Quote:
Originally Posted by wildthing
CISA's seems pretty good. You can adapt that.
https://www.cisa.gov/secure-our-world/require-strong-passwords
Here's my recommendation:
1. Start with min 8 characters (12 after a year, then 16 after another year)
2. No words, username not in password
3. Mixed case
4. At least one special character
5. Six-digit birthdate not in password
6. Four digit birth year not in password
7. Change every 90 days.
8. Can't reuse last 5 passwords. (Then last 10 after 12 months.)
9. Can't change again within 3 days.
10. Use 2FA - text, biometric, or third party app.
A few that can't be fully enforced by any system:
1. Don't reuse same password across multiple sites.
2. Don't reuse same password for personal accounts.
3. Don't save your password on your browser or phone.
4. Don't write it down anywhere.
I guess what I meant was an HR policy.
We are already at 16-char complex, 90 days, no less than the last 10, and can't reuse within 30 days to eliminate password recycling; we use Duo and MS Authenticator for MFA.
What we want is a written policy that they will use MFA and use a password manager to create passwords for each site they go to. Specifically, a policy in HR where there are consequences for not following it, for example keeping password files or handwritten passwords to keep track of them.
At the moment, we can only tell people to not do bad things.
At my previous place, where I was director of IT, it was a no-questions-asked termination if you wrote your password down at your desk. That was in healthcare.
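The system-enforceable rules in the quoted list (1 through 9: minimum length, no dictionary words or username, mixed case, a special character, no six-digit birthdate or birth year, a reuse history and a minimum age between changes, plus the 90-day maximum age) as a worked example. This is an added Python validator, not code from the original thread, from CISA, or from either poster's environment. It assumes PBKDF2-SHA256 as a stand-in for whatever password hash the real directory uses (the point is that the history holds salted hashes, never plaintext), treats "six-digit birthdate" as MMDDYY or DDMMYY, and uses a tiny constructed wordlist in place of a real dictionary. Rule 10 (2FA) and the items that "can't be enforced by any system" are out of scope.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample wordlist; a real deployment would load a dictionary file.
SAMPLE_WORDLIST = ("password", "welcome", "summer", "company", "letmein")

# Hypothetical PBKDF2 parameters; any slow, salted hash would do here.
_PBKDF2_ITERATIONS = 50_000


@dataclass
class PasswordPolicy:
    min_length: int = 8       # rule 1 (12, then 16, as the policy ratchets up)
    history_depth: int = 5    # rule 8 (can't reuse last N)
    min_age_days: int = 3     # rule 9 (can't change again within N days)
    max_age_days: int = 90    # rule 7 (change every N days)


@dataclass
class AccountRecord:
    username: str
    birthdate: date
    # Newest first; each entry is (salt, pbkdf2 digest), never the plaintext.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


def _in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    # Re-derive with each stored salt; constant-time compare against the stored digest.
    return any(hmac.compare_digest(_hash(password, salt), digest) for salt, digest in history)


def check_password(policy: PasswordPolicy, account: AccountRecord, password: str,
                   now: datetime, wordlist=SAMPLE_WORDLIST) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    lower = password.lower()
    if len(password) < policy.min_length:
        problems.append("too short")
    if account.username.lower() in lower:
        problems.append("contains the username")
    if any(len(w) >= 4 and w.lower() in lower for w in wordlist):
        problems.append("contains a dictionary word")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs mixed case")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    bd = account.birthdate
    if bd.strftime("%m%d%y") in password or bd.strftime("%d%m%y") in password:
        problems.append("contains the six-digit birthdate")
    if str(bd.year) in password:
        problems.append("contains the birth year")
    if _in_history(password, account.history[:policy.history_depth]):
        problems.append("reuses one of the last %d passwords" % policy.history_depth)
    if account.last_changed is not None and now - account.last_changed < timedelta(days=policy.min_age_days):
        problems.append("changed within the last %d days" % policy.min_age_days)
    return problems


def set_password(policy: PasswordPolicy, account: AccountRecord, password: str, now: datetime) -> None:
    """Validate, then push a fresh salted hash onto the history and stamp the change time."""
    problems = check_password(policy, account, password, now)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(password, salt)))
    del account.history[policy.history_depth:]  # keep only what the reuse rule needs
    account.last_changed = now


def password_expired(policy: PasswordPolicy, account: AccountRecord, now: datetime) -> bool:
    """Rule 7: a password with no change record, or older than max_age_days, must be rotated."""
    return account.last_changed is None or now - account.last_changed >= timedelta(days=policy.max_age_days)
```

`PasswordPolicy(min_length=16, history_depth=10, min_age_days=30)` gives the settings the reply describes. Note that trimming the history to `history_depth` entries means that when the depth is later raised from 5 to 10, the extra five slots only fill up as users rotate; the validator can't retroactively block passwords it no longer has hashes for.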