Password policy for enterprise

[flipper35]

We are looking for a generic policy for passwords. Not so much complexity but requiring MFA, use of a password manager, immediate termination for writing it down at your desk. Stuff like that.

Anyone have a template or generic oner to share? Our MFA or password vault vendors have not been of any help.

Figured, you all are smart and someone should have something already. Amiright?

We are in finance if that makes a difference.

[Dixie]

You know those online questions you answer to reset your password? Like, pick the address you've lived at before, where where you born, or what's your mother's maiden name? I always wonder why they can't be used in lieu of a password?

At my last job we were required to use 16 byte passwords since Government contracts were involved. It needed to have letters, symbols, numbers, no common words, no repeats, couldn't have been used before, blah, blah, blah...
I swear I was resetting my password every second day.

[wildthing]

CISA's seems pretty good. You can adapt that.
https://www.cisa.gov/secure-our-world/require-strong-passwords

Here's my recommendation:
1. Start with min 8 characters (12 after a year, then 16 after another year)
2. No words, username not in password
3. Mixed case
4. At least one special character
5. Six-digit birthdate not in password
6. Four digit birth year not in password
7. Change every 90 days.
8. Can't reuse last 5 passwords. (Then last 10 after 12 months.)
9. Can't change again within 3 days.
10. Use 2FA - text, biometric, or third party app.

A few that can't be fully enforced by any system:
1. Don't reuse same password across multiple sites.
2. Don't reuse same password for personal accounts.
3. Don't save your password on your browser or phone.
4. Don't write it down anywhere.

[rockfan4]

Well, first decide on a minimum length. We use 8. Some of our vendors require more, usually 12.
Then the obvious, UPPER, lower, number and symbol. We require 3 of the 4.
You can't reuse a recent password. I think we are at 24 or 30 remembered passwords or something like that..
Set a password expiration. We do 90 days. Some do 60. We're now forcing 30 days on our admin accounts. I hate that.
I think that's all we require.
Other things that make it harder (better?)
No repeating characters, or only 2 in a row. Keeps me from changing my password from Password1 to Password11 to Password111.
Ban certain words, like the above. Don't allow the user to use any part of either their userid or name in the password.
A new one got thrown at my by a vendor recently. When you change your password, at least 5 characters have do be different from your old password. I suppose you could technically alternate between variations of two different passwords, I'll let you know in about 120 days or so.

If you're going to implement strong passwords, try to use single sign on for as much as possible. Or, like you mentioned, a password manager.
But, I'm really leery of cloud based password managers. Seems to me, if you want something to be secure, storing it in a cloud service is just asking for trouble. Maybe I'm just old.

MFA apps. We use Duo. Looking to dump it. Everyone hates it. We are using Crowdstrike now for AV, it has a MFA app, I think some coworkers are testing that.

Last - watch out for security vendors that make use of third party libraries.
Have you read the news about Polyfill.io? Okta uses Polyfill. We use Okta. We're probably screwed.

[GH85Carrera]

Ok, so the employees are expected to memorize a long string of letter and symbols and they can't write it down? No words in the password to help them remember?

And then change it regularly to boot. Wow. I have a hidden file on my computer that is my list of passwords for the different site I use. It is a long list.

One password for one program I use a lot is one I have not changed since 1988. It is not on the internet, so it really does not matter.

[flipper35]

Quote:

Originally Posted by wildthing

CISA's seems pretty good. You can adapt that.
https://www.cisa.gov/secure-our-world/require-strong-passwords

Here's my recommendation:
1. Start with min 8 characters (12 after a year, then 16 after another year)
2. No words, username not in password
3. Mixed case
4. At least one special character
5. Six-digit birthdate not in password
6. Four digit birth year not in password
7. Change every 90 days.
8. Can't reuse last 5 passwords. (Then last 10 after 12 months.)
9. Can't change again within 3 days.
10. Use 2FA - text, biometric, or third party app.

A few that can't be fully enforced by any system:
1. Don't reuse same password across multiple sites.
2. Don't reuse same password for personal accounts.
3. Don't save your password on your browser or phone.
4. Don't write it down anywhere.

I guess what I meant was an HR policy.
We are already 16 char complex, 90 days, no less than the last 10, can't reuse within 30 days to eliminate password recycling, we use Duo and MSAuthenticator for MFA.

What we want is a written policy that they will use MFA and use a password manager to create passwords for each site they go to. Specifically a policy in HR where there are consequences for not following the policy - for example password files or handwritten passwords to keep track.

