Sarbanes-Oxley Act password requirements

What is SOX?

The Sarbanes-Oxley Act (SOX) was passed in 2002 by the United States government to protect shareholders and the public from accounting errors and fraudulent activities in organizations. SOX compliance requires public firms to identify and protect all financial management resources, including reports, applications, supporting systems, and services, according to the specified standards. Noncompliance can result in fines, imprisonment, or both.

What are the SOX password requirements?

SOX does not mention any specific requirements concerning passwords or identity authentication for financial systems. However, financial organizations aiming to achieve holistic compliance with SOX are encouraged to adopt the following password and authentication best practices.

1. Use longer passwords

Passwords longer than 20 characters are difficult to crack. Hackers have to try numerous different combinations and still might not be able to guess the correct password when it is long enough.

2. Avoid common passwords

Using common words and numbers like password, admin, or 12345 in passwords makes them vulnerable to compromise. Passwords like these can be easily guessed during a potential dictionary attack.

3. Use passphrases instead of passwords

Passphrases, in contrast to passwords, are longer and easier to remember yet harder to crack. It could be something like Purple skies @nd pumpk1n seeds! This meets password complexity requirements and is quite catchy, making it hard to forget.

4. Do not reuse old passwords

Reusing old passwords or fragments of them might be convenient for users to remember, but it significantly increases the risk of those passwords being compromised. To improve password security, it is essential to prevent users from reusing old passwords.

5. Avoid personal information

Using personal information in passwords, such as usernames and birth dates, makes it easy for attackers to guess and breach them. Users are advised to choose passwords that do not contain any personal information in them.

6. Go beyond passwords

Having unsafe passwords as the only defense strategy poses a huge risk to underlying resources. To enhance identity security, users should be authenticated with strong MFA methods—such as biometrics, TOTPs, and security keys—alongside passwords.

7. Reduce human intervention in password management

When password reset requests are sent to a help desk, there might not be an identity verification process to ensure that the request is legitimate. Moreover, when new passwords are given in plaintext over a messaging application, this increases the possibility of password theft. Self-service password management is a more secure, convenient option that overcomes such challenges.

Make SOX compliance easy with ADSelfService Plus

ADSelfService Plus enables your organization to implement password management best practices with ease using the Password Policy Enforcer. Using custom policies that can be applied to chosen users, groups, or OUs in AD, you can enforce specific password and authentication requirements for users with varying access privileges for financial resources.

• Custom password length: Enforce longer passwords by configuring the minimum password length.
• Custom password complexity: Customize the usage of uppercase, lowercase, special, Unicode, and numeric characters in passwords.
• Compromised password restriction: Block compromised and weak end-user passwords that have dictionary words, predictable patterns, and palindromes.
• Username restriction in passwords: Restrict users from including usernames or consecutive characters from usernames in their passwords.
• Password history settings: Prevent users from reusing a specified number of their previous passwords during password resets and changes.
• Adaptive MFA: Secure user access to sensitive financial data by enabling MFA for machines, applications, VPNs, and OWA. Choose from 20 different authentication methods, including biometrics, FIDO passkeys, and YubiKey.
• Self-service password management: Allow users to reset forgotten passwords and unlock their accounts without help desk assistance.

Benefits of using ADSelfService Plus to comply with SOX

• Enforceable OU- and group-based policies: Granularly enforce multiple password policies in the same AD domain based on OU and group memberships.
• Increased password security: Enforce passphrases and restrict consecutive repeated characters and common character types in passwords.
• Conditional access policies: Implement stringent MFA methods for suspicious resource access requests using conditional access policies based on users' IP, location, and time of access.
• Compliance with other regulations and standards: Comply with not just SOX but also NIST SP 800-63B, HIPAA, the PCI DSS, and the CJIS Security Policy using ADSelfService Plus.