Where there is a device, there is a password policy. It is not exaggerated at all, mainly when you put it in workplaces. At a micro level, a 6-characters password required on the individual smartphone is a miniature password policy.
The role of passwords goes without saying in protecting corporate data. Bank of North Dakota (BND), a state-owned American financial institution, mentioned a stunning "81%", which referred to company data breaches caused by poor passwords.
Password security should be well-strategized as the first barrier to resisting rampant cyberattacks. The organization can do more with a corporate password policy far more than a 6-digit minimum passcode. And this article is here to help. Now, continue reading and exploring how to set up a good password policy for an organization. Requirements and valuable tools are put below.
- Part 1 : What is Corporate Password Policy
- Part 2 : Run-Up: What to Do Before Creating a Company Password Policy
- Part 3 : 7 Password Policy Best Practices to Improve Enterprise Security
- Part 4 : Why Organizations Need Corporate Password Policy
- Part 5 : How to Enforce Password Policy on Company-owned Devices With MDM
- Part 6 : Common Questions
1What is Corporate Password Policy
When a password policy comes to the company level, it's not just about how many bits a password should be set. Those activities and tools for password management should also take into account.
So, what is a corporate password policy? It's a password strategy brought by an organization and acted on by employees to standardize their use of passwords and further protect corporate assets. The policy should cover the following aspects:
- Password setting requirements
- Regulations for saving, protecting, and managing passwords on work devices
- Guidelines for password security management
- Others include employee education, corporate response if causing severe losses, etc.
A corporate password policy is not carved in stone. Enterprises should review and update their password policies regularly to keep rules effective. Strong company password policies can help handle external cyber threats, unauthorized access, and data breaches caused by human error. It is critical to ensure company data confidentiality, integrity and availability.
2Run-Up: What to Do Before Creating a Company Password Policy
Before making a password policy, organizations need to take some preliminary steps to ensure it will work. Here are the six steps to follow:
1. Know what items the organization needs to set passwords on.
The company should collect corporate assets and identify what requires password protection, such as OA (office automation) systems, computers, laptops, smartphones, work applications, etc.
Notably, it is essential to prioritize these items based on their level of sensitivity and potential impact if compromised. In this way, the IT team can purposefully use password rules with different strengths.
2. Check out high-security authentication methods or technologies.
Single sign-on (SSO), one-time passwords (OTP), two-factor authentication (2FA), and multi-factor authentication (MFA) are commonly used. These methods can significantly enhance the security of user accounts and protect against unauthorized access.
3. Select password management tools for your organization.
There are quite a lot of enterprise-level password managers in the SaaS market. Choose a verified one after viewing its comments and testing. A password manager can help generate complex and unique passwords, multi-verification, alerts, etc.
Besides, you can use MDM or EMM solutions to secure and manage company-owned devices and employee-owned devices. Those tools protect both the physical materials and data. More, creating a password policy, restricting usage of devices and apps, using Kiosk mode, and automatically taking remote workflows are also available.
- Kiosk Mode
- Application Management
- Geofencing & Tracking
4. Assign employees to take over password security and management.
Passwords for corporate assets can be tremendous. Even an employee may have several passwords used during work. Thus, it's necessary to have a specialized team to take over password security and management.
Some tasks they may handle include detecting vulnerabilities, reviewing password logs, taking password reset and change requests, dealing with emergencies like device loss, and training.
With a dedicated team, the organization can ensure that employees follow password policies. And this can help prevent data breaches and improve the overall security posture.
5. Stipulate password-creating and saving requirements for employees.
This makes people more aware of password security and encourages them to create more substantial and complicated passwords.
6. Create an implementation plan for the corporate password security policy.
Outline the strategy, what to do, and the personnel responsible for the work. The plan should also contain detailed guidelines for the best ways to use passwords and the consequences for employees who need to follow them.
37 Password Policy Best Practices to Improve Enterprise Security
Get ready for the preliminaries. It's time to take action. Now, look at the best practices for a good password policy. Here, we list password policies for employees to comply with and how the enterprise can ensure the implementation.
1Set passwords with no less than ten characters.
