The Perfect Password Policy – Is There Really Such a Thing?

It’s easy to slip into bad password practices. I used a variation of the same password for years, based on my cat: ‘MrMcFluffington’, ‘McFluff1999’, and ‘Fluffstyle’. Most of these were left unchanged for years. So it should not have been the surprise it was when my social network accounts as well as my PayPal account were hacked. Luckily I only lost $170 and a few virtual friends.

The damage to a company could be far worse if a proper Password Policy is not implemented.

The prospect of creating a company-wide password policy may seem somewhat intimidating at first, but with a few simple guidelines, any business can easily create a more secure environment. Let’s take a look at some basics.

Keep Levels of Access in Mind

The first step in creating a successful Password Policy is understanding who needs access to what information. Your system should not be an open book for everyone. There’s absolutely no reason that the new summer marketing intern should have access to payroll records. Keep access restricted to what is required for the position. If the position changes or develops new responsibilities, then grant access only as needed. The in-house IT administrator or an outsourced network solutions company should be able to set up the proper access levels.

Change Often, Never Recycle

Companies are often dynamic and fluid places. This means that many people have access to the network and files over any given period of time. A good Password Policy should have mechanisms in place to handle this. The last thing a company would want is a disgruntled former employee out there with the passwords to sensitive materials. A good policy should allow for the flexibility to change the company passwords when anyone leaves.

Because of the above example and other reasons, passwords should never be recycled. Once it’s time to say good-bye to an old password, let it go.

To Generate or Not to Generate

One question that often comes up is, “Should I generate passwords for staff or should they come up with their own?” Unfortunately, this question cannot be answered simply. Each company needs to look at the advantages and disadvantages of both practices and see what fits their needs.

Passwords that are generated by the user will most likely be easier to remember and less likely to be written down. At some point, we’ve all been at a terminal, frantically trying to recall the nuances of a complicated password. “Was that an ‘O’ or a ‘0’?” “Was that fourth character an ‘S’ or was it a ‘$’?” Allowing staff to create their own passwords may help alleviate some of these frustrations. The following tips will be helpful in their process.

  • Never use ‘password’ as your password. This actually happens… a lot.
  • Use at least 8 characters. A few more would be great!
  • Don’t let your desk give you away. If your work environment is a shrine to Admiral Ackbar, your password should not reflect this.
  • Do use a combination of letters, numbers, and symbols. Get creative with characters. Substitute ‘()’ for an ‘O’, for example. Just make sure you’ll be able to remember these changes.
  • Never use an existing personal password. Your business password should be unique from any others you use.
  • Change your password often. A company’s password policy may state that a password should be changed every ‘X’ days. It’s helpful to mark this date down in a calendar.
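As an added illustration (not code from the original post), here is a small Python policy checker that encodes the tips above: a minimum of 8 characters, rejecting ‘password’ outright, a mix of letters, numbers and symbols, no reuse of an earlier password (compared against salted PBKDF2 hashes rather than stored plaintext), and a scheduled change date every ‘X’ days. The 90-day period and the sample passwords are assumptions of this example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy values taken from the post's tips; the 90-day period is an
# assumption, since the post leaves the 'X' up to each company.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
BANNED = {"password"}
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest); previous passwords are kept only in this form."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, stored):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_password(candidate, previous_hashes):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.lower() in BANNED:
        problems.append("banned")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(not c.isalnum() for c in candidate)
    if not (has_letter and has_digit and has_symbol):
        problems.append("no_mix")
    # "Never recycle": the candidate must not match any earlier password.
    if any(matches(candidate, stored) for stored in previous_hashes):
        problems.append("reused")
    return problems


def next_change_date(last_changed, max_age_days=MAX_AGE_DAYS):
    """The calendar date by which the password must be changed."""
    return last_changed + timedelta(days=max_age_days)


def is_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    return today > next_change_date(last_changed, max_age_days)
```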

If, however, you like the security of generating the employee passwords, then there are a few simple tips that may make things go more smoothly.

  • Don’t make a password too complicated. The chances of an employee remembering, ‘mai_j()b_i$ThEgR8est-l00k#theGIAnnTsqurriel%86753O9-yine!’ aren’t the greatest.
  • Inform the user that their password has indeed changed. Yep, this happens as well.
  • Keep change dates on a regular schedule. Don’t wait three years to change the passwords only to change them again in three days.

Know Thy Company

At the end of the day, there is no such thing as a perfect Password Policy that will work for every business. Work with IT and your network solutions provider to create a sensible and effective password policy that fits the company.

Once implemented, adjustments may be needed. Staying flexible and aware of the company’s needs will go a long way in securing important and sensitive information. The important thing is to make sure that a policy is put in place. It’s an easy thing to overlook when dealing with day to day business, but not having one can lead to costly consequences.