Password Policies: 5 Ways To Up Security

By Greg Keller Posted January 20, 2016

password policies

Complex passwords can save users from being hacked, any IT admin will tell you that. Plus, countless studies and articles on password security have been published about why password policies are vital to to online security. increasing the length of passwords, adding complexity to them, and never reusing passwords more than once — these are three examples of smart password policies every person and company should use. After all, stronger passwords contribute to users being safer online. And if users are safer online, then your organization is safer, too. However, your organization’s password policies must be adhered to and enforced, in order for them to protect you from security breaches and hacks.

Password Policies to Enforce for Greater Online Security

Password policy enforcement generally refers to a number of different items, including the following five best practices:

  • Length of Password – Perhaps the strongest correlation with password strength is the length of the password. As computers have become more advanced, the time it takes to hack a password has gotten significantly smaller. In fact, a password that worked a couple years ago is a weak password today. Increasing your password length will keep your user’s devices more secure. Many IT admins now advise that passwords be a minimum of 12 characters, but we suggest increasing that to an 18 character minimum.
  • Alphanumeric Characters – Requiring upper and lowercase characters and numbers greatly increases the complexity of the password. Alphanumeric characters also increases the potential combinations of passwords,  making it even harder for a password, and thus a device or account, to be hacked.
  • Special Characters – To increase the level of password complexity, require special characters in all passwords. This password policy alone adds another 32 characters that can be utilized to strengthen passwords. In combination with alphanumeric characters, each character in a password could have 94 different choices. Better yet, have that password be an 18-character password, and you have 1.78e119 number of combinations. Word to the wise: It’s more secure to have long passwords with many different character choices, rather than just long passwords that contain only letters.
  • Password Aging – If your organization is required to age passwords after, say, 90 days, then you’ll want to leverage this enforcement capability and have all users update their passwords every three months. There is some debate in the security community if password aging does, in fact, increase security, but we’ll leave that debate for a different blog post. As a general rule of thumb: Updating passwords to at least the same length and complexity after a set timeframe can only help to increase online security.
  • Password Lockout – Another security mechanism that we advise adopting is the password lockout. That is, to lock a user out of his or her account after too many incorrect attempts to log in. The password lockout helps prevent hackers from brute forcing their way into  users’ accounts.

Even in today’s cloud-operating and multi-device world, many IT organizations only leverage password policies if they are under compliance requirements to do so. But enforcing complex passwords by using the best practices listed above is the only way to guarantee your organization is safe from security breaches.

Of course, you must decide where to enforce the above password policies that require everyone within your organization to use complex passwords. Ideally, there is an automated central system that enforces passwords across your entire infrastructure, including your endpoint devices, servers, applications, and networks. A system like this, a directory system, would take the manual work out of enforcing password policies. Modern Directory-as-a-Service platforms offer the ability to enforce password policies across all devices, applications, and your company’s network infrastructure.

To learn how Identity-as-a-Service systems, like Directory-as-a-Service, are stepping up IT’s security game, drop us a note. We’d be happy to discuss how DaaS can make password management easy and more secure.. Or check out JumpCloud’s password complexity builder to see for yourself.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.

Recent Posts