Best practices for strong passwords (more security authentication levels) Policies

Source: Internet
Author: User
Tags: account security, strong password


One-time passwords, client certificates, smart cards, biometrics and other technologies add a new level of account security. Two-factor authentication further enhances the security of the system. The more critical the system is, the more authentication layers it should have.

However, the traditional password is still the main method of user authentication. Even systems with multi-level authentication still rely on the combination of user name and password. When establishing a password policy, enterprises should emphasize the following three key elements:

1) Understand what a password policy is

Password policies are a set of security rules that improve computer security by encouraging users to set reliable, secure passwords and to store and use them correctly. Generally, the password policy should be part of the enterprise's formal regulations and of its security awareness training.

Although most users understand the security risks of simple passwords, they are often very resistant when they have to spend time creating a password that meets a series of criteria, or have to remember a very complex one. Enterprises therefore need to formulate reasonable security regulations and provide training that helps users understand why a strong password policy is necessary.

2) Formulate a strong password policy

Define the "Password History" policy: the system remembers several passwords that the user has used before. With this policy set, users cannot reuse the same password when the current password expires.

Define the "Maximum password age" policy: the password expires after a limited period of time, usually set to 30 to 90 days. With this policy set, an attacker who cracks a password can access the account only until the password expires, which limits the losses.

Define the "Minimum password age" policy: once set, a password cannot be changed until it has been in use for more than a certain number of days. This policy should be used together with the "Password History" policy. Without a minimum password age, users could change their passwords repeatedly in a short period to bypass the "Password History" policy and then reuse their original password. With it, users must wait for a specified period, generally several days, before they are allowed to change their password again.

Define the "Minimum password length" policy: the password must contain at least a specified number of characters. Long passwords (seven or more characters) are generally more complex than short ones. With this policy set, users must create passwords of at least a certain length, which reduces the chance of their being cracked.

Define the "Password complexity" policy: this policy checks all new passwords to ensure they meet the basic strong password requirements. Generally, a strong password must contain uppercase letters, lowercase letters, special characters, and numbers, and should not contain usernames or common words.
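The interaction between the "Password History" and "Minimum password age" policies described above, as an added Python example that is not part of the original article. The history size of 5, the 2-day minimum age, the account name and the sample passwords are assumptions constructed for illustration, and the common-word check is left out.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

HISTORY_SIZE = 5              # assumed value; the article gives no number
MIN_AGE = timedelta(days=2)   # assumed; the article says "generally several days"
MIN_LENGTH = 7                # the article's "seven or more characters"

def _digest(password, salt):
    # Salted, slow hash so the stored history never holds old passwords in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_ok(password, username):
    # Length, all four character classes, and no username inside the password.
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return (len(password) >= MIN_LENGTH
            and all(any(f(c) for c in password) for f in classes)
            and username.lower() not in password.lower())

class Account:
    def __init__(self, username, password, now):
        self.username, self.history = username, []   # (salt, digest), newest last
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(password, salt))])[-HISTORY_SIZE:]
        self.last_change = now

    def change_password(self, new, now, min_age=MIN_AGE):
        """Apply minimum age, complexity and history checks; return (accepted, reason)."""
        if now - self.last_change < min_age:
            return False, "minimum password age not reached"
        if not complexity_ok(new, self.username):
            return False, "fails length/complexity rules"
        if any(hmac.compare_digest(d, _digest(new, s)) for s, d in self.history):
            return False, "password is in history"
        self._store(new, now)
        return True, "changed"

def cycle_back(min_age, start=datetime(2024, 1, 1)):
    """Constructed scenario: a user makes rapid changes to flush the history, then reverts."""
    acct = Account("alice", "Orig-Passw0rd!", start)
    now = start + timedelta(days=3)
    for i in range(HISTORY_SIZE):
        acct.change_password(f"Filler-{i}-Pw!", now, min_age)
    return acct.change_password("Orig-Passw0rd!", now, min_age)
```

With a minimum age of zero, `cycle_back(timedelta(0))` ends with the original password accepted again; with the 2-day minimum age, the same sequence is rejected after the first change.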

3) Define a reasonable account lockout policy

An account lockout policy should not be applied casually. It improves the chance of stopping unauthorized access attempts, but it can also lock out legitimate, authorized users. Once legitimate users are locked out often enough, the enterprise suffers unnecessary losses as well.

If you decide to use an account lockout policy, set the "Account lockout threshold" policy to a number large enough that authorized users are not locked out because of mistyped passwords.
