Answer yes if your organisation has a documented Password Policy which is enforced technically throughout the IT estate. Please provide the Password Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes. Please also include information about any controls you have to prevent brute-force attacks on passwords, such as account lockout thresholds or time-delays between password attempts.
What is it?
Passwords remain the foremost method of authentication, which is to say it’s a password that confirms to a system that the user is who they claim to be. A poorly chosen password may therefore result in a compromise of IT systems and data.
The purpose of a password policy is to establish standards to ensure passwords are relatively strong. This typically includes factors such as length, complexity requirements, as well as change intervals. It may also include controls to prevent brute-force attacks, which is where attackers try out thousands of different passwords until they find the right one.
It is particularly important that technical controls be applied to ensure that these criteria are adhered to as passwords are by definition private and hidden, usually stored in encrypted format, and it’s therefore unlikely to be possible to validate that rules are being followed.
Why should I have it?
Having a password policy informs your IT function what minimum requirements should be in place on existing systems, on any development efforts, or when selecting 3rd party platforms to ensure the passwords used across your business are robust.
As a supplier, having such a policy provides your clients with assurance that systems and data will be significantly less likely to be subject to unauthorised access due to weak passwords being guessed.
Password policies are one of the simplest policies to implement. It is, however, noteworthy that best practices are passwords are evolving and consensus on what works best has shifted in recent years. So, while relatively simple to write, it’s important to be up to speed on the latest guidance and how they fit your business.
Password standards can and should vary depending on the types of accounts (regular users, versus administrative users, versus service accounts, for example). It’s also important that your Password Policy be universally communicated to the relevant groups so that your standards are incorporated into solutions design and selection and enforced.
The NCSC have written a useful guide on things to consider when designing a password policy. We recommend you read this as a place to start.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements. Please get in touch if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.