What is a Password Policy?

One of the simplest ways for an enterprise to reduce its exposure to account takeover is to ensure that users choose passwords an attacker cannot easily guess. The best way to do this is to make sure passwords are drawn from a large enough space of possible passwords; in other words, to guarantee that they have enough entropy. That guarantee only holds for passwords chosen at random from the space: a user who picks a memorable phrase that happens to satisfy every rule gets far fewer effective bits than the policy's nominal search space suggests, which is why the rules below aim at steering choices as much as at counting characters.

Some simple ways to encourage this are:

  • Require longer passwords. Minimum lengths of 14 characters or more are not uncommon.
  • Encourage users to select characters from the full set of possible keystrokes, including digits and special characters.
  • Force users to choose new passwords periodically, perhaps as often as each month or quarter. Note that current guidance (NIST SP 800-63B) recommends against scheduled rotation and in favour of forcing a change only when there is evidence of compromise, because frequent forced changes push users toward predictable increments of the old password.
  • Prevent users from reusing old passwords by storing a list of the hashed versions of old passwords (salted, using the same slow hash as the current password) and comparing each candidate against that list.
  • Ensure that users don’t write down passwords in obvious or easily accessible places.
  • Reject passwords that contain common dictionary words or that appear in lists of previously breached passwords, rather than merely asking users to avoid them.

Not all businesses need all of these rules. It is more important that users can actually remember their passwords than that every rule is applied: rules that make passwords unmemorable push users toward writing them down or choosing predictable patterns. Some organisations, for example, are questioning the need for special characters or digits, because people often just append a gratuitous number where it is easy to guess. A sufficiently long password of lowercase letters can have more entropy than a shorter password drawn from the full character set: 16 random lowercase letters give 16 × log2(26) ≈ 75 bits, while 8 random characters from the 95 printable ASCII characters give 8 × log2(95) ≈ 53 bits. The comparison cuts the other way at 10 lowercase letters (≈ 47 bits), so the length minimum has to be set with the alphabet size in mind.
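The following is an added example, not code from the original page, showing how the rules above translate into a checker: a minimum-length check, a common-word check, a check for the "word followed by digits" pattern, a reuse check against salted PBKDF2 hashes of previous passwords, and the keyspace arithmetic behind the entropy comparison. The common-word list, the iteration count and the regular expression are assumptions made for illustration; a real deployment would load a large breached-password corpus and tune the hash cost.

```python
import hashlib
import hmac
import math
import os
import re
import string

# Constructed stand-in for a real dictionary or breached-password list
# (assumption: production would load a large corpus instead of this set).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "company"}

# Hypothetical tuning value; production deployments should use a higher cost.
PBKDF2_ITERATIONS = 100_000


def keyspace_bits(length, alphabet_size):
    """Bits of entropy of a password drawn uniformly at random from
    alphabet_size ** length candidates. This measures the policy's search
    space, not the entropy of a password a human actually chose."""
    return length * math.log2(alphabet_size)


def charset_size(password):
    """Size of the union of character classes the password draws from."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable symbols
    )
    return sum(n for chars, n in classes if any(c in chars for c in password))


def hash_for_history(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest to keep in the reuse-prevention list.
    Only the (salt, digest) pair is stored, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password, history):
    """True if the candidate matches any (salt, digest) pair in history."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


# Letters, then a short run of digits, optionally one trailing symbol:
# the "gratuitous number at the end" pattern the text warns about (assumed regex).
TRAILING_DIGITS = re.compile(r"[A-Za-z]+\d{1,6}[^A-Za-z0-9]?")


def check_policy(password, history=(), min_length=14):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    if TRAILING_DIGITS.fullmatch(password):
        problems.append("word followed by digits is a predictable pattern")
    if was_used_before(password, history):
        problems.append("matches a previous password")
    return problems


if __name__ == "__main__":
    # The entropy comparison from the text: long lowercase vs short full-charset.
    print(f"16 lowercase letters:   {keyspace_bits(16, 26):.1f} bits")
    print(f"8 full-charset chars:   {keyspace_bits(8, 95):.1f} bits")
    print(f"10 lowercase letters:   {keyspace_bits(10, 26):.1f} bits")
    # Constructed history of one previous password, stored only as (salt, digest).
    old = [hash_for_history("OldPassword12345")]
    for pw in ("correcthorsebatterystaple", "Welcome2024!", "OldPassword12345"):
        print(pw, "->", check_policy(pw, history=old) or "accepted")
```

The reuse check deliberately rehashes the candidate with each stored salt rather than comparing plaintexts, so the history list is no more sensitive than the live credential store; the cost of that loop grows with history depth, which is one reason to cap how many old passwords are retained.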