A password policy is an internal company policy, a set of rules that defines how people in the company should work with passwords. It is a document containing the principles and rules for working with passwords. It helps to increase the security of the company's computers, systems, applications and networks, and it helps employees follow security best practices.
- It defines the processes, behaviors and mechanisms needed to use passwords at the required level
- It encourages users to use strong passwords and use them correctly
Individual applications also have their own password policy. This means that the application enforces minimum requirements on its users for the password itself, how often it must be changed, and the like. For example, in Aptien, the password policy can be set like this.
Importance and scope of password policy
A password policy is one of the key documents of information and cyber security. It creates the conditions for keeping the handling of passwords in the organization at the necessary level of security, which reduces the likelihood of an incident caused by a password leak. All employees and other workers (for example, suppliers) are bound by the policy. A password policy typically covers many areas where passwords are used.
- Wifi network passwords
- Passwords to unlock computers, mobile phones and other devices
- Passwords for accessing corporate applications
- Passwords to access cloud services
- and more
What should a password policy contain?
- Purpose, scope and objectives of password policy
- Password construction guidelines, requirements and recommendations
- Minimum password length and characters that can be used
- Minimum password strength requirements
- Expiration of passwords
- Deleting passwords
- Changing passwords
- Incident reporting when a password is lost or exposed
- Responsibilities, roles and types of users (employees, externals, administrators)
- Remote access users
- Penalties for non-compliance with the password policy
How to keep and maintain a password policy
- You add the password policy to the Policy organizer
- Employees can see the password policy in the Policy portal
- They can familiarize themselves with the password policy digitally
- A policy manager or security manager has the policy management tools available
Educate your people on how to work with passwords
Having a password policy is one thing; whether employees respect and follow it is another. Some employee behavior can be enforced technically in your applications, but some cannot, for example preventing employees from sending a password by e-mail. Such basic habits can only be improved through regular education, awareness and improved information literacy.