To raise awareness and encourage online safety, October has been established as Cybersecurity Awareness Month. In keeping with this theme, here are the top 10 password policy recommendations from the Center for Internet Security (CIS) that will help keep your data secure.
- Password Length (Min): This is the system-enforced minimum number of characters in a valid password. For password-only accounts, set it to 14 characters, and encourage and teach the use of passphrases.
- Password Length (Max): This is the system-enforced maximum number of characters in a valid password. Set no limit.
- Password Composition: This is the system-enforced character makeup of a valid password (allowing or disallowing certain character types, or requiring a certain number of each type). Allow all character types in a password. For password-only accounts, require at least 1 non-alphabetic character.
- Password Expiration: This is the system-enforced number of days a password remains valid before a change is forced. Change passwords immediately in response to events, with a one-year expiration as a "backstop".
- Password Banning: This is the system-enforced check of a newly created password against an internal deny list of known bad, weak, or recently used passwords. Recommended settings: check the top 20 or more common bad passwords on new password creation, keep a previously used password list of the last 5 or more, and set the password change delay to 1 day or more.
- Session Lock When Idle: This is the system-enforced duration before the current session is locked when it is idle (no user activity). Set it to 15 minutes of idle time or less, and unlocking the session should require the same type of login as the normal account login.
- Limit Failed Login Attempts: This is the system-enforced login delay or account lockout based on consecutive bad login attempts. Use either a temporary account lockout (15 minutes or more) after 5 consecutive failed attempts, or time-doubling throttling between each retry (0, 1, 2, 4, 8, etc. minutes). In both cases, apply a permanent account lockout (requiring an IT reset) after 10 consecutive failed attempts.
- Monitor Failed Login Attempts: This logs and continuously monitors bad login attempts. Alert key personnel when the login limit above is reached.
- Suspend Accounts on Non-Use: This suspends an account that is not being used. Automatically suspend the account after 45 days without a valid login.
- Password Hints (Login): This is the system allowing user-defined password "hints" at login. It is not recommended.
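To make the settings above concrete, here is an added reference implementation (not CIS's own code or tooling) of the password-composition, banning, and failed-login rules: the deny list, salt, and account state are constructed sample values, and PBKDF2 stands in for whatever slow password hash an account store already uses.

```python
import hashlib

MIN_LENGTH = 14           # CIS: 14 characters for password-only accounts, no maximum
HISTORY_SIZE = 5          # CIS: reject any of the last 5 passwords
MIN_CHANGE_HOURS = 24     # CIS: at least 1 day between password changes
TEMP_LOCKOUT_AFTER = 5    # CIS: temporary lockout after 5 consecutive failures
TEMP_LOCKOUT_MINUTES = 15
PERMANENT_LOCKOUT_AFTER = 10   # CIS: IT reset required after 10 consecutive failures

# Constructed stand-in for the "top 20 common bad passwords" list; not CIS data.
DENY_LIST = {"password", "123456", "qwerty123456", "letmein", "iloveyou"}

def digest(password: str, salt: bytes) -> bytes:
    """Hash a password for history comparison (PBKDF2 stands in for the store's own slow hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_new_password(candidate: str, salt: bytes, history: list, hours_since_change: float) -> list:
    """Return the policy violations for a proposed password; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isalpha():
        problems.append("needs at least one non-alphabetic character")
    if candidate.lower() in DENY_LIST:
        problems.append("on the deny list of common passwords")
    if digest(candidate, salt) in history[-HISTORY_SIZE:]:
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    if hours_since_change < MIN_CHANGE_HOURS:
        problems.append("changed less than 1 day ago")
    return problems

def login_decision(consecutive_failures: int, minutes_since_last_failure: float,
                   doubling: bool = False) -> str:
    """Decide whether a login may proceed: 'allow', 'locked', or 'reset_required'."""
    if consecutive_failures >= PERMANENT_LOCKOUT_AFTER:
        return "reset_required"            # permanent lockout, IT reset required
    if doubling:
        # Time-doubling throttle: 0, 1, 2, 4, 8 ... minutes between successive retries
        wait = 0 if consecutive_failures <= 1 else 2 ** (consecutive_failures - 2)
    else:
        # Temporary lockout of 15 minutes once the failure threshold is reached
        wait = TEMP_LOCKOUT_MINUTES if consecutive_failures >= TEMP_LOCKOUT_AFTER else 0
    return "allow" if minutes_since_last_failure >= wait else "locked"
```

The "reset_required" outcome is the point at which the monitoring item above should page key personnel rather than silently counting failures.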
Doing each of these things will reduce risk, but in the end CIS strongly recommends using a password manager that stores randomly generated passwords, together with Multi-Factor Authentication (MFA) wherever feasible, since this removes the total reliance on passwords for account security.