Password policy for enterprise

[Dixie]

Quote:

Originally Posted by masraum

For instance, you could remember
Sec question 1 answer or 1st grade teacher: purple people eater
Sec question 2 answer or mother's maiden name: blueberry
Sec question 3 answer or first pet's name: clockwork orange

Or the question is the answer.
1) First Grade
2) Mother's Maiden
3) First Pet

[wildthing]

Quote:

Originally Posted by flipper35

I guess what I meant was an HR policy.
We are already 16 char complex, 90 days, no less than the last 10, can't reuse within 30 days to eliminate password recycling, we use Duo and MSAuthenticator for MFA.

What we want is a written policy that they will use MFA and use a password manager to create passwords for each site they go to. Specifically a policy in HR where there are consequences for not following the policy - for example password files or handwritten passwords to keep track.

At the moment, we can only tell people to not do bad things.

My previous place where I was director of IT it was a no questions asked termination of you wrote your password down at your desk. That was in healthcare.

I've not seen this on an HR Policy/Employee Handbook. They simply reference a Security Policy. E.g. "All ACME employees are expected to follow the policies outlined in the Acme Data Privacy and Security Policy. Violations of this policy can result in disciplinary action and/or termination of employment." And then in that linked security policy document, you outline the ones you mentioned.

[stealthn]

Sorry passwords for what? What are you protecting, internal system, SaaS apps, ?

MFA and password managers are a must these days, I have hundreds of passwords for things and I don’t know a single one If an employee gets let go or quits, their account is disabled and they have access to nothing.
Password less is the new buzz, but start with something like Duo and Passportal, you could use the excuse the password manager forces us to use complex passwords