What Guidelines Are Essential for Creating a Robust Password Policy?



    In the ever-evolving landscape of digital security, we turned to top cybersecurity experts to share their wisdom on crafting a strong password policy. From advocating for 256-bit encryption to encouraging the use of memorable passphrases for enhanced security, we've compiled five critical guidelines from CEOs and Managing Directors. Discover their trusted strategies to protect your organization's data.

    • Advocate for 256-Bit Encryption
    • Enforce Complex Passwords and Two-Factor
    • Promote Password Management Software Use
    • Recommend Random Passwords with Managers
    • Encourage Memorable Passphrases for Security

    Advocate for 256-Bit Encryption

    Think of 256-bit encryption as a fortress for your digital world. It creates a mind-boggling number of possible combinations, making it practically uncrackable, even with the most powerful supercomputers.

    In today's world, where cyber threats are constantly evolving, we believe that a strong password policy shouldn't just be about compliance – it should be about giving our users the confidence to navigate the digital world without fear. That's why we advocate for a combination of memorable passphrases and robust encryption like 256-bit.

    It's a simple yet effective strategy that puts the power back in the hands of our users. It's about creating a security culture where strong passwords are easy to create, easy to remember, and most importantly, incredibly difficult to crack.

    Enforce Complex Passwords and Two-Factor

    One guideline I always follow is to require strong, complex passwords with a minimum of 12 characters, including numbers and symbols. Short or simple passwords are easily guessed or hacked. I enforce that passwords be changed every 90 days and never reused across systems. If one account is compromised, others are at risk.

    Two-factor authentication is critical for sensitive data. By requiring not just a password but also a code sent to a mobile device, access becomes much more secure. If a password is stolen, an attacker still can't log in without the code.

    These policies, proven through analyses of major data breaches, significantly reduce the chance of compromise. The longer and more complex the password, the lower the chance of hacking. Frequent changes and reuse prevention also improve security. And two-factor authentication cuts unauthorized access by over 99%. Following these guidelines builds a robust password policy to protect systems and data.

    Louis Balla, VP of Sales & Partner, Nuage

    Promote Password Management Software Use

    People have multiple passwords, and passwords need to be long, complex, and unique. If you don't give people a mechanism to easily create and remember passwords, then their passwords will not be long, complex, and unique, as otherwise they'd forget them. This obviously presents a massive cyber risk to organizations.

    So, a password policy should refer to the use of password management software, which should be provided for all staff to use, and it should direct them to training on how to use this software appropriately.

    Mike Ouwerkerk, Fun, Engaging Cyber Security Awareness Trainer & Cultural Transformation Consultant, Web Safe Staff

    Recommend Random Passwords with Managers

    You shouldn't know your password—this is our guiding principle at CloudTech24. The most robust passwords are random strings of letters, numbers, and characters. So random that it's unlikely you would remember it for one site (and impossible for multiple sites).

    In this case, we recommend using a password manager. We encourage our new employees to install and use a password manager when they start with us. This is the best way to store your passwords securely without having to write down a single password.

    Craig Bird, Managing Director, CloudTech24

    Encourage Memorable Passphrases for Security

    In our company, an encrypted email service, we use passphrases, which is a well-known and very robust password strategy. Instead of the usual short, complex passwords, a passphrase is just a string of random words or a meaningful sentence, for instance, something like "TodayCatRainBeautiful!" or "FamilyAndFriendsAreAllThatMatter." It's longer, but that's the point.

    The extra length makes it way harder for anyone to crack, and the best part is it's easier to remember than something like "P@ssw0rd123". At Tuta Mail, we have even built a passphrase creator into our client at sign-up so that non-tech people can also start using passphrases easily. Unfortunately, many still don't know the benefits of passphrases; yet, they should!

    The reason passphrases work so well is that they're both secure and user-friendly. With traditional passwords, people often end up using risky shortcuts: they write down their passwords or use the same password everywhere—because they're hard to remember. Passphrases solve this problem by being memorable but still super tough for hackers to guess. Longer passphrases mean a whole lot more combinations to try out, so it's much harder for someone to break in.

    For us in IT, pushing for passphrases makes our lives easier, too. We can boost security without making users frustrated with overly complex passwords. People are more likely to stick to the policy when they don't have to deal with remembering a bunch of random characters. Plus, it helps us build a stronger security culture without adding extra hassle for everyone involved.

    So, in a nutshell, at Tuta we are fans of passphrases because they're the perfect mix of security and simplicity. They're easier to remember, harder to crack, and help keep everyone on board with good security practices. If you're ready for the next tip as well: start using a password manager—which will make remembering passwords or passphrases even easier!

    Arne Möhle, Co-Founder & CEO, Tuta
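    A worked illustration of the length-versus-complexity point made in the passphrase and complex-password tips above, added here as an example and not code from Tuta, Nuage or any other contributor: it computes the entropy bound of random character passwords against random word passphrases and draws a passphrase from the OS CSPRNG. The 16-word list is constructed for the demo; 7776 is the classic Diceware list size, assumed here for the comparison.

```python
import math
import secrets

# Constructed 16-word list for illustration only; a real generator (Tuta's
# built-in creator, a Diceware list) draws from thousands of words.
WORDLIST = [
    "today", "cat", "rain", "beautiful", "family", "friend", "matter", "river",
    "candle", "orbit", "velvet", "ladder", "pepper", "window", "silver", "forest",
]
PRINTABLE_ASCII = 94   # symbols available to a fully random character password
DICEWARE_SIZE = 7776   # assumed list size for the passphrase comparison


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_entropy(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn uniformly from a list of `wordlist_size`."""
    return entropy_bits(wordlist_size, words)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest passphrase length (in words) that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), never the `random` module."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # These figures are upper bounds that assume every symbol or word is chosen
    # uniformly at random. Human-picked strings such as "P@ssw0rd123" or
    # "TodayCatRainBeautiful!" sit far below the bound, which is why a
    # generator (password manager or passphrase creator) should do the choosing.
    print(f"8 random chars   : {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
    print(f"12 random chars  : {entropy_bits(PRINTABLE_ASCII, 12):.1f} bits")
    print(f"4 Diceware words : {passphrase_entropy(4, DICEWARE_SIZE):.1f} bits")
    print(f"words for 78 bits: {words_needed(78, DICEWARE_SIZE)}")
    print("sample passphrase:", generate_passphrase(4))
```

Four random words from a 7776-word list roughly match eight fully random printable characters, and seven such words exceed a twelve-character random password, while remaining far easier to remember.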