Company password policy

Companies that store sensitive data and confidential information, the leakage of which must be avoided, look for the most effective methods of protecting themselves against such events. Unfortunately, not all companies remember that password policy is a key element to consider. After all, the more employees a company has, the greater the risk that information leaks outside the company's systems.

Employers usually give employees a great deal of freedom in choosing their login details. This often results in passwords that are very easy to crack, and thus unauthorized persons may gain access to sensitive data.

What is the password policy?

Password policy is, or at least should be, part of a larger document called the security policy, which in view of the new Personal Data Protection regulations is required in every enterprise. Its task is to manage employee access and set standards for creating passwords. It is therefore important for ensuring the security of the data processed in the company.

This document should contain information about the procedures for changing passwords for individual systems. Systems containing personal data should force a change of passwords every 30 days. You can set any value for other systems, but you should change your password every 6 to 12 months.

It often happens that users are unable to provide the current password during the procedure of changing it. It is therefore a very good habit to set a minimum time of at least 3 months during which the user will not be able to set the same password twice in a row.

You should also pay attention to properly locking an account for which a wrong password has been entered multiple times. This is important because it will prevent brute force attacks, which rely on an unlimited number of automated attempts to guess the password.

Last but not least, password policy should regulate good practices for creating and storing passwords. Above all, however, employees should be aware of the password policy procedures for data storage security.

What should a good password look like and how to store it?

Good password construction is the basis for creating an effective password policy. This means that there are a few rules to follow when creating a strong password:

  • Passwords should be different and completely unrelated for each service / system. It is not allowed to use the same word in each entry and only change the numbers at the end.

  • Passwords should not consist of words found in dictionaries.

  • The longer the password, the better – creating long but easy-to-remember passwords is good practice. It is important, however, that the words contained in the password have nothing to do with each other, e.g., RaspberryCrimeMessiChocolate. Such a long password will be very difficult to crack, although it consists only of words. At the same time, it is easy to remember.

  • The use of numbers and special characters will certainly make it harder to guess the password.

  • Avoid using the names of loved ones or pets, birthdays or name days in your password. Entries such as 123456 or qwerty are absolutely excluded.
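The rules above, together with the 3-month reuse window and the lockout after repeated wrong passwords described earlier, can be enforced by a small policy check at password-change time. The following Python is an added example and not code from the original article; the minimum length of 14, the 5-attempt lockout threshold and the short denylist are constructed values for the demonstration, and the stem comparison (trailing digits stripped) is one simple way to catch "same word, different number at the end".

```python
import hashlib
import os
import re
from datetime import datetime, timedelta

# Constructed policy values for this example; a real policy sets its own.
MIN_LENGTH = 14
REUSE_WINDOW = timedelta(days=90)       # no reuse within "at least 3 months"
MAX_FAILED_ATTEMPTS = 5                 # lock after repeated wrong passwords
DENYLIST = {"123456", "qwerty", "password"}

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: the history never stores the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def stem(password: str) -> str:
    """Password with trailing digits removed, to catch 'Secret1' -> 'Secret2'."""
    return re.sub(r"\d+$", "", password)

def remember(password: str, set_at: datetime) -> dict:
    """History entry: when it was set plus hashes of the password and its stem."""
    salt = os.urandom(16)
    return {"set_at": set_at, "salt": salt,
            "hash": hash_password(password, salt),
            "stem_hash": hash_password(stem(password), salt)}

def check_new_password(candidate: str, history: list, now: datetime) -> list:
    """Return the policy rules the candidate violates (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in DENYLIST:
        problems.append("common password")
    for old in history:
        if now - old["set_at"] > REUSE_WINDOW:
            continue                    # older than the reuse window: allowed
        if hash_password(candidate, old["salt"]) == old["hash"]:
            problems.append("reused within window")
        elif hash_password(stem(candidate), old["salt"]) == old["stem_hash"]:
            problems.append("previous password with changed digits")
    return problems

def record_failed_login(account: dict) -> bool:
    """Count a wrong password; True means the account must now be locked."""
    account["failures"] = account.get("failures", 0) + 1
    return account["failures"] >= MAX_FAILED_ATTEMPTS
```

For instance, with `RaspberryCrimeMessi7` set on day 0, the candidate `RaspberryCrimeMessi8` on day 30 is rejected as a digit-only change, while the same candidate on day 120 is accepted.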

Remembering difficult passwords, or a large number of them, is not a big problem. However, remember not to write them on sticky notes placed in a visible place or on a year-round calendar. This does not mean that all created passwords should be engraved in memory. In this case, it is good practice to use “keychain” programs. They help “remember” each password and, in addition, hide them from the curious eyes of unauthorized persons.