The recommended password length is 10 characters and above, which makes it more difficult to decipher (Source: www.security.org).
There are many sources online that say 8-digit passcode is the best. It is mainly based on the operating system of devices. However, according to Statista, a machine can now crack an eight-character password in 22 minutes.
The longer the password, the more difficult it is to predict and the more secure it is. This chart can make the relationship more straightforward.
Source: Hive Systems Password Table
But that doesn't mean employees need to set an unrestricted secret code. When creating a work-used password, you should take memory difficulty into consideration. You definitely don't want to reset your password daily because you can't remember it.
Additionally, the password length limits in work devices should also take into account. Setting a password with a suitable length is the best choice. Android devices can store up to 16 characters, while iOS devices are six-digit by default. Computers that run Windows can be defined to a maximum 14-character. If you want to know more about the recommended password policy on mobile devices, here is a tip.
Password Length Best Practice for Mobile Devices
2Contain multi-category characters in the password.
Complexity is another way to improve company password safety. A strong password should contain uppercase letters, lowercase letters, digits from 0–9, and non-alphanumeric characters. Employees are suggested to meet the requirements when creating passwords to prevent easy guessing or brute-force attacks.
Then, what is a strong password look like? Here're some password complexity best practices:
An online strength tester will be efficient if you want to test password strength. Click here to start testing.
3Avoid using repeated characters in the password, but use passphrases instead.
Attackers can quickly guess or crack passwords that use repeated characters or patterns. Thus, to prevent this, employees must not include more than two identical characters (e.g., 111 or aaa) or more than two consecutive characters (e.g., 123 or abc) in work-related passwords.
Passphrase, words with semantic expression, is a best practice of company password policy that is easy to remember but difficult to crack, like "Miloismydog."
4Reset company passwords only if necessary.
How often should employees update their work passwords? The answer is no need to be regular, but when there is a risk of leakage.
According to Business Insider, many cyber security consultants put forward this password reset policy and believe that a strong password is more helpful than changing passwords. Plausibly, resetting passwords too often can increase the possibility of reuse passwords, making them more vulnerable to internet attacks.
Therefore, the organization should illustrate the situations in the corporate password policy for when to reset passwords. For example, when there is a known or suspected compromise, an employee leaves, or the device is lost.
5Identify bad password habits and prohibit them.
Most employees do not realize the severe issues of not keeping passwords. Enterprises should give a favour and make a 'Not-To-Do' list.
Password Policy Best Practices for Regulate Employee Behavior
Don't share passwords at work.
This is quite common among employees. Based on the survey from Beyond Identity, 41.7% of employees have shared their workplace passwords. To whom? Including but not limited to workmates and contractors, but also their families and friends.
The truth is, it's difficult for the organization to track and control others from spreading passwords, especially those who are not working in the office. Losing accounts could happen in a twinkling.
Don't send passwords through email and text.
Speaking of data breaches, emails and text messages are the most significant sources that suffer from online scams. What if employees send passwords via those mediums? Data loss is already a matter of certainty.
Don't save passwords on browser, or add an extra defence.
Of course, saving passwords on a browser is very convenient for work. But once the device is stolen, it turns into a disaster. Thieves can easily enter the company system. As an establishment, it's best to remind employees of this case.
Practically, some employees will not follow if the company requests not to save the password on the browser. To deal with it, the company should bring mobile device management into its corporate password policy as an added security measure.
Don't reuse work passwords across accounts.
A password reuse policy is a must for an organization. Some employees will use one password for work accounts and devices. And the rate is as high as 63%, according to the report from Visual Objects.
Source: Visual Objects
Though it's less hassle for employees to do so, it's riskier for the company. Because once a password is cracked, the company will lose data using the same password. Thus, the company should restrict employees from reusing passwords.
An MDM tool, such as AirDroid Business, allows IT admins to enforce passwords on devices and change them according to company requirements.
14-days Free Trial
6Enforce corporate password policy by using a password manager or device management tools.
Approaching employees for using passwords correctly is not enough yet. Enterprises should make good use of password policy management tools to ensure the company password policy work effectively.
How can companies benefit? Here're some best practices.
Set up an account lockout policy for failed login attempts.
