Well, first decide on a minimum length. We use 8. Some of our vendors require more, usually 12.
Then the obvious, UPPER, lower, number and symbol. We require 3 of the 4.
You can't reuse a recent password. I think we are at 24 or 30 remembered passwords or something like that.
Set a password expiration. We do 90 days. Some do 60. We're now forcing 30 days on our admin accounts. I hate that.
I think that's all we require.
Other things that make it harder (better?)
No repeating characters, or only 2 in a row. Keeps me from changing my password from Password1 to Password11 to Password111.
Ban certain words, like the above. Don't allow the user to use any part of either their userid or name in the password.
A new one got thrown at me by a vendor recently. When you change your password, at least 5 characters have to be different from your old password. I suppose you could technically alternate between variations of two different passwords, I'll let you know in about 120 days or so.
If you're going to implement strong passwords, try to use single sign on for as much as possible. Or, like you mentioned, a password manager.
But, I'm really leery of cloud based password managers. Seems to me, if you want something to be secure, storing it in a cloud service is just asking for trouble. Maybe I'm just old.
MFA apps. We use Duo. Looking to dump it. Everyone hates it. We are using Crowdstrike now for AV, it has a MFA app, I think some coworkers are testing that.
Last - watch out for security vendors that make use of third party libraries.
Have you read the news about Polyfill.io? Okta uses Polyfill. We use Okta. We're probably screwed.
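As an added example that is not part of the original post: a small Python checker that implements the policy rules described above (minimum length 8, 3 of 4 character classes, at most 2 identical characters in a row, banned words, no part of the user id or name, a 24-password history, and at least 5 characters changed versus the old password). The function names, the SHA-256 comparison used for the history list, and the reading of "any part of the name" as whole name tokens of three or more characters are assumptions made for this example, not anything the poster's systems do.

```python
"""Password-policy checker for the rules discussed in the post.

Added example, not code from the original post. Thresholds are the
values the post mentions; everything else (names, hashing choice,
name-token matching) is an assumption made for illustration.
"""
import hashlib
import string
from typing import List, Optional

MIN_LENGTH = 8          # post: "We use 8"
MIN_CLASSES = 3         # post: "We require 3 of the 4"
MAX_REPEAT_RUN = 2      # post: "only 2 in a row"
HISTORY_SIZE = 24       # post: "24 or 30 remembered passwords"
MIN_CHANGED_CHARS = 5   # post: "at least 5 characters have to be different"
BANNED_WORDS = {"password"}  # constructed list; extend with whatever you actually ban


def password_fingerprint(pw: str) -> str:
    # History entries hold a digest, never plaintext (assumption for this example;
    # a production system would store salted password hashes such as bcrypt/argon2).
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def character_classes(pw: str) -> int:
    """Count how many of UPPER / lower / digit / symbol appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def changed_positions(new: str, old: str) -> int:
    """Positions that differ, with any length difference counted as changes."""
    diff = sum(1 for a, b in zip(new, old) if a != b)
    return diff + abs(len(new) - len(old))


def check_password(new: str, old: Optional[str], history: List[str],
                   user_id: str, full_name: str) -> List[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(new) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    if longest_run(new) > MAX_REPEAT_RUN:
        problems.append(f"more than {MAX_REPEAT_RUN} identical characters in a row")
    lowered = new.lower()
    for word in BANNED_WORDS:
        if word in lowered:
            problems.append(f"contains banned word {word!r}")
    # "Any part of their userid or name": the user id plus each name token of 3+ chars.
    for tok in [user_id] + full_name.split():
        if len(tok) >= 3 and tok.lower() in lowered:
            problems.append(f"contains part of user id or name ({tok!r})")
    if password_fingerprint(new) in history[-HISTORY_SIZE:]:
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    if old is not None and changed_positions(new, old) < MIN_CHANGED_CHARS:
        problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed from the old password")
    return problems


if __name__ == "__main__":
    # Constructed sample: the Password1 -> Password11 -> Password111 sequence from the post.
    hist = [password_fingerprint("Password1")]
    for candidate in ("Password11", "Password111", "Tr0ub4dor&3x!"):
        print(candidate, "->", check_password(candidate, "Password1", hist, "jsmith", "John Smith") or "OK")
```

Running the block shows why the post's "Password111" trick fails twice over (a run of three identical characters and too few changed positions) even before the banned-word check, while the history digest list is what stops simply cycling back to an earlier password.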