If you’ve ever seen Jimmy Kimmel Live, I hope you’ve seen the “What’s your Password” skit. As funny, and as incredibly disappointing, as this is, it’s real life. We’re not in Kansas anymore, folks. Many years ago, all we needed to do to protect our assets was lock our door. Now, our assets are spread across a virtual kingdom.
Our online activities touch almost every aspect of our lives. From banking and shopping to work and communication, our digital presence is widespread. It's crucial to understand the importance of safeguarding your personal and professional accounts. One of the simplest yet most effective ways to do this is by using unique passwords for all your online activities.
By using unique passwords, understanding the power of password length, and taking advantage of multi-factor authentication (MFA), you're creating an extra layer of defense against potential threats. Just as you wouldn't hand out copies of your house keys to strangers, avoid using the same password across multiple accounts.
This isn't solely an enterprise concern. If you recycle passwords and a breach occurs, attackers could potentially access your other accounts using that same password. Always opt for distinct passwords and ensure you update any default ones.
Effective password policies are pivotal in safeguarding organizational data. When incorporating MFA into the security infrastructure, enterprises can afford some flexibility in password requirements given the added layer of security MFA provides. However, for accounts without MFA, stricter password policies are crucial. Here's a suggested framework:
- For Users With MFA:
  - Password Length: Minimum of 8 characters.
  - Password Complexity: Should include at least one uppercase letter, one lowercase letter, one number, and one special character. Passwords with consecutive repeated characters should be avoided.
  - Password Rotation: Change every 180 days, with reminders sent starting 15 days prior.
  - Password History: Retain the last 5 passwords to prevent reuse.
  - Account Lockout: After 5 failed login attempts, accounts should be locked out for 15 minutes or until admin intervention.
  - Recovery Options: Ensure recovery options are linked to MFA, such as a code sent to a registered mobile number.
- For Users Without MFA:
  - Password Length: Minimum of 14 characters.
  - Password Complexity: Must include at least one uppercase letter, one lowercase letter, one number, and two special characters, and avoid easily guessable words or combinations. No use of the user's name, username, company name, or common words. Passwords with consecutive repeated characters should be avoided.
  - Password Rotation: Change every 60 days, with reminders sent starting 10 days prior.
  - Password History: Retain the last 10 passwords to prevent reuse.
  - Account Lockout: After 3 failed login attempts, accounts should be locked out for 30 minutes or until admin intervention.
  - Recovery Options: Recovery options must be stringent, incorporating security questions, and possibly an additional verification method like email verification.
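To make the two tiers concrete, here is an added example (my own code, not from the CIS template or this post) that encodes the framework above as a password-acceptance check: length, character classes, the number of special characters, consecutive repeated characters, the retained history, and, for the non-MFA tier, the ban on the user's name, username, company name and common words. The set of "special" characters and the identity-word list are assumptions an organization would define for itself.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_special: int
    history_depth: int
    forbid_identity_words: bool


# The two tiers from the framework above (values taken from the post).
POLICY_WITH_MFA = PasswordPolicy(min_length=8, min_special=1, history_depth=5, forbid_identity_words=False)
POLICY_WITHOUT_MFA = PasswordPolicy(min_length=14, min_special=2, history_depth=10, forbid_identity_words=True)

# Assumed definition of "special character"; adjust to your own standard.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def check_password(password, policy, history=(), identity_words=()):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    specials = sum(1 for c in password if c in SPECIAL_CHARS)
    if specials < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    # Consecutive repeated characters ("aa", "11") are disallowed in both tiers.
    if re.search(r"(.)\1", password):
        problems.append("consecutive repeated characters")
    # Reuse check against the retained history (only the last N passwords count).
    if password in list(history)[-policy.history_depth:]:
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    # Non-MFA tier: reject the user's name, username, company name or common words
    # (the caller supplies that word list; matching is case-insensitive).
    if policy.forbid_identity_words:
        lowered = password.lower()
        for word in identity_words:
            if word and word.lower() in lowered:
                problems.append(f"contains forbidden word '{word}'")
    return problems
```

A real deployment would also screen candidates against a breached-password list, which the framework's "common words" rule points at but does not spell out.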
Here’s a link to an Account and Credential Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6
Here are some details on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 5 – Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Implementation Group 1
CIS Safeguard 5.2 - Use Unique Passwords
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.