Every organization needs a password policy. A poorly chosen password may result in unauthorized access and/or exploitation of your organization’s resources. A policy coordinates all users about how they create and maintain passwords. But what should the policy contain?

The main elements are standards for creating strong passwords, protecting passwords, and how often to change them. The policy also needs to spell out to whom it applies, which is basically everybody in the organization with access to any of its computers, its network, or its confidential machine-readable information.

In general, the specific practices in the policy should include changing all passwords every three months, keeping all production system-level passwords in an encrypted password-management database, and creating and maintaining user-level passwords according to specified guidelines.

Guidelines for Creating Passwords

Here are some guidelines for creating passwords.

• Passwords should be at least 15 characters long and contain a mix of at least three character types. These types include lower case, upper case, numbers, punctuation marks, and special characters like )(*&^%$#@!
• Passwords should not be words found in a dictionary, names, birthdays, phone numbers, addresses, word or number patterns like aaabbb or 123321, or other similarly weak passwords. This includes any of the former spelled backwards. A word preceded or followed by a digit is not strong enough
• Passwords should be memorable but still very hard to crack. One method is to pick a phrase and then rewrite it in abbreviated form. A famous example, which you should not use, is to write the phrase “This May Be One Way to Remember” as “TMB1w2R!”

Protecting Passwords

Beyond creating passwords, the policy should include standards for protecting them. Here are some good guidelines.

• Users should create different passwords for organization-related uses and personal uses.
• Don’t share passwords with ANYBODY or speak about them in front of ANYBODY! This includes not putting them on questionnaires or security forms.
• Don’t write passwords down or store them on line, unless they are in an encrypted password management system.
• Don’t use the “remember password” function of browsers or operating systems for organization-related passwords.
• If you think a password has been compromised, report the issue to IT immediately.

Did I cover everything? Leave a comment with suggestions for what else should be in the policy. And if you would like to see a model policy in more formal language, email me at t.haight@cgnet.com.