Building password policies for your customers can be complicated. You need to find the right balance between convenience and security. If the policy is too strict, no one will follow it and you’ll end up with more security issues; if it is too relaxed, you’ll be more vulnerable. So how do you create a policy that works?
Let’s discuss some tips on creating password policies for your customers.
1. Password Changes
First things first, decide how often passwords need to be changed. Ideally, have your customers change their passwords every 90 days, or 180 days at the most. A forced password reset limits how long credentials stolen in a breach that has not yet been discovered remain usable.
Requiring a forced password change is a good first step, but you will also want to require that the new password actually be different. Recycling old passwords is not recommended, nor is a “new” password that changes only one character of the old one. Make sure your policy enforces that new passwords are genuinely new.
2. Password Complexity
Next, we are going to discuss password complexity. Just as with change frequency, there are several requirements you can combine to make passwords harder to guess.
One example is character sets. The more character types you require, the more complex the password will be. A suggested rule is to require upper case, lower case, numbers, and symbols. This can easily take a simple password and increase its complexity: a random word like “keyboard” would become “k3ybO@rd”.
The next example is forbidden words. These should include any part of the username or login, the name of the service, the name of the company, and personal information (e.g., birthday or ID number). This is very straightforward but highly recommended.
The third factor is password length. A recommended length is between 8 and 15 characters. One recommendation for your customers is to use passphrases, which are easier for them to remember but not something anyone else would guess.
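As an added example (not code from the original article), here is a Python checker that enforces the rules above, the length, character-set and forbidden-word requirements, together with the "must actually be different" rule from the password-change section. The policy constants (8 to 15 characters, four character classes) come from the article; the minimum edit distance of 3 between the old and new password, the SHA-256 history comparison and the sample account details are assumptions made for this example.

```python
"""Password policy checker: added example, not the article's own code."""
import hashlib
import re
import string

# Policy constants taken from the article: 8-15 characters, four character classes.
MIN_LENGTH = 8
MAX_LENGTH = 15
# Assumption (not stated in the article): a "new" password must be at least this
# many single-character edits away from the password it replaces.
MIN_EDIT_DISTANCE = 3


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def forbidden_terms(username, service, company, personal=()):
    """Collect lower-cased substrings the password must not contain.
    Values are split on non-alphanumerics so 'j.smith' yields 'smith' and
    a birthday '1990-04-12' yields '1990'; parts shorter than 3 characters
    (initials, day/month numbers) are skipped so they don't match everything."""
    terms = set()
    for value in (username, service, company, *personal):
        for part in re.split(r"[^a-z0-9]+", value.lower()):
            if len(part) >= 3:
                terms.add(part)
    return terms


def history_hash(password: str) -> str:
    # Example only: a real deployment compares the candidate against the stored
    # password hashes with the hash's own verify function (bcrypt/argon2),
    # never against a bare SHA-256 of the password.
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(candidate, username, service, company, personal=(),
                   current_password=None, previous_hashes=()):
    """Return a list of policy violations; an empty list means the password passes.
    current_password is the plaintext the user entered at change time (the only
    moment it is available), previous_hashes the stored history."""
    violations = []
    n = len(candidate)
    if n < MIN_LENGTH or n > MAX_LENGTH:
        violations.append(f"length {n} outside {MIN_LENGTH}-{MAX_LENGTH}")
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    for name, present in classes.items():
        if not present:
            violations.append(f"missing {name} character")
    lowered = candidate.lower()
    for term in sorted(forbidden_terms(username, service, company, personal)):
        if term in lowered:
            violations.append(f"contains forbidden term '{term}'")
    if current_password is not None:
        d = levenshtein(lowered, current_password.lower())
        if d < MIN_EDIT_DISTANCE:
            violations.append(f"too similar to current password (edit distance {d})")
    if history_hash(candidate) in set(previous_hashes):
        violations.append("password was used before")
    return violations


if __name__ == "__main__":
    # Constructed sample account for the demo.
    account = dict(username="j.smith", service="AcmeBank", company="Acme Corp",
                   personal=("1990-04-12",))
    for pw in ("k3ybO@rd", "acme2024!", "Bl!nkMug37"):
        print(pw, check_password(pw, current_password="keyboard", **account))
```

Run as a script, the demo shows that "acme2024!" fails on a missing upper-case letter and the company name, "Bl!nkMug37" passes, and the article's own "k3ybO@rd" is rejected when the user's current password is "keyboard": it is only two edits away, which is exactly the "one character changed" pattern the change-frequency rule warns about.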
While you can’t control this, I would recommend educating your customers on why they shouldn’t use the same password for everything. Each login needs its own unique password; everything from online banking to Facebook should use a different one. That way a breach of one site cannot be used to get into the others. One way you can help your customer is to offer a password manager solution. There are several out there, and a manager makes it practical for them to create unique passwords for each login.
3. Multi-Factor Authentication (MFA)
Last, but not least, using multi-factor authentication, when available, makes the login more secure, and depending on the authentication options offered it can also make logging in easier. While this trend is still growing, more and more options are becoming available.
Now that we’ve gone over some tips on creating password policies, let’s discuss how to communicate them to your customers.
1. New Account Agreement
New account agreements are the easiest place to start. Within your current agreement, add a section that lays out the password policy for all customers. This tells them your expectations of their users, and it also helps protect you if a breach were to occur: if it comes down to a user not following your policy, the customer’s company is accountable for its users’ actions.
2. Adding an Amendment to Current Agreements
Just like the new account agreement, you can go back to current agreements and add an amendment that includes the new password policy. The sooner the better, but the renewal period is the easiest time to make the revision. When doing so, explain the change to your customer so they understand what you are adding and why. That makes it more likely they will pass the policy on to their users, which helps avoid future incidents.
3. Employee Handbook
The last suggestion is to include the policy in the customer’s employee handbook. While you don’t have direct control over this, you can make it easy for the company to add the policy: write up what needs to be added and explain what it means for them in terms of expectations. This is a good way for you to hold your customers accountable, and for them to hold their users accountable.