s less chance a compromised password will do as much damage. Most experts recommend enforcing password changes at least every 90 days.
Step 5: Prohibit Reusing Passwords
Password changes are less effective if users are able to reuse them. Implementing a password history policy will discourage users from alternating between the same passwords.
Step 6: Enable Account Lockouts
Many passwords are compromised by remote attackers using automated scripts to attempt thousands of common passwords in succession. Enabling account lockouts after a predefined number of unsuccessful logins renders these attacks useless.
Step 7: Enable Account Auditing
Enable account auditing so that login events, both successful and failed, can be monitoring by IT personnel to identify and resolve possible security threats.
A password and account management policy is only one small part of a successful approach to network security within your organization. Please contact us for more information or to schedule an appointment with one of our IT professionals for a network security assessment.