Password Policy Guidelines

What do you need to consider when putting together your company's password policy?

The first thing is that your policy needs to be sensible. You need to consider the size and nature of your company and the likely risks to your network, and formulate your policy accordingly.

What Not To Do

Don't make your policy too rigid and strict, as it's likely to backfire. For instance, you compel users to choose long, complicated passwords that they have to change frequently. Then you lock them out when they mistype a few times and don't allow them back in until they've tracked down IT.

The result: frustrated users who start writing down their passwords. Just what your policy was designed to stop!

What To Include

While every policy will be unique, the following are suggestions for what to include:

An outline of a user's responsibilities and the consequences of breaching the policy.

Details of how to protect passwords - for instance, that they are not to be written down, printed, emailed, stored on mobile devices or shared.

The criteria for selecting passwords - for example a minimum password length, the types of characters a password should contain, and that it must not contain a dictionary word or the user's account name. These criteria can then be enforced by Windows security.

It's a good idea to include guidelines for selecting strong passwords and outline what makes a weak password.

How often passwords should be changed, and an explanation of how to change a password. If new passwords must not reuse or resemble old passwords, this would also be included.

An account lockout policy. This is not always a good idea, but it would state that a user will be locked out of the network for a certain length of time after a set number of failed attempts to gain access.
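As an added example (not code from the original article), here are the selection criteria above expressed as a checker that a provisioning script could run before accepting a new password. The word list, the username "jsmith" and the previous passwords are constructed sample values, and the 12-character minimum, three required character classes and 0.7 similarity threshold are illustrative settings, not figures from the policy.

```python
import difflib
import re

# Constructed sample values for the demo: a tiny stand-in for a real word list
# and plaintext previous passwords (assumption for illustration only; a real
# system would not keep old passwords in clear text).
DICTIONARY = {"password", "welcome", "summer", "company", "letmein"}
MIN_LENGTH = 12
REQUIRED_CLASSES = 3            # out of: lower, upper, digit, symbol
SIMILARITY_LIMIT = 0.7          # difflib ratio at or above which a password is "similar"
LEET = str.maketrans("@0135$", "aoless")   # undo common substitutions before the word check


def check_password(candidate, username, old_passwords=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses only {classes} of the {REQUIRED_CLASSES} required character classes")

    lowered = candidate.lower()
    if username and username.lower() in lowered:
        problems.append("contains the account name")

    # Dictionary check on both the raw and the de-substituted form,
    # so "P@ssw0rd" is still caught as "password".
    normalised = lowered.translate(LEET)
    for word in sorted(DICTIONARY):
        if word in lowered or word in normalised:
            problems.append(f"contains the dictionary word '{word}'")

    # Reuse / similarity check against previous passwords.
    for old in old_passwords:
        ratio = difflib.SequenceMatcher(None, lowered, old.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("reuses or closely resembles a previous password")
            break
    return problems


if __name__ == "__main__":
    for pw in ("Summer2024!", "P@ssw0rd-Company1", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw, "jsmith") or "OK")
```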

Other Do's and Don'ts

Make sure users lock or log off from computers when away from their desks

Staff shouldn't use the same password for personal IT systems as they use at work

Highlight that staff shouldn't tick the 'remember my password' box

Users should have a different password for external and internal access

Staff shouldn't access the network with another user's password

And Finally...

Make sure that you clearly communicate the policy to staff and, where necessary, train and educate them on the detail.