Password Policy
A password best practices policy instructs users on choosing and maintaining passwords.
- A credential management policy should instruct users on how to keep their authentication method secure.
- It needs to alert users to the diverse types of social engineering attacks.
- Users need to be able to spot phishing and pharming attempts.
- System-enforced account policies can help to enforce credential management principles by stipulating requirements for user-selected passwords:
  - password length
  - password complexity
  - password age
  - password reuse and history
Info
Password aging and expiration can mean the same thing.
- However, some systems distinguish between them. If this is the case:
  - Aging means that the user can still log on with the old password after the defined period, but they must then immediately choose a new password.
  - Expiration means that the user can no longer sign in with the outdated password and the account is effectively disabled.
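The following is an added example (not part of the original notes) that turns the system-enforced controls listed above into checkable logic: minimum length, reuse against a hashed password history, and the aging-versus-expiration distinction just described. The threshold values, the salt and the sample passwords are constructed for illustration; the complexity rule is deliberately left out, following the NIST guidance the notes cite.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Hypothetical policy values, constructed for this example (not from the notes).
MIN_LENGTH = 12
HISTORY_DEPTH = 5
MAX_AGE = timedelta(days=90)       # after this the password is "aging"
EXPIRY_GRACE = timedelta(days=14)  # after MAX_AGE + grace it is "expired"


def fingerprint(password: str, salt: bytes) -> bytes:
    """Derive a slow hash of the password so history entries are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_new_password(candidate: str, history: list, salt: bytes) -> list:
    """Return the policy violations for a proposed password (empty list = acceptable).

    Enforces length and reuse/history only; no composition (complexity) rules,
    as NIST SP 800-63B discourages them.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    fp = fingerprint(candidate, salt)
    # Compare against the most recent HISTORY_DEPTH hashes in constant time.
    if any(hmac.compare_digest(fp, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def account_state(last_changed_iso: str, today_iso: str) -> str:
    """Classify an account as 'ok', 'aging' or 'expired' from ISO dates.

    'aging': the old password still works once, then a new one must be chosen.
    'expired': the old password is rejected and the account is effectively disabled.
    """
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    if age > MAX_AGE + EXPIRY_GRACE:
        return "expired"
    if age > MAX_AGE:
        return "aging"
    return "ok"
```

When a change is accepted, append `fingerprint(new_password, salt)` to the stored history so the reuse check covers it next time.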
Info
The most recent guidance issued by NIST (nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf) deprecates some of the “traditional” elements of password best practices, such as complexity, aging, and the use of password hints.
Info
Password reuse can also mean using a work password elsewhere (on a retail website, for instance).
- This sort of behavior can only be policed by soft policies.