An array of information being stored online comes with major security risks. Therefore safeguarding data is an important consideration at any organization. And the security of your data relies heavily on the strength of your users’ passwords. The stronger your passwords, the more secure your data! It is important for administrators to drive a strong password policy enforcement, as it is the first layer of defence against black hat hackers and scammers.
A password policy is a set of rules created to upgrade an application’s security by requiring its users to frame a strong password and to utilize it in an appropriate way.
Why is Securing your Border Vital?
In today’s scenario setting up unique passwords for multiple applications is a burden for any user. Most users rely on using a single password for multiple applications, which can put the organization’s data at risk.
This makes implementing a strong password policy essential in protecting your data. Additionally, setting a Password Policy forms a part of the policies or rules for an organization to comply with ISO and PCI certifications.
Top Four Factors for Password Policies
Enforcing a strong password policy in an organization is an uphill task. There are some fundamental norms which are followed by a majority of organizations.
1. Length: The longer the password, the more difficult it is to crack. Set a minimum of 8 characters for your users’ passwords.
2.Complexity: The level of security depends on the complexity of the password framed. Passwords must have a mix of uppercase characters (A-Z), lowercase characters (a-z), numbers (0-9) and punctuations ( eg. !, #, $,*).
3.Expiration: A best practice in improving password security is to have a periodic password expiry. Most often the validity is 30/45 days and at the end of expiry date, the user is forced to change their password.
4.Uniqueness: Require users to set a unique password that has not been used previously when they reset their password.
How Can a Forgotten Password be Securely Retrieved?
When a user logs in with the right password, he is permitted to access the organization’s applications. On the other hand, when a user logs in with incorrect credentials, if the organization allows SSPR (Self Service Password Reset) then the system prompts the user to reset the password on his own.
Here’s how it works – a window pops up with a certain number of questions, and when the user answers all the questions correctly, he is permitted to reset the password. However, this process leaves the door open to social engineering attacks by black hat hackers.
A safer approach is to disallow SSPR in the password policy of an organization. In this scenario, the only way to reset a user’s password is to reach out the admin – this is safer and does not allow any intrusion through social engineering, and therefore reduces the data security threat.
I shall write more about SSPR and social engineering in my next article.
Enforce a strong custom Password Policy across your organization using Akku’s Password Policy Enforcement feature which brings it all together for improved security.