10 tips for an effective password policy

By Jennifer Montérémal

Published: 28 October 2024

Has your company already introduced a password policy?

You might think that generating strong passwords (length, upper and lower case, numbers, etc.) would be enough to protect access to your organisation's various accounts and data. But while this is a good start, it is advisable to go further. All the more so in a working environment that is becoming more complex by the day, with the proliferation of work tools.

A good password policy comes with a number of rules that need to be observed to ensure optimum security. At the same time, it must take into account the user experience.

Would you like to see an example of an effective password policy? Read this article and get inspired by our 10 tips.

What is a corporate password policy?

Password policy: definition

A password policy is a set of rules established within a company, usually by the IT department, with the aim of defining the way in which employee passwords are:

  • created,
  • but also used.

Its aim is to increase the security of access to the company's various tools and information.

☝️ The performance of your password policy can only be guaranteed if it is made perfectly clear to employees and fully integrated into the company's overall security strategy.

Example of a password management policy

ANSSI password policy

One of the benchmarks for password policies is that of ANSSI, the French National Cybersecurity Agency.

You can download a document from their website containing all their recommendations on password security.

We will also be adopting some of the advice given by the ANSSI, particularly that relating to the creation of strong passwords.

Active Directory password policy

Another example is the Active Directory password policy.

Many organisations operating in a Microsoft environment use this structure to centrally manage the identification and authentication of their computer network.

In this case, the various rules are deployed:

  • either via GPOs (Group Policy Objects): there is only one password policy applicable to all employees operating on the same domain;
  • or via FGPPs (Fine-Grained Password Policies): these allow different policies to be developed for different users in the same domain. We'll come back to this point later.

For this article, let's keep things simple and focus on the main best practices to follow, taken from the recommendations of various reference bodies (CNIL password policy, ANSSI, etc.).

Tip 1: Create a complex, secure password

What is a complex password?

There are a number of rules for creating a complex password. This way, it will prove difficult to bypass, even by hackers with automated tools.

💡 By using a strong password, you are better protected against:

  • brute force attacks, which involve testing different combinations until you find the right one;
  • dictionary attacks (trying out all the words in the dictionary).

Composition of a complex password:

It must contain:

  • at least 8 characters. ANSSI even recommends a minimum length of 12 characters,
  • special characters, such as punctuation marks,
  • numbers,
  • upper and lower case letters.

Don't use words from the dictionary or proper nouns, which are far too vulnerable to the technologies used by hackers.

Finally, avoid dates or elements that refer to personal information (your date of birth, for example).

Example of a strong password: Lm%zeR5aa9m $
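As an added illustration (not code from the article or from ANSSI), a small Python checker that applies the composition rules above, using ANSSI's 12-character minimum; the mini wordlist and the sample personal data are constructed assumptions standing in for a real dictionary and an employee's actual details:

```python
import re
from datetime import date
from typing import Optional

# Constructed stand-in for a real dictionary / proper-noun wordlist (assumption).
DICTIONARY = {"password", "welcome", "summer", "company", "admin"}
MIN_LENGTH = 12  # ANSSI-recommended minimum (8 is the article's absolute floor)


def date_tokens(d: date) -> set:
    """Fragments an attacker would derive from a birth date: 1990, 0305, 03051990, 19900503..."""
    y, m, dd = f"{d.year}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, dd + m, m + dd, dd + m + y, m + dd + y, y + m + dd}


def check_password(pw: str, personal: Optional[dict] = None) -> list:
    """Return the policy rules the password violates (empty list = compliant)."""
    personal = personal or {}
    low = pw.lower()
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        failures.append("no upper-case letter")
    if not re.search(r"\d", pw):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no special character")
    # Dictionary words and proper nouns are rejected wherever they appear in the password.
    for word in sorted(DICTIONARY):
        if word in low:
            failures.append(f"contains dictionary word '{word}'")
    # Personal information: names (3+ letters) and birth-date fragments.
    for name in personal.get("names", []):
        if len(name) >= 3 and name.lower() in low:
            failures.append(f"contains personal name '{name}'")
    birth = personal.get("birth_date")
    if birth and any(tok in pw for tok in date_tokens(birth)):
        failures.append("contains a birth-date fragment")
    return failures


if __name__ == "__main__":
    sample = {"names": ["Alice", "Dupont"], "birth_date": date(1990, 5, 3)}  # constructed
    for candidate in ("Lm%zeR5aa9m$", "Alice1990!xyz", "Welcome2024!!", "Pass1!"):
        print(candidate, "->", check_password(candidate, sample) or "OK")
```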

How do I create a secure password?

There are several ways of doing this. But bear in mind that the perfect password needs to be strong... but also easy to remember! Otherwise, the user may behave in a way that compromises its security, such as writing it down on paper or on a computer file.

So, even if you can use a complex password generator, opt for a method that allows you to remember them easily.

💡 Here's one recommended by ANSSI:

  • Choose a sentence that is long enough and contains numbers and figures, and ideally special characters (a quote, a proverb, an extract from a song, etc.). Example, the French proverb "Mieux vaut être l'homme d'un seul maître que l'homme de dix livres" ("Better to be the man of one master than the man of ten books").
  • Keep the first letters, numbers and special characters. You can also add capital letters for added security. Applied to the French sentence, this gives: Mvel'Hd'1smql'Hd10l

Discover other methods for generating memorable passwords in our dedicated article.

Tip 2: Renew your passwords regularly

Even a strong password can be compromised over time. We therefore recommend that you change them regularly. ANSSI even recommends renewing them every 90 days.

You are also strongly advised to change your password at the slightest suspicion of a security breach. This could be the case if you learn that one of the companies with which you have an account has been hacked.

☝️ Beware: if the validity periods are too short, users are tempted to use weaker passwords or passwords that are similar to previous ones, to make them easier to remember.

This is why a compromise needs to be found. For example, an Active Directory password policy makes it possible to apply different rules to different profiles. Within this framework, the administrator can require more frequent renewal for users who are in greater contact with the company's sensitive data (and who are aware of what is at stake), such as members of management.

Tip 3: Keep passwords confidential

To protect your passwords, and therefore access to your information systems, you need to ensure complete confidentiality.

Here are 8 rules to follow:

  1. Never share your password, even with an administrator or line manager.
  2. Do not ask a third party to generate a password for you.
  3. Change the default password assigned to you by the company's administrators the first time you log on.
  4. Never give out your password by e-mail, telephone or text message.
  5. Do not write down your login details on paper.
  6. Nor should you write them down in a computer file such as Excel.
  7. Never re-use a password that you have already used in the past.
  8. When you use a shared connection (a Wi-Fi connection in a hotel, for example), opt for private browsing or use a VPN. This will limit the traces you leave behind.

Tip 4: Use different passwords for different services

We recommend that you do not use the same password for different services (for example, using similar identifiers for your work email and your private mailbox).

If a hacking attempt succeeds, the hacker will be able to test the stolen password automatically against other sites and work tools. And a large part of your company's information system could be compromised!

Tip 5: Carefully manage connection and disconnection to different services

Here are 3 precepts to follow:

  1. Always disconnect when you leave a service.
  2. Configure your software and web browsers so that they don't remember your passwords. Otherwise, if someone with malicious intent takes control of your session, they will have easy access to all your identifiers.
  3. Set your computer to go into standby mode after a certain period of inactivity. This will protect it from prying eyes when you're away for a while.

Tip 6: Activate dual authentication if possible

Some services offer dual authentication, or strong authentication.

This technology involves at least two different procedures for logging in. For example:

  • a memorised authentication factor, like the traditional login/password pair,
  • and a physical authentication factor, such as a mobile phone that sends you a temporary code by text message.

💡 There are also biometric factors, relating to a person, such as a fingerprint.

The strong authentication method is available for many services, such as Google Workspace.

Tip 7: Raise employee awareness

Of course, a company's password policy is only effective if there is a real effort to raise awareness among employees.

It is therefore advisable to inform users about:

  • the risks involved,
  • their scope (not everyone is aware that if their workstation is vulnerable, the company's entire information system could be compromised),
  • the best practices to adopt.

Tip 8: Carry out checks and audits

As far as the administrator is concerned, regular checks and audits should be carried out in order to:

  • check the strength of the passwords used by employees,
  • detect any other security flaws,
  • contact a "careless" employee so that corrective action can be taken.

💡 These checks can be carried out through an ethical hacking company, whose mission is to identify security flaws in companies.

They can also be carried out in-house. As we shall see later, some software packages generate an inventory of the passwords used by employees (are they weak? duplicated? used for different accounts?). The administrator can then go and see the employee to raise awareness and suggest areas for improvement.

Tip 9: Use password policy management tools

There are tools available to support the deployment of a password policy within the company (not to be confused with a password manager).

One such solution is Specops Password Policy, which has the particularity of supporting organisations operating via Active Directory. With this software, you can:

  • ensure that the password policies used in the company comply with security recommendations (composition, password length, short lifetime, etc.);
  • block weak passwords and compromised passwords with a list of over 2 billion passwords;
  • carry out audits to detect insecure passwords, and send messages to users to encourage them to apply good practice.

Tip 10: Use a password manager

Remembering all your different passwords (which must be unique) can be tedious... if not mission impossible. The human brain is not calibrated for this.

As a result, users are often tempted to resort to dangerous methods (such as writing down their identifiers on a file).

That's why we recommend using a password manager like LockPass. This software, which is 100% French and ANSSI-certified, offers a number of advantages:

  • you only need to remember a master password to access all your logins. Users can connect directly to their different accounts using a browser plug-in, without having to enter their passwords each time;
  • at the same time, administrators can define a password policy at the level of the organisation or at a more granular level (for teams handling sensitive data, for example), so that each password added to the safe meets the predefined criteria. Real-time mapping of all the company's identifiers enables them to ensure compliance with the established rules.

So there are many solutions available on the market to help you implement an effective password policy within your company... without compromising the user experience.

Article translated from French