An MDM provider can help secure company devices by blocking unverified access. The IT team is allowed to set up the number of password attempts. If it exceeds, the device will be factory reset.
Enforce password-setting requirements.
In MDM policy, IT admins can configure password policies and apply them to devices, such as password complexity and length. Further, the admin is able to create a lock screen password by himself, and the device user cannot change it.
Automatically screen lock or wipe device data.
Another security feature of MDM is Alerts. In AirDroid Business, the organization can set up trigger conditions such as device motion status, device leaving a specific geographical range, SIM card placed or removed, apps running, etc. Then, set up auto workflow if there is in case of an alarm.
Configure MFA or 2FA.
Additional authentication is available to add on installed apps, emails, websites, cloud storage services and others.
Learn More: MDM solution can help with:
- Policy: disable device features such as USB access, network connectivity, file transfer, etc.
- App Management: allow or disallow to use of certain apps and configure app settings.
- Remote Control: remotely lock screen, wipe data, and factory reset;
- Geofencing: track and monitor device location.
- Alerts & Auto-workflows: set triggers and receive instant notifications; execute preset command automatically once the trigger occurs.
- Others: Kiosk Mode, bulk file transfer, device & user management, etc.
Try AirDroid Business Freely
Beginner's Guide to AirDroid Business MDM
If you want more insights into MDM solution features and device compatibility, check here.
7Educate employees on password creation and protection.
Provide training for employees on creating strong passwords and avoiding bad password habits. Additionally, encourage employees to use password managers to secure workplace passwords. If the company will use device management solutions, it's necessary to inform and explain to employees in advance. Otherwise, those monitoring and enforcement activities may involve privacy disputes.
4Why Organizations Need Corporate Password Policy
● Enhance Data Security
Corporate data is an important asset. It's important enough to determine the fortune of the company. The number of companies that have gone bankrupt due to data breaches is large than expected.
Password, being the first defence to prevent data loss, plays a crucial role. And organizations can further improve security with a comprehensive password policy.
● Facilitate Password and Account Management
With a policy to follow, employees can better protect their work accounts and passwords and raise awareness, and responsible management personnel can also efficiently handle password loss or other accidents.
● Regulatory Compliance
Some industries have legal regulations that require organizations to comply with, such as healthcare. A corporate password policy is a part of enterprise security measures.
5How to Enforce Password Policy on Company-owned Devices and Make Full Use of MDM
To enforce a password policy on company-owned devices, you can use AirDroid Business. Here are the steps to follow:
- Step 1.Create an AirDroid Business account and log in to the admin console.
- You can manage and monitor all company devices remotely, configure apps and updates, and set up security policies to ensure the safety of sensitive data. Click here to sign up freely.
- Step 2.Enroll device to the organization.
- Deploy mobile devices to Device Lists. You can set up different groups to better manage them.
- Step 3.Create a policy configuration file and apply it to devices.
- This will ensure that the devices comply with the organization's security standards and regulations.
- For password policy, you can create rules requiring using the alphabet, number, or both in the passcode, the minimum password length, and the maximum number of failed attempts. Besides, you can create a password yourself and force it on enrolled devices.
- Step 4.Extra features to secure company assets.
- You can configure other policies to work on devices, for example, restrictions on using USB, WiFi, apps, file transfer, etc.
Learn How Our MDM Policy Feature Can Help
What're some authoritative corporate password policy guidelines?
Some authoritative corporate password policy guidelines include those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Center for Internet Security (CIS).
How employee can protect password in workplace?
Employees can protect their passwords in the workplace by creating strong passwords, not sharing them with others, not sending passwords via emails and text. Click here to learn more.
What are the potential risks if an organization does not take the company password policy seriously?
It can lead to data breaches, legal penalties, and reputational damage.
What tools and technologies can be used to improve password security?
Passphrase generators, password managers, MDM and EMM solutions, biometric authentication, and multi-factor authentication can be used to make passwords safer.
How often should passwords be changed?
Password changes should be based on the organization's policies and risk assessment. Click here to learn more.
How to educate employees for corporate password policy?
Companies can use training sessions, communication and reminders on the importance of strong passwords, and others.