Strong Password Policy Requirements Protect Data, Systems

Posted on October 24, 2022October 24, 2022

It remains a critical and ever-evolving challenge to protect your organization’s data and operations from destructive forces such as unauthorized users, cyberattacks, and data breaches. The first level of security from such attacks is the implementation of strong password policies as a line of defense for an organization’s data security.

Balancing risk and user-friendliness is challenging. “When an employee has so many complex passwords to remember that they keep them on a sticky note attached to their computer screen, that could be a sign that your organization needs a wiser policy for passwords,” per NIST.gov.

Password Threats

“55% of people rely on their memory to manage passwords,” reported helpnetsecurity.com. Memory is a fickle tool. Recognizing this, many people keep hard-copy lists of their passwords, usually on their desks.
Composition rules are commonly used in an attempt to increase the difficulty of guessing user-chosen passwords. Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.
Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.

Tips for Strong Password Management

Effective Password Management goes beyond password strength. In the United States, we typically follow the NIST Guidelines. AAFCPAs provides below a summary of NIST 2021 password recommendations (NIST Special Publication 800-638 Digital Identity Guidelines) to help clients enhance their cyber security posture as it relates to password management.

Password length is more important than password complexity. We advise clients to encourage the use of passphrases and set the maximum password field length at 20-64 characters.
Utilizing symbols and characters in phrases as opposed to all letters. For example use the (;-) ) wink symbol in the phrase “Winking at me” instead of all letters.
Do not enforce regular password resets. Humans follow predictable patterns. NIST recommends that password resets should only be performed if a compromise is suspected.
Screen all new passwords against lists of commonly used and compromised passwords
Allow pasting of passwords and the option to show password while typing. The ease these features create helps avoid user frustration and likelihood of weak passwords.
Limit the number of failed password attempts before account lockout. Users should be locked out of their accounts after 3 or 5 failed password attempts, which can protect against brute force attacks.
Implement 2-factor authentication. 2FA is essential to network and web security because it immediately neutralizes the risks associated with compromised passwords.
Salt and hash passwords. The NIST password recommendations now include a requirement to salt passwords with at least 32 characters and to ensure they are hashed with a one-way key derivation function.
Educate users about password threats and how they should respond.

AAFCPAs provides Information Risk Management & Cybersecurity solutions, including System and Organization Controls (SOC) Attestations, IT Risk Assessments, and Vulnerability Management as a Service (VMaaS). These solutions include assessments of risks related to password policies. Our IT Security Professionals advise clients to defining strong password policy requirements and selecting centralized and local password management solutions. We also advise clients on threat mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms.

If you have question, please contact Andrew Mathieson at 774.512.9089, amathieson@nullaafcpa.com; or your AAFCPAs Partner.

About the Author

Andrew Mathieson, CISA, CDPSE, CCSFP, HITRUST, CISRCP, CCSK

Andrew is a seasoned IT risk & cybersecurity advisor and a leader in AAFCPAs’ Business Process & IT Consulting Practice responsible for providing information risk management, cybersecurity, and special IT attestation solutions. He helps clients—and those charged with governance and risk management—navigate their digital ecosystem with confidence. This confidence enables further innovation through technology! Andrew has extensive experience providing direction, supervision, performance, and review of audit engagements, including SOC 1, SOC 2, SOC for Cyber security, …

Related Insights

SOC Report 2022 Revised Points of Focus

In late 2022, the AICPA updated its guidance on performing System and Organization Controls (SOC) attestations with revised points of focus that offer enhanced context for meeting the criteria in your report. Organizations and their auditors should be aware of the updates and go through an exercise to actively incorporate these revised points of focus […]

A Startup’s First Steps to SOC Readiness

Early-stage companies have a lot to contend with, including funding, staffing, infrastructure, product development, and marketing, which can create a chaotic environment. Those that collect personal identifiable information or health information as part of their business model also must add earning their SOC (System and Organization Control) certification to the list. The SOC Report has […]

SOC Report: Why are our Sales & Marketing Teams Insisting we have one?

Prospects may ask for a SOC report as a way to assess the controls and processes in place at an organization before doing business with them. Many organizations, particularly in regulated industries or those that handle sensitive information, are required to demonstrate compliance with relevant regulations and industry standards. A SOC report can be an […]