We are celebrating World Password Day!
With account compromises becoming more frequent, secure password practices matter more than ever.
As a Managed Service Provider, part of our commitment to our clients is to help them be as secure as possible. As such, we will be recommending password policies for all network accounts for our clients.
What is a password policy?
A password policy is a set of rules that govern password use. These rules include things like number of characters required, maximum age of a password, how often a password can be reused, the complexity of the password, etc.
What are the recommended settings?
Recommendations vary depending on who you ask, and there is genuine disagreement over whether length or complexity matters more (length generally wins: a long passphrase resists offline cracking better than a short password with a few symbols in it). Most online services enforce a policy of their own, so those accounts are covered. Windows accounts, on the other hand, often have no policy at all, and that is a security weakness. To establish a baseline that more specific policies can build on, VentureNet recommends the following as the bare minimum.
- Maximum password age – passwords cannot be older than one year
- Minimum password age – passwords cannot be changed within one day of the last change (without this, a user could cycle through 24 throwaway passwords in a minute and land right back on the old one)
- Minimum password length – passwords must be at least 8 characters (this is a floor, not a target; longer passphrases are stronger)
- Password history – the previous 24 passwords are remembered and cannot be reused
- Password complexity – passwords must contain characters from at least three of the following categories (this is how the built-in Windows setting "Password must meet complexity requirements" works; it also rejects passwords that contain the user's account name)
  - Lowercase letters
  - Uppercase letters
  - Numbers (0-9)
  - Special characters
Is this enough to keep us secure?
No single security measure is enough on its own. But a policy that requires complex passwords and retires them on a schedule makes your network that much harder to attack, because a weak or leaked password does not stay valid indefinitely.
A password policy is not the only thing to consider, either. Using a common pattern across all user passwords is a serious risk, because it makes it effectively impossible to lock a former employee out: anyone who knows the pattern and the names of a few colleagues can get right back in.
For example, you have an employee named John Doe whose password follows the company pattern, JD.s3cur3!, like everyone else's. John gets let go, but he can guess Jane Smith's password because it follows the same pattern. So he logs back into the network as JS.s3cur3! and can wreak all kinds of havoc.
As a result, VentureNet strongly discourages a common pattern for user passwords. There is no reason for one: as administrators of your network, we can reset a password with minimal effort, so a user forgetting a unique password is a minor inconvenience. That is far better than the alternative of being unable to secure your network.
What else does VentureNet recommend for account security?
Another control that should go hand-in-hand with a password policy is an account lockout policy. It locks an account after a set number of consecutive failed logon attempts and keeps it locked for a set time. This blunts online brute-force guessing, since an attacker can no longer try passwords one after another indefinitely. Two caveats: a lockout cannot stop password spraying, where an attacker tries one or two common passwords against many accounts and stays under the threshold for each, and an attacker who knows your usernames can deliberately lock people out, which is why the lockout duration below is kept short.
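Because a lockout only fires when one account takes the hits, it helps to see what the two attack shapes look like in the logs. The PowerShell below is an added example, not from the VentureNet post: it classifies Windows failed-logon events (Security event ID 4625) into a brute-force attempt on one account versus a password spray that stays under the threshold. The events in it are constructed sample data so the script runs offline; the account names, addresses and the 3-account spray cutoff are assumptions for the demonstration.

```powershell
# Added example, not from the VentureNet post. Constructed 4625-style events are
# analysed against the recommended lockout threshold (5) and reset window (10 min).
# On a real host, feed it live events instead, e.g.:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddMinutes(-10)}
# and read TargetUserName / IpAddress from each event's XML (EventData section).

$lockoutThreshold = 5                          # from the recommended lockout policy
$window           = New-TimeSpan -Minutes 10   # same as the recommended reset time
$now              = Get-Date

function New-FailedLogon {
    param([datetime]$Time, [string]$User, [string]$Source)
    [pscustomobject]@{ TimeCreated = $Time; TargetUserName = $User; IpAddress = $Source }
}

# Constructed sample data (assumed names and addresses).
$events = [System.Collections.Generic.List[object]]::new()
# Brute force: jsmith fails 8 times from one host in two minutes; lockout would fire at 5.
for ($i = 1; $i -le 8; $i++) {
    $events.Add((New-FailedLogon -Time $now.AddSeconds(-15 * $i) -User 'jsmith' -Source '10.0.0.55'))
}
# Spray: one external source tries 4 passwords against each of five users; never reaches 5.
foreach ($u in 'adoe', 'bkim', 'clee', 'dpatel', 'efox') {
    for ($i = 1; $i -le 4; $i++) {
        $events.Add((New-FailedLogon -Time $now.AddSeconds(-30 * $i) -User $u -Source '198.51.100.7'))
    }
}
# Noise: a single typo from a workstation.
$events.Add((New-FailedLogon -Time $now.AddMinutes(-3) -User 'mwong' -Source '10.0.0.12'))

function Find-LogonAttacks {
    param([object[]]$Events, [int]$Threshold, [timespan]$Window, [datetime]$Now, [int]$MinSprayAccounts = 3)
    $recent = @($Events | Where-Object { $_.TimeCreated -ge ($Now - $Window) })

    # Brute force: one account with >= Threshold failures inside the window (what lockout catches).
    $brute = @($recent | Group-Object TargetUserName | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{ Kind = 'BruteForce'; Key = $_.Name; Attempts = $_.Count; Accounts = 1 }
    })

    # Spray: one source hitting several accounts, each below Threshold (lockout never fires).
    $spray = @($recent | Group-Object IpAddress | ForEach-Object {
        $perUser    = @($_.Group | Group-Object TargetUserName)
        $maxPerUser = ($perUser | Measure-Object -Property Count -Maximum).Maximum
        if ($perUser.Count -ge $MinSprayAccounts -and $maxPerUser -lt $Threshold) {
            [pscustomobject]@{ Kind = 'PasswordSpray'; Key = $_.Name; Attempts = $_.Count; Accounts = $perUser.Count }
        }
    })
    $brute + $spray
}

# Expected: BruteForce on jsmith (8 attempts) and PasswordSpray from 198.51.100.7 (20 attempts, 5 accounts).
Find-LogonAttacks -Events $events -Threshold $lockoutThreshold -Window $window -Now $now | Format-Table -AutoSize
```

For domain accounts the same signals live on the domain controllers: 4771 (Kerberos pre-authentication failure) and 4776 (NTLM validation failure) for the attempts, and 4740 when an account actually gets locked out. The spray branch is the one to watch, because the lockout policy alone will never raise it.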
VentureNet recommends the following account lockout policy (the Windows setting names are in parentheses):
- Account lockout threshold – the account locks after 5 consecutive invalid logon attempts
- Account lockout duration – the account stays locked for 10 minutes
- Account lockout reset time ("Reset account lockout counter after") – the count of invalid attempts is cleared after 10 minutes; Windows requires this to be no longer than the lockout duration
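The password settings and the lockout settings above land in the same place in Windows, the Account Policies section of Security Settings. The PowerShell below is an added example, not from the VentureNet post: it writes both sets of values as a security template (.inf), the format Group Policy's Security Settings use, applies it to the local policy of a standalone or workgroup machine with secedit, and then checks what is actually in effect. File paths, and the assumption of an elevated session on English-language Windows (the `net accounts` labels are parsed verbatim), are assumptions for the demonstration.

```powershell
# Added example, not from the VentureNet post. Applies the recommended password and
# lockout baseline to the LOCAL security policy. On a domain, import the same .inf
# into the GPO instead (GPMC > Computer Configuration > Policies > Windows Settings >
# Security Settings, right-click > Import Policy...). Run as an administrator.

# Single-quoted here-string so "$CHICAGO$" is not treated as a variable.
$template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 365
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 10
LockoutDuration = 10
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Placeholder paths (assumption); any writable location works.
$inf = Join-Path $env:TEMP 'venturenet-baseline.inf'
$db  = Join-Path $env:TEMP 'venturenet-baseline.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode

# Configure only the account-policy area; other areas of the local policy are untouched.
secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Verify by parsing `net accounts`, which reports the policy now in effect.
# (Complexity is not shown there; check it with secedit /export or gpresult.)
function Get-EffectiveAccountPolicy {
    $policy = @{}
    foreach ($line in (net.exe accounts)) {
        if ($line -match '^(.+?):\s+(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $policy
}

$expected = @{
    'Minimum password age (days)'           = '1'
    'Maximum password age (days)'           = '365'
    'Minimum password length'               = '8'
    'Length of password history maintained' = '24'
    'Lockout threshold'                     = '5'
    'Lockout duration (minutes)'            = '10'
    'Lockout observation window (minutes)'  = '10'
}
$actual = Get-EffectiveAccountPolicy
foreach ($k in $expected.Keys) {
    $state = if ($actual[$k] -eq $expected[$k]) { 'OK  ' } else { 'FAIL' }
    '{0} {1}: expected {2}, got {3}' -f $state, $k, $expected[$k], $actual[$k]
}
```

Two details worth knowing: `MaximumPasswordAge = 365` is "one year" in the template's unit of days, and `ResetLockoutCount` must not exceed `LockoutDuration` or secedit will reject the template. Editing the domain object directly with Set-ADDefaultDomainPasswordPolicy is tempting, but the values the Default Domain Policy GPO defines are reapplied on the PDC emulator at the next policy refresh, so the GPO is the place to change them.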
We also recommend a screen lock timeout. If a desktop stays unlocked indefinitely, anyone who sits down at it gets access to network resources with that user's full permissions. A short inactivity limit (Group Policy's "Interactive logon: Machine inactivity limit", or a screen saver with password protection enabled) closes that window.
How do we proceed with implementing a password policy?
It’s simple! We are happy to set up a policy for you. We use Microsoft’s Group Policy to push the settings to every account at once, and we can flag accounts to change their password at next logon so that every new password is forced to meet the policy. Contact us at 214-343-3550 to get started.