
10 tips for an effective password policy


By Jennifer Montérémal

Published: October 28, 2024

Has your company already introduced a password policy?

You might think that generating strong passwords (length, upper case, lower case, numbers, etc.) would be enough to protect access to your organization's various accounts and data. That is a good start, but it is advisable to go further, all the more so in today's increasingly complex working environment, with the proliferation of work tools and the accounts that go with them.

A good password policy therefore comes with a number of rules that need to be observed to ensure an optimum level of security. At the same time, it must take into account the user experience.

Would you like to discover an example of an effective password policy? Read this article and get inspired by our 10 tips.

What is a corporate password policy?

Password policy: definition

A password policy is a set of rules established within a company, usually by the IT department, that defines how passwords are:

  • created,
  • and used.

Its aim is to increase the security of access to the company's various tools and information.

☝️ The performance of your password policy can only be guaranteed if it is made perfectly clear to employees, and fully integrated into the company's overall security strategy.

Example of a password management policy

ANSSI password policy

One of the leading authorities on password policy is the ANSSI (Agence nationale de la sécurité des systèmes d'information, the French national cybersecurity agency).

On their website, you can download a document containing all their recommendations on password security.

We'll also be taking up some of the ANSSI's recommendations, particularly those relating to the creation of strong passwords.

Active Directory password policy

Another example is Active Directory password policy.

Many organizations, operating under a Microsoft environment, rely on this structure to centrally manage the identification and authentication of their computer network.

In this case, the rules are deployed:

  • via GPOs (Group Policy Objects): the password settings of the Default Domain Policy apply to every account in the domain, so there is a single password policy for all employees operating on the same domain;
  • or via FGPPs (Fine-Grained Password Policies, stored as Password Settings Objects): on the contrary, these allow different policies for different users or global security groups within the same domain, a precedence value deciding which one wins when several apply to the same account. We'll come back to this point later.

For the purposes of this article, let's keep things simple and focus on the main best practices to follow, taken from the recommendations of various reference organizations (CNIL password policy, ANSSI, etc.).

Tip no. 1: create a complex, secure password

What is a complex password?

The creation of a complex password follows a number of rules. In this way, it will prove difficult to guess or crack, even by attackers using automated tools.

💡 By using a strong password, you protect yourself more effectively against:

  • brute-force attacks, which involve testing different combinations until the right one is found;
  • dictionary attacks, which try every word in a dictionary (and common variations of them).

Composition of a complex password:

It must contain:

  • at least 8 characters; ANSSI recommends a minimum length of 12 characters,
  • special characters, such as punctuation marks,
  • numbers,
  • upper and lower case letters.

Furthermore, don't use words from the dictionary or proper nouns: the wordlists used by cracking tools cover them in seconds.

Finally, avoid dates or anything that refers to personal information (your date of birth, for example), which an attacker can easily find out.

Example of a strong password: Lm%zeR5aa9m $

How do I create a secure password?

There are several ways of doing this. But keep in mind that the perfect password needs to be strong... but also easy to remember! Otherwise, the user may behave in a way that compromises security, such as writing it down on a piece of paper or a computer file.

So, even if it's possible to use a complex password generator, opt for a method that allows you to remember them easily.

💡 Here's one recommended by ANSSI:

  • Choose a sentence that is long enough and contains numbers and, ideally, special characters (a quotation, a proverb, an extract from a song, etc.). Example (a French proverb, "Mieux vaut être l'Homme d'1 seul maître que l'Homme de 10 livres"):

Better to be the man of one master than the man of ten books
  • Keep the first letter of each word together with the numbers and special characters. You can also add capital letters for added security. Applied to the French sentence above, this gives:
Mvel'Hd'1smql'Hd10l

Discover other methods of generating memorable passwords in our dedicated article.
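The derivation method above, as an added example that is not part of the original article: a PowerShell function that turns a memorable sentence into a password the way ANSSI describes (first letter of each run of letters, accents stripped, digits and punctuation kept), and a second function that checks the result against the composition rules of Tip 1. The function names, the 12-character minimum and the sample sentence (the article's French proverb) are the only inputs; everything else is an assumption of this example.

```powershell
# Added example, not code from the article or from ANSSI.
function ConvertTo-DerivedPassword {
    param([Parameter(Mandatory)][string]$Sentence)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($token in ($Sentence -split '\s+')) {
        $i = 0
        while ($i -lt $token.Length) {
            $ch = $token[$i]
            if ([char]::IsLetter($ch)) {
                # keep only the first letter of each run of letters, with accents removed
                $base = ([string]$ch).Normalize([System.Text.NormalizationForm]::FormD)[0]
                [void]$sb.Append($base)
                while ($i -lt $token.Length -and [char]::IsLetter($token[$i])) { $i++ }
            } else {
                # digits and punctuation (apostrophes, commas, etc.) are kept as they are
                [void]$sb.Append($ch)
                $i++
            }
        }
    }
    return $sb.ToString()
}

function Test-PasswordComposition {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 12              # ANSSI minimum quoted in Tip 1 (assumed default)
    )
    $checks = [ordered]@{
        LengthOk   = $Password.Length -ge $MinLength
        HasUpper   = $Password -cmatch '\p{Lu}'
        HasLower   = $Password -cmatch '\p{Ll}'
        HasDigit   = $Password -match '\d'
        HasSpecial = $Password -match '[^\p{L}\p{N}]'
    }
    # every rule must hold for the password to count as complex
    $checks['IsComplex'] = @($checks.Values) -notcontains $false
    return [pscustomobject]$checks
}

# Constructed input: the proverb used in the article, with the digits and capital written in
$sentence = "Mieux vaut être l'Homme d'1 seul maître que l'Homme de 10 livres"
$derived  = ConvertTo-DerivedPassword -Sentence $sentence
$derived                                   # Mvel'Hd'1smql'Hd10l
Test-PasswordComposition -Password $derived
Test-PasswordComposition -Password 'password123'   # fails HasUpper and HasSpecial
```

The composition check only tells you that a password satisfies the policy, not that it is hard to crack: a derived password is only as unpredictable as the sentence behind it, so a famous quotation or proverb should be altered (capitalisation, digits, word order) rather than used verbatim.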

Tip 2: Renew your passwords regularly

Even a strong password can be compromised over time. We therefore recommend that you change them regularly. ANSSI has recommended renewal every 90 days. Note that more recent guidance (for example NIST SP 800-63B) advises against forcing periodic changes for ordinary accounts and favours changing a password as soon as there is reason to think it has been compromised.

In any case, we strongly advise you to change your password at the slightest suspicion of a security breach. This could be the case if you learn that one of the companies with which you have an account has been hacked, or if the password turns up in a published breach list.

☝️ Beware: if validity periods are too short, users are tempted to use weaker passwords, or passwords similar to previous ones, to make them easier to remember.

This is why a compromise must be found. For example, an Active Directory fine-grained password policy enables different rules to be applied to different profiles. Within this framework, the administrator can require longer passwords or more frequent renewal for users who are more in contact with the company's sensitive data (and aware of the stakes involved), such as members of management or administrators.
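The fine-grained policy mentioned here and in the Active Directory section above, as an added example that is not from the article: a PowerShell session that reads the domain-wide baseline, creates a stricter Password Settings Object for a group of users handling sensitive data, binds it to that group and checks what a member actually receives. The policy name "PSO-Management", the group "Management", the user "jdoe" and all the numeric values are assumptions to adapt to your domain; the cmdlets are those of the ActiveDirectory RSAT module, and FGPPs require a domain functional level of Windows Server 2008 or later.

```powershell
# Added example, not code from the article. Run on a domain-joined host with the
# ActiveDirectory module, as an account allowed to create PSOs (Domain Admins by default).
Import-Module ActiveDirectory

# 1. The baseline that the Default Domain Policy GPO applies to every account
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold

# 2. A stricter PSO for the sensitive-data population.
#    Lower Precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Management' -Precedence 10 `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true `
    -Description 'Stricter policy for staff handling sensitive data (assumed values)'

# 3. Bind it to the group. PSOs apply to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Management' -Subjects 'Management'

# 4. Verify the resultant policy for one member; no output means no PSO applies
#    and the user falls back to the domain default shown in step 1.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

MinPasswordAge of one day is what stops users from cycling through the history in one sitting to get back to their old password; PasswordHistoryCount on its own does not prevent that.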

Tip 3: Keep passwords confidential

To protect your passwords, and therefore access to your information systems, you need to ensure total confidentiality.

Here are 8 rules to follow:

  1. Never share your password, even with an administrator or line manager.
  2. Never ask a third party to generate a password for you.
  3. When you first log on, change the password assigned to you by default by the company's administrators.
  4. Never give out your password by e-mail, telephone or SMS.
  5. Don't write down your login details on paper.
  6. Nor should you write them down in a computer file, such as Excel.
  7. Never re-use a password you've used in the past.
  8. When using a shared or untrusted connection (such as hotel wifi), use a VPN so that your traffic, and any credentials you enter, cannot be read on that network. Private browsing only prevents the browser from keeping history and saved logins on the device; it does not protect the connection itself.

Tip 4: Use different passwords for different services

We recommend that you don't use the same password for different services (for example, the same password for your work e-mail and your personal mailbox).

Indeed, if one service is breached, attackers will automatically try the leaked login/password pairs against other sites and work tools (a technique known as credential stuffing). A large part of your company's information system could then be compromised!

Tip 5: Carefully manage connection and disconnection to different services

Here are 3 precepts to follow:

  1. Always log off when you leave a service.
  2. Configure your software and web browsers so that they don't remember your passwords, unless they are stored in a password manager protected by a master password (see Tip 10). Otherwise, if an ill-intentioned person takes control of your session, he or she will have easy access to all your credentials.
  3. Program your computer to go into sleep mode after a certain period of inactivity. This protects it from malicious eyes when you're away for a while.

Tip 6: Enable dual authentication where possible

Some services offer two-factor authentication (also called strong or multi-factor authentication).

This involves presenting at least two different kinds of proof when logging in. For example:

  • something you know, like the traditional login/password pair,
  • and something you have, such as a phone running an authenticator app, a hardware security key, or a phone that receives a temporary code by SMS.

💡 There is also a third category, something you are (a biometric factor), such as a fingerprint.

SMS codes are the weakest of the possession factors, since they can be intercepted or redirected by SIM-swapping; prefer an authenticator app or a hardware key where the service offers one. Strong authentication is available for many services, such as Google Workspace.

Tip 7: Raise employee awareness

Of course, a company's password policy is only effective if employees are made fully aware of it.

It is therefore advisable to inform users about :

  • the risks involved,
  • their scope (not everyone is aware that if their workstation is vulnerable, the company's entire information system could be compromised),
  • the best practices to adopt.

Tip 8: Carry out checks and audits

On the administrator's side, you need to carry out regular checks and audits in order to :

  • check the robustness of passwords used by employees,
  • detect any other security flaws,
  • contact a "careless" employee so that corrective action can be taken.

💡These checks can be carried out through an ethical hacking company, whose mission is to identify corporate security flaws.

They can also be carried out in-house. As we'll see later, some software programs generate an inventory of the passwords used by employees (are they weak? duplicated? used for different accounts?). The administrator is then able to visit the employee to raise awareness and suggest areas for improvement.
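An in-house check of the kind described in this tip, as an added example that is not from the article: a PowerShell audit of an Active Directory domain that lists enabled accounts whose settings undermine the password policy (password never expires, no password required, password older than the renewal period, or an effective minimum length below the ANSSI figure). The 90-day and 12-character thresholds, the output file name and the column names are assumptions; the cmdlets and attribute names are those of the ActiveDirectory module.

```powershell
# Added example, not code from the article. Requires the ActiveDirectory module and
# read access to user objects; calling Get-ADUserResultantPasswordPolicy per user is
# slow on very large domains, so run it against a scoped -SearchBase if needed.
Import-Module ActiveDirectory

$maxAgeDays = 90                                   # renewal period from Tip 2 (assumed)
$minLength  = 12                                   # ANSSI minimum from Tip 1
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)
$domainPolicy = Get-ADDefaultDomainPasswordPolicy  # fallback when no PSO applies

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, LastLogonDate

$findings = foreach ($u in $users) {
    $issues = @()
    if ($u.PasswordNeverExpires)             { $issues += 'PasswordNeverExpires' }
    if ($u.PasswordNotRequired)              { $issues += 'PasswordNotRequired' }
    if (-not $u.PasswordLastSet)             { $issues += 'MustChangeAtNextLogon' }
    elseif ($u.PasswordLastSet -lt $cutoff)  { $issues += "PasswordOlderThan${maxAgeDays}Days" }

    # effective policy: the winning PSO if one applies, otherwise the domain default
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    $effectiveMin = if ($pso) { $pso.MinPasswordLength } else { $domainPolicy.MinPasswordLength }
    if ($effectiveMin -lt $minLength)        { $issues += "EffectiveMinLengthBelow$minLength" }

    if ($issues) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Issues          = ($issues -join ';')
        }
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize
$findings | Export-Csv -Path '.\password-audit.csv' -NoTypeInformation
```

This audit checks account settings, not password strength: finding weak or reused passwords requires testing the stored hashes against a breach list, which is what the tools in Tip 9 do.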

Tip 9: Use password policy management tools

There are tools available to support the deployment of a corporate password policy (not to be confused with a password manager).

One such solution is Specops Password Policy, which supports organizations operating via Active Directory. With this software, you can :

  • ensure that the password policies used in your company comply with security recommendations (composition, password length, short lifetime, etc.) ;
  • block weak and compromised passwords with a list of over 2 billion passwords;
  • carry out audits to detect insecure passwords, and send messages to users to encourage them to apply best practices.

Tip 10: Use a password manager

Keeping track of all your different passwords (which, let's not forget, must be unique) can be tedious... if not mission impossible. The human brain is not calibrated for this.

As a result, users are often tempted to resort to dangerous methods (such as writing down their credentials on a file).

That's why we recommend a password manager like LockPass. With this 100% French software, certified by ANSSI, you benefit from a number of advantages:

  • only a master password needs to be memorized to access all logins. Users can connect directly to their various accounts via a browser plug-in, without having to enter their passwords each time;
  • at the same time, administrators can define a password policy for the organization as a whole, or at a more granular level (for teams handling sensitive data, for example), to ensure that each password added to the vault meets predefined criteria. Real-time mapping of all the company's identifiers enables them to ensure compliance with the established rules.

Numerous solutions are therefore available on the market, to facilitate the implementation of an effective password policy within your company... without compromising the user experience.

Article translated from French