What elements are crucial to include in a password policy? I'm putting one together and thought I would tap into the collective power of this group to see if someone out there has a good one they'd like to share.


Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
1. Alphanumeric
2. More than 10 characters
3. Age should not be more than 30 days.
Director in Manufacturing, 1,001 - 5,000 employees
In addition to the rules mentioned:

No reuse of passwords
60 days of duration
No repeating characters
At least one capital, one lowercase, one number, one special character
VP Information Security Assurance, 10,001+ employees
While designing this policy, consider the following aspects (I may be stating the obvious here):
> your regulators and customers like to "see some things" covered in a password policy (or a passphrase policy). Please factor those in.
> what is your management's direction on password / password-less (like Windows Hello)? Factor that in. The password/passphrase must tie into your org's overall identity management direction or approaches to Zero Trust type approaches.

> who is it for 
- standard user (who may have more relaxed regime)
- privileged  user (more stringent or complex + MFA)
- service accounts 
- shared accounts (like a team mailbox)
- non-human IOT or break glass accounts

The regular elements to include
- length (8/10 for standard, 12/15 for privileged & service, 4/6 PINs for IoTs?)
- is a PIN/passphrase an option you want?
- complexity (uppercase, lowercase, special characters)
- controls against use of common dictionary words and running numbers (like 123)
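The rules listed across the three comments above (minimum length per account class, character classes, no repeated characters, no running digits, no dictionary words) pulled together into one checker. This is an added example, not code from any commenter; the word list and the exact per-class length thresholds are assumptions.

```python
import re

# Constructed stand-in for a common-word / breached-password list (assumption:
# a real policy would load a full dictionary or a breach corpus instead).
COMMON_WORDS = {"password", "welcome", "summer", "admin", "letmein"}

# Minimum length per account class, following the 8/10 and 12/15 figures
# in the thread; the specific values picked here are an assumption.
MIN_LENGTH = {"standard": 10, "privileged": 15, "service": 15}


def has_running_digits(s: str, run: int = 3) -> bool:
    """True if s contains `run` consecutive ascending or descending digits (e.g. 123, 321)."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if chunk.isdigit():
            diffs = {int(chunk[j + 1]) - int(chunk[j]) for j in range(run - 1)}
            if diffs == {1} or diffs == {-1}:
                return True
    return False


def password_policy_violations(password: str, account_class: str = "standard") -> list[str]:
    """Return the policy rules the password violates; an empty list means compliant."""
    violations = []
    min_len = MIN_LENGTH.get(account_class, MIN_LENGTH["standard"])
    if len(password) < min_len:
        violations.append(f"length < {min_len}")
    # Complexity: one of each character class, as the second comment requires.
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    # "No repeating characters", read here as the same character twice in a row ("mm").
    if re.search(r"(.)\1", password):
        violations.append("repeated character")
    if has_running_digits(password):
        violations.append("running digit sequence")
    # Dictionary-word control: substring match against the common-word list.
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        violations.append("contains common dictionary word")
    return violations
```

The checker reports every failing rule at once rather than stopping at the first, which is what a user-facing rejection message or an audit of an existing credential store needs.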
Senior Information Security Manager in Software, 501 - 1,000 employees
I'll let Bruce Schneier do the talking here.  See https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
