I've been tasked with putting together the company security policy. As part of this I want to define what is a sensible but secure password (length, characters etc), how often they should be changed, length of password history and so on.

Obviously I need to balance security against practicality.

What do people generally consider a good password policy?


Solution 1:

Wikipedia has a nice summary on this topic

Common password practice

Password policies often include advice on proper password management such as:

  • never sharing a computer account
  • never using the same password for more than one account
  • never telling a password to anyone, including people who claim to be from customer service or security
  • never writing down a password
  • never communicating a password by telephone, e-mail or instant messaging
  • being careful to log off before leaving a computer unattended
  • changing passwords whenever there is suspicion they may have been compromised
  • operating system password and application passwords are different
  • password should be alpha-numeric
  • make passwords COMPLETELY random but easy for you to remember

Suggestions from TU Delft:

Characteristics of acceptable passwords

  • a password contains at least eight characters, and
  • it contains at least one upper case letter, and
  • it contains at least one lower case letter, and
  • it contains at least one digit or another character such as !@#$%^&(){}[]<>..., and
  • it is not a term in a familiar language or jargon, and
  • it is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and
  • it is easy to remember, for instance by means of a key sentence, and
  • it can be typed in fluently.

Best practices for protecting passwords

  • avoid the use of the same password for work and private life;
  • regard all passwords as sensitive information, and do not share them with the accounts of colleagues, family members or other acquaintances;
  • do not reveal passwords to colleagues, one’s boss or other acquaintances, neither in normal circumstances nor in the event of leave or sickness;
  • do not mention any password in public, by telephone or in unencrypted communication;
  • never note down a password in a freely accessible location;
  • do not give any hints about the mnemonic used to remember your password;
  • never provide information about a password in questionnaires or security forms;
  • if misuse is suspected, then report this to the security organisation and immediately change all involved passwords;
  • if someone wants to know a password, then refer him to this policy.

Solution 2:

With the proliferation of keyloggers and phishing attacks, it may behove your organization to consider alternatives to "strong" passwords. See Bruce Schneier's blog about the paper Do Strong Web Passwords Accomplish Anything?

I would strongly suggest using two-factor authentication. Between footballs, SecureID, and Yubikey, it is very easy and relatively inexpensive to implement a second factor of authentication.

Solution 3:

I like Passwordsafe for keeping track of passwords.

My suggestions:

  • Encourage pass phrases, not words. A nonsense phrase made up of 3-4 words is easier to remember than 8 garbled characters.

  • Set a reasonable maximum lifetime. From 3 to 6 months.

  • Do not rely on 1337 speak to protect a password. Brute force dictionary attackers such as Crack have been doing letter->number changes for close to 20 years. But do require letters, numbers, upper- and lowercase and punctuation.

  • Do not rely on non-English words for security. Any fool can load multiple dictionaries into a program. Doesn't matter if he speaks the language or not.
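A small checker that applies the TU Delft acceptance rules quoted in Solution 1 together with Solution 3's point that letter->number substitutions must be undone before a dictionary check. This is an added example, not code from any of the answers; the word list, the substitution table and the `personal` argument are assumptions made for illustration.

```python
import re
import string

# Constructed stand-in for a real word list (the TU Delft rule: not a term
# in a familiar language or jargon). A deployment would load full dictionaries.
DICTIONARY = {"password", "welcome", "summer", "letmein", "company", "delft"}

# Letter->number substitutions that cracking tools undo, as Solution 3 notes
# (assumed table; real tools apply many more).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(pw: str) -> str:
    """Lowercase and undo 1337 substitutions, so 'P@55w0rd' becomes 'password'."""
    return pw.lower().translate(LEET_MAP)

def check_password(pw: str, account: str, personal=()) -> list:
    """Return the TU Delft rules the candidate fails (an empty list means acceptable).

    `personal` is an assumed extra input: names, birth years and similar facts
    the policy says a password must not be derived from.
    """
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        failures.append("no upper case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower case letter")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        failures.append("no digit or special character")
    low, base = pw.lower(), normalize(pw)
    # Dictionary check on the de-leeted form and on a single word padded with
    # digits or symbols ('Summer2024!'). Multi-word passphrases, which
    # Solution 3 encourages, are deliberately not flagged by this rule.
    raw_runs = re.findall(r"[a-z]+", low)
    if base in DICTIONARY or (len(raw_runs) == 1 and raw_runs[0] in DICTIONARY):
        failures.append("dictionary word (after undoing letter/number substitutions)")
    taboo = [account.lower()] + [p.lower() for p in personal]
    if any(t and (t in low or t in base) for t in taboo):
        failures.append("derived from account name or personal information")
    return failures

if __name__ == "__main__":
    for candidate in ("P@55w0rd", "Summer2024!", "Correct-horse-battery-9"):
        print(candidate, "->", check_password(candidate, "jsmith") or "acceptable")
```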