Password Management Policy

Password Management

Many businesses must comply with some sort of federal mandate regarding the security of their customer or patient information. These rules, while extensive, are very helpful in maintaining the security of your network. Below is the standard policy surrounding password management. We offer some solutions below the “Password Management Policy” for your team to maintain compliance. Unfortunately, there is no way of enforcing these rules unless you are using a centralized management system for authentication like traditional AD or Azure AD.

Password Management Policy

Policy: We require the following password and credential management:

  • All passwords must be changed at least once every 90 days.
  • All production system-level passwords must be part of the Security Officer’s administered global password management database.
  • User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user.

Users must select strong passwords. Strong passwords have the following characteristics:

  • Be at least eight characters in length
  • Be a mixture of letters and numbers
  • Be changed at least every 90 days
  • Be different from the previous 6 passwords
  • Not contain the user’s userid
  • Passwords must not be inserted into email messages or other forms of electronic communication.

Note that poor, weak passwords have the following characteristics:

  • The password contains fewer than six characters
  • The password is a word found in a dictionary (English or foreign)
  • The password is a common usage word such as:
    • Names of family, pets, friends, co-workers, fantasy characters, and so on
    • Computer terms and names, commands, sites, companies, hardware, software
    • Birthdays and other personal information such as addresses and phone numbers
    • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, and so on
  • Any of the above spelled backwards
  • Any of the above preceded or followed by a digit (for example, secret1, 1secret)
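As an added example (not code from the original post), the strong and weak password characteristics above expressed as a checker that returns the policy rules a candidate password breaks. The word list and keyboard sequences are constructed sample data, and the password history is compared by SHA-256 digest purely for illustration.

```python
import hashlib
import re

# Constructed sample word list; a deployment would load a full dictionary file.
DICTIONARY = {"secret", "password", "welcome", "acme", "widgets"}
# Sequences the policy names as weak patterns (qwerty, zyxwvuts, 123321 ...).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
HISTORY_DEPTH = 6   # "different from the previous 6 passwords"
MIN_LENGTH = 8      # "at least eight characters in length"

def history_entry(password: str) -> str:
    # Digest kept in the history list. Illustration only: a production store
    # would keep a salted, slow password hash (bcrypt/argon2), not bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()

def is_pattern(s: str) -> bool:
    # aaabbb-style runs, 123321-style mirrors, keyboard/alphabet/digit sequences
    if len(s) < 3:
        return False
    if re.fullmatch(r"((.)\2+)+", s) or s == s[::-1]:
        return True
    return any(s in seq or s in seq[::-1] for seq in SEQUENCES)

def is_weak_word(password: str) -> bool:
    # Dictionary words and patterns, also spelled backwards, also with a single
    # digit prepended or appended (secret1, 1secret, 1terces).
    pw = password.lower()
    cores = {pw}
    if pw[:1].isdigit():
        cores.add(pw[1:])
    if pw[-1:].isdigit():
        cores.add(pw[:-1])
    return any(c in DICTIONARY or is_pattern(c)
               for core in cores for c in (core, core[::-1]))

def check_password(password: str, userid: str, previous: list[str]) -> list[str]:
    # Return the policy rules the candidate breaks; an empty list means it passes.
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than eight characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        reasons.append("not a mixture of letters and numbers")
    if userid.lower() in password.lower():
        reasons.append("contains the userid")
    if history_entry(password) in previous[-HISTORY_DEPTH:]:
        reasons.append("matches one of the previous 6 passwords")
    if is_weak_word(password):
        reasons.append("dictionary word or pattern, possibly reversed or with a digit")
    return reasons
```

Call `check_password("welcome1", "jdoe", [])` to see the digit-suffix rule fire on a dictionary word that would otherwise satisfy the length and letter-plus-number requirements.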

Further, authenticating systems must require user passwords and must block access to an account if more than three unsuccessful attempts are made.

Members of the workforce must follow these guidelines for passwords:

  • Don’t reveal a password over the phone to ANYONE
  • Don’t reveal a password in an e-mail message
  • Don’t talk about a password in front of others
  • Don’t hint at the format of a password, like, “my family name”
  • Don’t reveal a password on questionnaires or security forms
  • Don’t share a password with family members
  • Don’t reveal a password to co-workers
  • Don’t ‘hide’ a password within view at your work area, on a badge, or under a mouse pad or keyboard

Password Management Q&A

You now know a business needs a password policy to maintain compliance, but password management can be very beneficial in so many other ways. Ask yourself… “Do I have plenty of passwords to sites, subscriptions, bank accounts, and computers? Do I struggle to keep up with all the passwords that are associated with my life or business?” The answer is most likely yes, unless you are completely off the grid living the lifestyle of a hermit.

More and more passwords, and sensitive information tied to those credentials, accumulate as your digital footprint grows. How can you be sure that the platform you use is the most ideal and secure way to access your sensitive information? There is no silver bullet for secure password management, but we can discuss a lot of do’s and don’ts.

Password Management Personalities

  • The pen and paper individual
    • This is the most common way. The paper typically gets lost, and the notes on it become disorienting and nonsensical. However, some people simply don’t use the computer enough, or never establish a proper workflow with it, so the issues with using paper become just as bad in the digital world.
      • Recommendation: Pray for this person. Document your own passwords if you work with them, because this person is absolutely not dependable for password management.
  • The Word or Google Doc individual
    • This is the second most common method for password management. I’ve seen a lot of people who use this method religiously, but this workflow is a welcome mat for hackers to wreak havoc on your life.
      • Recommendation: Find a secured password management system. We recommend a less common platform. Perhaps a non-web-dependent platform would give me a warmer, fuzzier feeling of privacy and security.
  • The phone app password management program
    • This method is gaining a lot of momentum, but with convenience comes more security issues.
      • Recommendation: We recommend a less common platform. Perhaps a non-web-dependent platform would give me a warmer, fuzzier feeling of privacy and security.

The Non Web Dependent Platform for Securing Your Passwords

There are plenty out there, but one we have seen is not heavily marketed and maintains a low profile in the marketplace. It is secure and pretty easy to use. The management program we recommend is Keepass. The Mac version we recommend is Keepass X.

Keepass Illustration Tip For Mac

Keepass Does Not Sync

Yeah, yeah… I know. We have a workflow that keeps the headaches to a minimum, so here’s the ideal setup or workflow for you.

Keepass database file for Acme Widgets Inc

The individual or organization maintains their own copy, called AcmePersonal. Acme Widgets Inc. should simply request an updated database file be emailed to them from time to time. This database file is also known as the KDBX file.

How Do I View Passwords on My Phone

Use a cloud based app in conjunction with Keepass

See OneDrive, Synology Drive, Google Drive, Dropbox, etc.

Your IT Guy

They maintain a database file called AcmeIT, or whatever name differentiates one database file from another.

Two Database Files for Keeping Passwords Safe

The IT guy maintains their own file, and you use your own for your personal updates. The two files can’t sync or merge, but hey, it’s free, and people like it. Again, have your IT guy email the latest and greatest database file, then save it over the old IT database file.

The Do’s and Don’ts of Password Management

  • Do keep meticulous notes
  • Don’t leave old notes lingering as if they were current. Place a Zzz to note they may be somewhat relevant but are otherwise inactive.

Keepass – Before

Keepass – After

Password Management Policy Summary

Password management is not only good for compliance but also a healthy preventive measure against security breaches.