What elements are crucial to include in a password policy? I'm putting one together and thought I would tap into the collective power of this group to see if someone out there has a good one they'd like to share.

Senior Information Security Manager in Software, 3 years ago

I'll let Bruce Schneier do the talking here.  See https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Deputy CISO, 3 years ago

While designing this policy, consider the following aspects (I may be stating the obvious here):
> Your regulators and customers like to "see some things" covered in a password policy (or a passphrase policy). Please factor those in.
> What is your management's direction on passwords vs. passwordless (like Windows Hello)? Factor that in. The password/passphrase policy must tie into your org's overall identity management direction or approaches to Zero Trust-type approaches.

> Who is it for?
- standard user (who may have a more relaxed regime)
- privileged user (more stringent or complex + MFA)
- service accounts
- shared accounts (like a team mailbox)
- non-human IoT or break-glass accounts

The regular elements to include:
- length (8/10 for standard, 12/15 for privileged & service, 4/6 PINs for IoT?)
- is a PIN/passphrase an option you want?
- complexity (uppercase, lowercase, special characters)
- controls against use of common dictionary words and running numbers (like 123)

Director in Manufacturing, 3 years ago

In addition to the rules mentioned:

- No reuse of passwords
- Duration of 60 days
- No repeating characters
- At least one capital, one lowercase, one number, one special character

Chief Information Security Officer in Healthcare and Biotech, 3 years ago

1. Alphanumeric
2. More than 10 characters
3. Age should not be more than 30 days.
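
The rules scattered across the three replies above (account tiers, minimum length, character classes, banned dictionary words and running numbers, repeated characters, no reuse) are the kind of thing a policy is only as good as its enforcement of. The validator below is an added example written for this edit; it is not code from any of the commenters or from the thread. The tier thresholds, the banned-word list and the PBKDF2 history storage are assumptions chosen to mirror the numbers suggested in the replies; a real deployment would load a breached-password list and keep the history in the identity store.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class PolicyTier:
    name: str
    min_length: int       # minimum number of characters
    min_classes: int      # how many of upper / lower / digit / special must appear
    max_age_days: int     # rotation interval
    history_depth: int    # previous password hashes retained for the reuse check

# Assumed tier values in the spirit of the thread (10 for standard, 15 for privileged/service).
TIERS = {
    "standard":   PolicyTier("standard",   min_length=10, min_classes=3, max_age_days=60,  history_depth=10),
    "privileged": PolicyTier("privileged", min_length=15, min_classes=4, max_age_days=30,  history_depth=24),
    "service":    PolicyTier("service",    min_length=15, min_classes=4, max_age_days=365, history_depth=24),
}

# Constructed stand-in for a real banned-word / breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "company", "admin", "letmein", "qwerty"}

# Common "leet" substitutions undone before the dictionary check, so P@ssw0rd still matches "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")
PBKDF2_ROUNDS = 200_000

def char_classes(pw: str) -> int:
    """Count how many of the four character classes (upper, lower, digit, special) the password uses."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ])

def has_repeat_run(pw: str, n: int = 3) -> bool:
    """True if any character appears n or more times in a row (aaa, 111)."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False

def has_sequence_run(pw: str, n: int = 3) -> bool:
    """True if n consecutive characters step by +1 or -1 in code point (123, abc, cba)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def contains_common_word(pw: str) -> Optional[str]:
    """Return the banned word found as a substring after undoing leet substitutions, else None."""
    norm = pw.lower().translate(_LEET)
    for word in COMMON_WORDS:
        if word in norm:
            return word
    return None

def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the history stores (salt, digest), never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def reused(pw: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Constant-time comparison of the candidate against each retained (salt, digest) pair."""
    return any(
        hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS), digest)
        for salt, digest in history
    )

def check_password(pw: str, tier: PolicyTier, history=()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable for this tier."""
    problems = []
    if len(pw) < tier.min_length:
        problems.append(f"shorter than {tier.min_length} characters")
    if char_classes(pw) < tier.min_classes:
        problems.append(f"uses fewer than {tier.min_classes} character classes")
    word = contains_common_word(pw)
    if word:
        problems.append(f"contains common word '{word}'")
    if has_repeat_run(pw):
        problems.append("contains a run of 3+ identical characters")
    if has_sequence_run(pw):
        problems.append("contains a sequential run such as 123 or abc")
    if reused(pw, list(history)[-tier.history_depth:]):
        problems.append(f"matches one of the last {tier.history_depth} passwords")
    return problems

if __name__ == "__main__":
    # Constructed candidates: two textbook-bad choices and one that passes the standard tier only.
    for candidate in ("Password123!", "P@ssw0rd", "Tr0ub4dor&3"):
        for tier in TIERS.values():
            print(f"{candidate!r:16} {tier.name:11} {check_password(candidate, tier) or 'OK'}")
```

Note that the "no repeating characters" rule is implemented as "no run of three or more identical characters", since a literal ban on any repeated character would rule out most long passphrases; tighten or loosen that threshold to match whatever the policy actually says. The reuse check only works if the previous hashes are salted and slow to compute, otherwise the history itself becomes a cracking target.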