At the moment, we can only tell people to not do bad things.

My previous place where I was director of IT it was a no questions asked termination of you wrote your password down at your desk. That was in healthcare.

[Icemaster]

Does your company have an Acceptable Use policy? That will give you latitude to address things like the password behavior, what they're allowed to use company owned devices for, what they're allowed to do on the company network etc. Guidance is for them to be part of any new hire on-boarding documentation, review them annually and get them re-signed if there's updates made to them.

Security standards are where the specifics on password complexity should be housed, it sounds like you've got that covered pretty well, but your creating a bit of a hybrid policy combined with a procedure. Doable, but sometimes gets complicated.

Acceptable Use Policy is your best friend. Feel free to PM me if you want, cyber and security audit compliance is my day job.

[RNajarian]

I have a weird talent/curse that I have remembered the license plate number of (most) every car I have ever owned. I use my license plates as my passwords.

The format for current CA plates is;

Number Three Letters Three Numbers

Example: 1Abc234

I combine two license plates and put a special character at the end. The first letter of each license plate is always capitalized, the rest are lower case. The beauty is my password hints are the cars that the license plates belonged to. For example, “T-Bird Mustang” I know to use the license plate of my long gone T-Bird and Mustang.

Here is a format of one of my passwords

1Abc2347Def567#

Of course plates prior to 1979 were the following format

123ABC

I can mix those in as well.

[wdfifteen]

What is the rationale for changing a password so often?

One challenge question option is always, "What is your mother's maiden name?"
Well, Kathryn, or Kathrine she has spelled it both ways, and her birth certificate has her last name spelled differently than her high school diploma, or the way her father spelled it. I can never remember the "correct" spelling of either one, so I never choose that option.

[Dixie]

Here are a few alternatives to passwords.

• Biometric authentication: Uses unique physical attributes like fingerprints, facial recognition, or iris scans
• Possession factors: Uses one-time passwords (OTPs) or registered smartphones
• Hardware tokens: Uses security keys
• Mobile device authentication: Uses SMS or app-based one-time codes
• Personal USB stick: Allows users to log into IT infrastructure without typing credentials

No one is going to remember multiple passwords that are long and complex. They'll resort to writing them down. That defeats the entire reason for having passwords.

[GH85Carrera]

Over 30 years ago, one of my boss's best friends was THE email administrator of SW Bell, that became AT&T after the Bells reformed into AT&T after the breakup.

Anyway, way back then he had a credit card sized gizmo that had random numbers showing up all the time. If he needed to log in, he had to punch in the numbers from that gizmo to access the network. They changed constantly, so he had like a minute before the next set of number appeared. It was cool tech but likely expensive.

He was also in charge of all the SW Bell billing department. He gave me a tour of the office were every single paper bill was printed. If you remember the olden days of receiving a paper bill that listed every single long distance call, and the amount charged for the call on certain width paper, it came from that office in downtown OKC. The printer was astonishing. It took a roll of paper 6 feet tall loaded on a printer, and it moved through at astonishing speed, and hurled the paper into the air in a arch across the room, into a catcher box to be folded and inserted into the envelopes.

[id10t]

Quote:

Originally Posted by Dixie

Here are a few alternatives to passwords.

• Biometric authentication: Uses unique physical attributes like fingerprints, facial recognition, or iris scans
• Possession factors: Uses one-time passwords (OTPs) or registered smartphones
• Hardware tokens: Uses security keys
• Mobile device authentication: Uses SMS or app-based one-time codes
• Personal USB stick: Allows users to log into IT infrastructure without typing credentials

No one is going to remember multiple passwords that are long and complex. They'll resort to writing them down. That defeats the entire reason for having passwords.

Proper enterprise should have a single password and user, and use ldap, saml or other centralized auth for service. End result is I have two work passwords to remember - my cuurent domain pw and the one for my ssh key

Shared passwords - root or other shared admin accounts etc - are in a shared password manager that has saml login controlling access

[flipper35]

Quote:

Originally Posted by GH85Carrera

Over 30 years ago, one of my boss's best friends was THE email administrator of SW Bell, that became AT&T after the Bells reformed into AT&T after the breakup.

Anyway, way back then he had a credit card sized gizmo that had random numbers showing up all the time. If he needed to log in, he had to punch in the numbers from that gizmo to access the network. They changed constantly, so he had like a minute before the next set of number appeared. It was cool tech but likely expensive.

