Create and enforce a password policy across the enterprise

How to create an effective password policy

To enforce a password policy effectively, IT must create universal rules across the network. That means setting a minimum character count of eight to 12, requiring certain levels of complexity within the password, enforcing stringent history requirements and more. It also means applying those password policies to Windows domains, databases, local Windows user accounts or anything else that requires authentication. Multifactor authentication can certainly help, but it's rare to see that level of granular control network-wide.

One of the most consequential password security policies is how often users change their passwords. IT administrators should enforce a password policy that requires users to change their passwords every 30 to 90 days. They should also bear in mind that password change requirements are not particularly effective if password length and complexity requirements are not in place as well.

For example, some IT admins believe they can get away with only six or seven-character passwords if their users change their passwords more often. Technically speaking, there is some validity to having shorter and less complex passwords that users change often, but that approach has been refuted over the years, including in the National Institute for Standards and Technology password guidelines.

The real challenge with making users change their passwords so often is the users themselves. It's easy for IT admins to come up with a password policy and assume everyone will abide by it, but that's not the reality.

In reality, to enforce a password policy that requires users and executives to change their passwords makes them see IT and its security efforts as a barrier to getting work done. If the animosity gets bad enough, IT might try to enforce more reasonable password policies, but the outcry from users could become so bad that executive management will have to force IT to roll back the requirements.

In other cases, executives could request that certain staff members or departments -- including themselves -- be exempt from password policies because the existing policy is too inconvenient. In any case, if IT is forced to roll back the network-wide password policy, all user accounts will be less secure.

Enforce a password policy now so that network systems don't continue to be a part of the problem.

It's easy for IT admins to get frustrated with users and management in these situations, but the reality is, there's something bigger at play here -- a lack of communication and education. IT must be aware of this and be willing to not only make a good case as to why it wants to enforce a password policy a certain way, but also be willing to ratchet things down when it gets pushback.

Look at the bigger picture

If there's anything IT admins can learn from all the incidents and data breaches going on nowadays, it is that no matter how secure they think they are, there's always more they can do. Weak and default passwords still make up a significant number of security events and breaches. Enforce a password policy now so that network systems don't continue to be a part of the problem.

To do so, IT admins should look at the bigger picture of how they're controlling account access. It's probably not as effective as they think it is. Password standards and policy enforcement must go beyond Active Directory for the enterprise to see true change.

If IT admins have an upcoming security assessment, such as a vulnerability and penetration test, they should think about making it a password-centric review. Look at the network from every possible angle, including production systems and development and testing systems both locally and in the cloud.