Password policy best practices

Written by Melvin Monachan | Password management | 4 min read

On this page
  • Password policies explained
  • Essential elements of a good password policy
  • Password policies and compliance
  • Do's and don'ts while setting up password policies
  • Implement stringent password policies with ADSelfService Plus
  • People also ask

Password policies explained

A password policy defines the requirements and rules that users must follow when setting up and managing their passwords within an organization. These rules can vary between organizations and include criteria such as password length, complexity, age, and history. By enforcing a password policy, organizations ensure that users create strong passwords, reducing the risk of breaches caused by password-related attacks.

Essential elements of a good password policy

A stringent password policy is crucial for ensuring the safety and integrity of organizational assets and user data. The essential elements of a good password policy are given below.

  • Minimum password length: Enforce a minimum length for passwords (for example, at least 12 characters), as longer passwords are harder to crack.
  • Password expiration: Implement a password expiration policy that requires users to change their passwords regularly (for example, every 90 days). This helps in cutting down the risk of long-term access from compromised passwords.
  • Password complexity requirements: Encourage the use of a mix of uppercase letters, lowercase letters, numbers, and special characters. This complexity makes it difficult for attackers to guess or crack passwords.
  • Password history: Enforce a policy that prevents users from reusing their previous passwords within a certain number of cycles (for example, the last five passwords). This reduces the risk of a previously compromised password coming back into use.
  • Multi-factor authentication (MFA): By implementing MFA, you are adding an extra layer of security to your account. This requires a second form of verification, such as a text message code or an authentication app, in addition to your password. Using a factor you possess (for example, YubiKey) or something inherent to you (for example, biometrics) ensures that only you can access your accounts.
  • Account lockout mechanisms: Set up account lockout procedures after a specified number of failed login attempts. This helps to keep brute-force attacks at bay by limiting the number of guesses a threat actor could make.
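Two of these elements, password history and account lockout, are mechanical enough to show in code. The block below is an added example written for this article, not code from ADSelfService Plus or Active Directory: PasswordHistory keeps the last N passwords as salted PBKDF2 hashes and refuses a repeat, and LockoutTracker locks an account for a fixed window after a run of consecutive failed logins. The class names, the thresholds (five remembered passwords, five attempts, a 15-minute lockout) and the sample user are assumptions; the depth, threshold and lockout duration are the knobs a policy would set.

```python
"""Added example (not from the article or from ADSelfService Plus): the
password-history and account-lockout controls as two small classes.
Class names, thresholds and sample users are constructed."""
import hashlib
import hmac
import os
import time
from collections import deque


class PasswordHistory:
    """Remember the last `depth` passwords as salted PBKDF2 hashes so none can be reused."""

    def __init__(self, depth=5, iterations=50_000):
        self.iterations = iterations
        # (salt, digest) pairs, oldest first; the deque drops the oldest once `depth` is exceeded.
        self._entries = deque(maxlen=depth)

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def was_used(self, password):
        """True if `password` matches any remembered previous password."""
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        """Store the password that was just set, under a fresh random salt."""
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))


def set_new_password(history, new_password):
    """Apply the history rule: reject a reused password, otherwise remember the new one."""
    if history.was_used(new_password):
        return False
    history.record(new_password)
    return True


class ManualClock:
    """Deterministic clock for the demo and tests; production code would pass time.monotonic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LockoutTracker:
    """Lock an account for `lockout_seconds` after `threshold` consecutive failed logins."""

    def __init__(self, threshold=5, lockout_seconds=900, clock=time.monotonic):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> clock value at which the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            # The lockout window has passed: clear the lock and the failure counter.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def register_failure(self, user):
        """Record a failed login. Returns True if the account is (now) locked."""
        if self.is_locked(user):
            return True  # further guesses during the lock do not extend or reset it
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.threshold:
            self._locked_until[user] = self._clock() + self.lockout_seconds
            return True
        return False

    def register_success(self, user):
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    history = PasswordHistory(depth=5)
    for pw in ["Harbour-Lantern-42!", "Harbour-Lantern-42!", "Quiet-Meadow-Tram-7"]:
        print(f"set {pw!r}: {'accepted' if set_new_password(history, pw) else 'rejected (reuse)'}")

    clock = ManualClock()
    tracker = LockoutTracker(threshold=5, lockout_seconds=900, clock=clock)
    for _ in range(5):
        tracker.register_failure("alice")
    print("alice locked:", tracker.is_locked("alice"))
    clock.advance(901)
    print("alice locked after 15 minutes:", tracker.is_locked("alice"))
```

The history stores hashes rather than the old passwords themselves, so a leak of the history table does not hand out a user's past credentials, and each entry carries its own salt so identical passwords across users do not produce identical entries. The lockout counts only consecutive failures and resets on success or when the window expires, which is the behaviour an administrator usually means by "lock after N bad attempts".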

Password policies and compliance

Compliance regulations are regularly updated based on insights from ethical hackers and past security breaches. Here’s what these regulations recommend when it comes to creating a good password policy.

Compliance regulation: The GDPR (General Data Protection Regulation)
Description: The GDPR comprises collective standards to collect, store, and process an individual's sensitive as well as personal data.
Recommended guidelines:
  • Passwords should not contain words from the dictionary.
  • Old passwords must not be reused.

Compliance regulation: HIPAA (Health Insurance Portability and Accountability Act)
Description: HIPAA comprises standards that aim to protect the health-related information of individuals handled by organizations.
Recommended guidelines:
  • Passwords must be at least eight characters long.
  • Passwords must be unique but easy to remember for the individual.

Compliance regulation: The PCI DSS (Payment Card Industry Data Security Standard)
Description: The PCI DSS comprises standards that businesses processing sensitive cardholder data must comply with.
Recommended guidelines:
  • Passwords must be encrypted during their storage.
  • Users must be authenticated with MFA techniques in addition to their credentials.

Compliance regulation: The Essential Eight
Description: The Essential Eight comprises standards that aim to enhance the overall cyberdefense of organizations.
Recommended guidelines:
  • Users must be authenticated with MFA techniques in addition to their credentials.
  • Both admins and users should be granted the minimum privileges necessary to access resources based on their roles.

Compliance regulation: CJIS (Criminal Justice Information Services)
Description: The CJIS guidelines comprise standards to protect the integrity of data pertaining to crime investigations.
Recommended guidelines:
  • Passwords must be changed every 90 days.
  • Passwords should not contain parts of your username or dictionary words.

Compliance regulation: SOX (Sarbanes-Oxley Act)
Description: SOX comprises standards to protect shareholders from financial fraud that occurs in organizations.
Recommended guidelines:
  • Commonly used passwords must not be used.
  • Users must be authenticated with MFA techniques in addition to their credentials.

Compliance regulation: NIST (National Institute of Standards and Technology)
Description: NIST's guidelines comprise standards for creating strong passwords that are regularly updated based on data from ethical hackers.
Recommended guidelines:
  • Avoid providing hints to users while entering their passwords.
  • Password length must be given priority over complexity.

Do's and don'ts while setting up password policies

Effective password policies help in guarding organizational resources while ensuring users can easily adhere to the guidelines. The key practices to follow and common pitfalls to avoid when setting up password policies are given below.

  • Do not use commonly used passwords, like "Password," your name, or a dictionary word. Such passwords can easily be compromised by attackers using a dictionary attack.
  • Do not use keyboard sequences or patterns in your password.
  • Do not use default passwords as these are the first ones that attackers will try in password-related attacks.
  • Do not use easily available information, like your date of birth, your phone number, or your license plate number. An attacker could be anyone, even someone who knows you well. Their instinct would be to use information associated with you to attempt a breach.
  • Use passkeys wherever possible.
  • Do not reuse passwords across multiple accounts, as it could lead to credential stuffing attacks.
  • Do not share passwords, even with your family or closest friends. You can never be sure who might turn against you.
  • Do not write your passwords anywhere, be it online or offline. If you find it difficult to remember your passwords, use a password manager instead.
  • Change all your passwords every 90 days. Make sure you do not set a password that was already set by you in the past.
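Most of the don'ts above can be enforced at password-change time rather than left to the user. The checker below is an added example, not the article's or ADSelfService Plus's code: it rejects a password that is too short, one missing a character class, a common or dictionary word (even with trailing digits or symbols), a keyboard or alphabet run, anything drawn from the user's own details (name parts, birth year, phone digits), and a character repeated four or more times. The word list, the thresholds and the sample user record are constructed placeholders; a real deployment would check against a breached-password list. The history rule (no reuse of the last N passwords) is a separate control and is not repeated here.

```python
"""Added example (not from the article or ADSelfService Plus): a password
content checker for the "do's and don'ts" above. All names, thresholds
and the word list are constructed for illustration."""
import re
import string

MIN_LENGTH = 12          # no maximum: a length cap only weakens the policy
SEQUENCE_LENGTH = 4      # how many adjacent keyboard/alphabet keys count as a pattern
REPEAT_LIMIT = 4         # e.g. "aaaa" is rejected

# Constructed stand-in for a real breached/common password list.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "admin", "qwerty", "iloveyou", "monkey"}

# Keyboard rows and the alphabet, walked forwards and backwards.
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]
_ROWS += [row[::-1] for row in _ROWS]


def _personal_tokens(user_info):
    """Pieces of user data (name parts, digit runs) that must not appear in the password."""
    tokens = set()
    for value in user_info.values():
        for part in re.split(r"[^a-z0-9]+", value.lower()):
            if len(part) >= 3:
                tokens.add(part)
        digits = re.sub(r"\D", "", value)
        if len(digits) >= 4:  # e.g. a full phone number or date with separators removed
            tokens.add(digits)
    return tokens


def _has_keyboard_sequence(lowered):
    """True if any SEQUENCE_LENGTH-character window is a run along a keyboard row or the alphabet."""
    for i in range(len(lowered) - SEQUENCE_LENGTH + 1):
        chunk = lowered[i:i + SEQUENCE_LENGTH]
        if any(chunk in row for row in _ROWS):
            return True
    return False


def validate(password, user_info=None):
    """Return a list of violation codes; an empty list means the password passes."""
    user_info = user_info or {}
    low = password.lower()
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append("too_short")

    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    if not all(classes):
        violations.append("missing_character_class")

    # "Password123!" still reduces to a common word once trailing digits/symbols are stripped.
    if low in COMMON_PASSWORDS or low.rstrip(string.digits + string.punctuation) in COMMON_PASSWORDS:
        violations.append("common_password")

    if _has_keyboard_sequence(low):
        violations.append("keyboard_sequence")

    if any(token in low for token in _personal_tokens(user_info)):
        violations.append("personal_info")

    if re.search(r"(.)\1{%d,}" % (REPEAT_LIMIT - 1), password):
        violations.append("repeated_characters")

    return violations


if __name__ == "__main__":
    # Constructed user record; in practice these fields come from the directory.
    user = {"username": "john.doe", "date_of_birth": "1990-04-12", "phone": "555-0100"}
    for candidate in ["Password123!", "JohnDoe1990!!xy", "Qwerty!2024Long", "Tr0ub4dor&3Correct!"]:
        print(f"{candidate!r}: {validate(candidate, user) or 'OK'}")
```

Returning a list of codes rather than a single boolean lets the change dialog tell the user which rule they hit, which is what keeps a stricter policy usable. The checker deliberately has no maximum length, since capping length makes passwords easier to crack.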

Implement stringent password policies with ADSelfService Plus

ADSelfService Plus is an identity security solution with MFA, SSO, and password management capabilities. It provides a Password Policy Enforcer feature that allows you to enforce custom password policies that seamlessly integrate with AD's built-in password policies. These custom policies offer more granular control than AD natively provides, including intricate settings such as restrictions on custom dictionary words, palindromes, and character repetitions. ADSelfService Plus also integrates with Have I Been Pwned to help prevent your users from using breached passwords. Additionally, by implementing MFA alongside a stringent password policy, you can further enhance security, ensuring that even if passwords are compromised, unauthorized access is still prevented.


People also ask

What is meant by password policy?

A password policy defines the requirements and rules that users must follow when setting up and managing their passwords within an organization. These rules can vary between organizations and include criteria such as password length, complexity, age, and history.

What is an example of a good password policy?

A good password policy requires users to set passwords that are at minimum 12 characters long and include a combination of numbers, symbols, and both upper and lowercase letters.

What is an example of a bad password policy?

A bad password policy imposes a maximum password length on users. This is not recommended, as longer passwords are more difficult for attackers to crack.

Why is a password policy important?

A password policy is important as passwords serve as the first line of defense, making it harder for attackers to access sensitive organizational information through various password attacks.