He was also in charge of all the SW Bell billing department. He gave me a tour of the office were every single paper bill was printed. If you remember the olden days of receiving a paper bill that listed every single long distance call, and the amount charged for the call on certain width paper, it came from that office in downtown OKC. The printer was astonishing. It took a roll of paper 6 feet tall loaded on a printer, and it moved through at astonishing speed, and hurled the paper into the air in a arch across the room, into a catcher box to be folded and inserted into the envelopes.

We have those for some people also.

[flipper35]

Quote:

Originally Posted by id10t

Proper enterprise should have a single password and user, and use ldap, saml or other centralized auth for service. End result is I have two work passwords to remember - my cuurent domain pw and the one for my ssh key

Shared passwords - root or other shared admin accounts etc - are in a shared password manager that has saml login controlling access

That is pretty much how we do it other than we use PMP for access to the servers and it uses a rolling password, that way we can audit who logged in by the access through PMP using their domain creds as opposed to their normal login creds.

Again, this isn't about the actual passwords, but is about people not having consequences for any behavior that puts the company at risk when they know better.

[flipper35]

Quote:

Originally Posted by wdfifteen

What is the rationale for changing a password so often?

One challenge question option is always, "What is your mother's maiden name?"
Well, Kathryn, or Kathrine she has spelled it both ways, and her birth certificate has her last name spelled differently than her high school diploma, or the way her father spelled it. I can never remember the "correct" spelling of either one, so I never choose that option.

If you are breached the passwords for the entire company can be breached in X amount of time based on length and complexity. A 20 char pass phrase will take longer than an 8 char complex password for example.

[3rd_gear_Ted]

Sending phishing e-mails to your own employees to see how they respond is how we measured the success of the training.
1st time is repeat training
2nd time is coaching and counseling on the severity of the issue is to the company.
3rd time is suspension or termination

[MBAtarga]

Quote:

Originally Posted by GH85Carrera

Anyway, way back then he had a credit card sized gizmo that had random numbers showing up all the time. If he needed to log in, he had to punch in the numbers from that gizmo to access the network. They changed constantly, so he had like a minute before the next set of number appeared. It was cool tech but likely expensive.

That device was likely an RSA Hard Token - which is used for MFA.
Yubikeys are another current MFA option.

I'm in a Security group at a large telecom/mobile provider.
We were recently forced to update passwords to a 15 char minimum!

[masraum]

Quote:

Originally Posted by MBAtarga

That device was likely an RSA Hard Token - which is used for MFA.
Yubikeys are another current MFA option.

I'm in a Security group at a large telecom/mobile provider.
We were recently forced to update passwords to a 15 char minimum!

Yep, RSA hard token. Now we use RSA soft token on personal cell phone.

Yes, my corp updated from 8 char min to 16 char min (which is actually a huge step forward WRT security). At the same time as the change from 8 --> 16, the required complexity was reduced. The other good news is that when it was 8 char, it had to be changed quarterly. Now that it's 16 char, it's also good for a year..

[masraum]

Quote:

Originally Posted by 3rd_gear_Ted

Sending phishing e-mails to your own employees to see how they respond is how we measured the success of the training.
1st time is repeat training
2nd time is coaching and counseling on the severity of the issue is to the company.
3rd time is suspension or termination

Yes, we have mandatory training with a test that you have to get a minimum score on. It's also possible to test before the training, and if you pass the "pre-test" then you don't have to take the training.

In addition to the training, fake malicious emails are sent that you have to respond to appropriately.

[masraum]

Quote:

Originally Posted by wdfifteen

What is the rationale for changing a password so often?

One challenge question option is always, "What is your mother's maiden name?"
Well, Kathryn, or Kathrine she has spelled it both ways, and her birth certificate has her last name spelled differently than her high school diploma, or the way her father spelled it. I can never remember the "correct" spelling of either one, so I never choose that option.

Something that most folks don't know/think about, is that you can have a fixed set of answers.

For instance, you could remember
Sec question 1 answer or 1st grade teacher: purple people eater
Sec question 2 answer or mother's maiden name: blueberry
Sec question 3 answer or first pet's name: clockwork orange

And use those answers everywhere. It doesn't matter if the "answer" is correct for the "question". All that matters is that you know what the answer is.

So "mothers maiden name" could be "cookie monster", and as long as you know that and use it every time, you're good. And, in some ways, it's probably far more secure, because if someone is able to find your mother's actual maiden name, they still don't have the correct answer to the question.