Posted by Peter Bassill on 05/01/2021

Password Policy
When you talk about cyber security policies to your staff, I would guess you will see them quickly glaze over and moan about passwords. Passwords are the single biggest fundamental flaw in security. They do not work. So let me explain.
Back in 2008, at one of Ed Gibson's Microsoft CISO Council meetings, I said passwords are flawed and people need to stop using them. You see, IT departments had made it REALLY hard for users to remember passwords and really EASY for systems to break them. When a user has an 8-character password that must contain upper case, lower case, numbers and special characters, users are going to find the easiest way to comply. Fast forward to today, 2021, 13 years later, and we still see the same bad password policies being enforced; the only difference is that the minimum length is now 10 or 12 characters.
How should we use passwords (password construction)?
Let's start by dropping the word password. That implies one single word. Let's use passphrases instead. Like I said back in 2008, drop all the complexity and teach users how to make a memorable passphrase. After all, if my mum can do it, so can professional computer users. So how do you create a passphrase? Here is my advice from 2008, which is still my advice today.
Take 3 random words that you KNOW you will remember.
Put them together. Job done. Here is an example:
The change period for passwords, sorry, phrases, is something that can be argued from sun up to sun up. My rules are:
Domain Admin passwords: Use a password manager, set to 32 characters, leave well alone
Users with Administrative Privileges: Change every 180 days
Normal Users: Change when the password is suspected to be known
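As an added example (not code from the original post), here is a small Python check that applies the three-random-words rule above and also flags the shape of password that complexity rules tend to push users toward (one capitalised word, a digit or two, a symbol). The word-splitting rules and the sample inputs are my own assumptions.

```python
import re

# Constructed pattern (assumption): the classic "Capitalised word + digits
# + one symbol" shape users produce to satisfy upper/lower/digit/special rules.
FORCED_COMPLEXITY = re.compile(r"^[A-Z][a-z]+\d{1,4}[!@#$%^&*.]?$")


def looks_like_forced_complexity(candidate: str) -> bool:
    """True when the candidate is really a single word dressed up to pass
    a complexity rule rather than a multi-word passphrase."""
    return bool(FORCED_COMPLEXITY.match(candidate))


def passphrase_words(phrase: str) -> list[str]:
    """Split a passphrase into words. Accepts spaces, hyphens, underscores
    or CamelCase boundaries as separators (assumption about input style)."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", phrase)
    return [w for w in re.split(r"[\s\-_]+", spaced) if w]


def check_passphrase(phrase: str, min_words: int = 3) -> tuple[bool, list[str]]:
    """Evaluate a candidate against the 'three random words' rule.

    Returns (accepted, problems). No character-class complexity is demanded;
    the checks are: enough distinct words, and not a forced-complexity shape.
    """
    problems: list[str] = []
    words = passphrase_words(phrase)
    if len(words) < min_words:
        problems.append(f"needs at least {min_words} words, found {len(words)}")
    if len({w.lower() for w in words}) < len(words):
        problems.append("contains a repeated word")
    if looks_like_forced_complexity(phrase):
        problems.append("looks like one word forced through complexity rules")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("purple tractor kettle", "PurpleTractorKettle",
                   "Password1!", "cat cat dog"):
        ok, why = check_passphrase(sample)
        print(f"{sample!r}: {'OK' if ok else 'rejected: ' + '; '.join(why)}")
```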
Two Factor Authentication
A lot has changed in 2FA technology over the last 10 years. I have always been an advocate of something you know and something you have, and I still use a YubiKey and a proximity card to provide three-factor authentication: something I know (my passphrase), something I have (my YubiKey) and something I am (my proximity chip). Of course, that is a level of authentication that far surpasses what organisations will ever implement, but standard two-factor authentication (2FA) is so prevalent that it can be used everywhere.
Where should 2FA be used?
From a policy perspective, I would be mandating 2FA use for:
access to all cloud services (email, O365, Salesforce, HubSpot, cloud storage, etc.)
logging into workstations
access to key business information systems
Download the Template Policy