A series on password policies

Many people consider it a harmless rite of passage to lie about their age. In fact, in a study of 1,000 college students, nearly two-thirds admitted to using fake IDs to get around the legal drinking age.[1]

Unfortunately, this kind of get-around isn’t relegated to our youth. When it comes to password policies in the workplace, some of us are tempted to lie about age again.

Consider a policy like password history. We talked about the importance of it in our previous post, “When Familiarity Breeds Contempt from Your Cyber Enemies.” A password history policy forces your people to change their passwords a certain number of times before they can use an old favorite. It prevents people from becoming too predictable to cyber enemies.

The problem is that many people just see this policy as a nuisance. With everything we need to get done in a week, it’s easy to forget that policies are here to protect us.

We don’t want to remember a new password. We want our old, familiar password back. So we become adept at getting around the policy.

Here’s the get-around: Some of us have figured out that we can quickly cycle through a series of passwords – password1, password2, password3, etc. – until we’ve satisfied the requirements for the password history policy. Within minutes, we’re allowed to reunite with our old favorite. Sounds harmless, right?

Actually, the consequences could be devastating to your company. Getting around your password policy allows your people to remain complacent and predictable – which can expose your organization to cyber criminals.

So what’s the solution?

The answer is to implement a minimum age. Yes, you heard right. Much like the policy on minimum drinking age, your organization needs a policy on minimum password age. (We hear the inner teen in you groaning.)

A minimum password age forces a user to wait a certain number of days before a password can be changed. It helps to enforce the password history policy. Together, these policies prevent your people from cycling quickly through a series of passwords.
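To make the interaction concrete, here is an added simulation (example code written for this page, not Blue Lance's software or any vendor's implementation) of the two policies as a simple model: a change request is refused if the current password is younger than the minimum age, then refused if the new password is still remembered by the history. The policy values, dates, the favorite password and the filler names are constructed for the example. It shows both the get-around from the post (with a minimum age of 0 the favorite is back after exactly as many filler changes as the history length) and what the minimum age actually buys: it does not make the trick impossible, it stretches it out to history length times minimum age days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    history_length: int   # how many previous passwords are remembered (current one included)
    min_age_days: int     # days a password must be kept before it may be changed again


@dataclass
class Account:
    current: str
    last_changed: datetime
    remembered: list      # the last `history_length` passwords, oldest first, current last


def try_change(account, policy, new_password, now):
    """Apply one change request and return (accepted, reason).
    Minimum age is checked first, then the history, mirroring the two policies."""
    if now - account.last_changed < timedelta(days=policy.min_age_days):
        return False, "minimum age not reached"
    if new_password in account.remembered:
        return False, "password found in history"
    account.remembered.append(new_password)
    del account.remembered[:-policy.history_length]   # forget the oldest entries
    account.current = new_password
    account.last_changed = now
    return True, "changed"


def _fresh_account(favorite, t0):
    # Constructed starting point: the last change was long ago, so the first
    # (forced) rotation is always allowed regardless of the minimum age.
    return Account(current=favorite, last_changed=t0 - timedelta(days=90), remembered=[favorite])


def simulate_cycling(policy, favorite="Summer2019!", max_attempts=50):
    """The get-around from the post: right after a forced rotation the user burns
    through password1, password2, ... at the same instant, retrying the favorite
    after each one. Returns (reunited, filler_changes_made, last_reason)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = _fresh_account(favorite, t0)
    fillers = 0
    for i in range(1, max_attempts + 1):
        ok, reason = try_change(acct, policy, f"password{i}", t0)
        if not ok:
            return False, fillers, reason
        fillers += 1
        ok, reason = try_change(acct, policy, favorite, t0)
        if ok:
            return True, fillers, reason
    return False, fillers, "gave up"


def days_to_reunite(policy, favorite="Summer2019!"):
    """A patient user who waits exactly the minimum age between changes:
    how many days pass before the favorite is accepted again?"""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = _fresh_account(favorite, t0)
    now, i = t0, 0
    while True:
        i += 1
        ok, _ = try_change(acct, policy, f"password{i}", now)
        if not ok:
            raise RuntimeError("filler change unexpectedly refused")
        now += timedelta(days=policy.min_age_days)
        ok, _ = try_change(acct, policy, favorite, now)
        if ok:
            return (now - t0).days


if __name__ == "__main__":
    for hist, age in [(3, 0), (3, 1), (24, 0), (24, 1)]:
        pol = PasswordPolicy(history_length=hist, min_age_days=age)
        print(f"history={hist:2d} min_age={age}: instant cycling -> {simulate_cycling(pol)}, "
              f"patient user needs {days_to_reunite(pol)} day(s)")
```

Running it shows that with a history of 24 and a minimum age of 0 the favorite is back after 24 changes made in one sitting, while a minimum age of a single day turns the same history into a 24-day wait, which is why the post treats the two settings as a pair rather than as alternatives.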

Here’s how to implement an effective minimum password age policy.

Assess your minimum password age policy.

A credible cyber security company can check your configurations with a free access rights assessment. They’ll check out your policies on minimum password age and password history. Then they’ll assess everything else that impacts the security of your organization.

Remediate your minimum password age.

Implement a cyber security plan that protects your data, including enforcing an effective minimum password age. A minimum password age of 0 is too low: it lets your users change their passwords immediately, so the password history can be cycled through in minutes. But a minimum age that is too high may lead to users frequently forgetting or losing passwords. A cyber security company will help you set your policy at an age that is reasonable for your environment.

Monitor your minimum password age policy.

You must remain alert because the cyber environment is always changing. Keep an eye on your minimum password age and history configurations to make sure your policies remain effective. Then continually educate your people on the importance of your policies. Most importantly, make sure they aren’t forming new get-arounds!
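The remediation and monitoring steps above both come down to reading the configured values and comparing them against what you decided is acceptable. The following added example (written for this page, not Blue Lance's assessment tooling) parses a constructed text sample laid out like the output of the Windows `net accounts` command and flags the weak combinations the post warns about: a minimum age of 0, a short or absent history, and a minimum age that is not below the maximum age (Windows requires the minimum to be less than the maximum unless the maximum is unlimited). The thresholds `min_age_floor` and `history_floor` are assumptions for the example; set them to whatever is reasonable for your environment, and feed the function the live command output rather than the sample when you run it for real.

```python
# Constructed sample in the layout of Windows `net accounts` output. Assumption:
# a real audit captures the live output, which may differ slightly in spacing.
WEAK_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

# The same sample after remediation: minimum age 1 day, history of 24 passwords.
FIXED_SAMPLE = WEAK_SAMPLE.replace(
    "Minimum password age (days):                          0",
    "Minimum password age (days):                          1",
).replace(
    "Length of password history maintained:                None",
    "Length of password history maintained:                24",
)


def parse_net_accounts(text):
    """Map each 'Setting name:   value' line to {name: value}; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def _as_int(value):
    # `net accounts` prints None / Never / Unlimited where a numeric setting is switched off.
    return 0 if value in ("None", "Never", "Unlimited") else int(value)


def audit_password_aging(settings, min_age_floor=1, history_floor=24):
    """Return a list of human-readable findings about the age/history pair.
    Thresholds are example assumptions, not a vendor recommendation."""
    findings = []
    min_age = _as_int(settings.get("Minimum password age (days)", "0"))
    max_age = _as_int(settings.get("Maximum password age (days)", "Unlimited"))
    history = _as_int(settings.get("Length of password history maintained", "None"))

    if min_age < min_age_floor:
        findings.append(
            f"minimum password age is {min_age} day(s): users can change passwords "
            f"immediately and cycle through the history in minutes")
    if history < history_floor:
        findings.append(
            f"password history remembers {history} password(s), below the floor of "
            f"{history_floor}: old favorites come back quickly")
    if max_age and min_age >= max_age:
        findings.append(
            f"minimum age {min_age} is not below maximum age {max_age}: Windows "
            f"requires the minimum to be less than the maximum")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(f"--- {label} configuration ---")
        for finding in audit_password_aging(parse_net_accounts(sample)) or ["no findings"]:
            print(" *", finding)
```

Run on a schedule, a check like this is the "keep an eye on your configurations" step in practice: any drift back to a minimum age of 0 or a shortened history shows up as a finding before your users rediscover the get-around.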

Umesh Verma, CEO, Blue Lance

Umesh Verma is the award-winning CEO and driving force behind Blue Lance, the global provider of cybersecurity governance solutions. For more than 25 years, Blue Lance’s automated software solutions have been protecting digitally managed corporate assets by assessing, remediating, and monitoring security of information systems. Call Blue Lance at 1-800-856-2586 for your 25-point Access Rights Assessment, or get social with us on LinkedIn, Facebook, or Twitter.

[1] As published in “Alcoholism: Clinical & Experimental Research,” 2013.