Even though passwords play an ever more crucial role in today’s digitally enhanced world, they can be the weakest link in the cybersecurity chain. Compromised passwords account for a significant share of the threat vectors in most cyberattacks. And it is a no-brainer that the robustness and security of passwords depend more on the user than on the systems that rely on them. According to reports, around 68% of people reuse the same password across different online accounts, making them more vulnerable to password theft. Following a sound password security policy is essential for every employee. For enterprises, the importance of following multi-faceted password security best practices cannot be overemphasized. Companies in Ontario looking to attain a strong IT and password security posture can refer to the Government of Ontario’s General Security Requirements, originally intended for the government’s own network and computer systems.
This article covers the password security policies that must be followed by vendors working with Ontario’s ministries.
Given that passwords are highly sensitive, they must be encrypted in storage and transmission. They should not be cached or stored locally in unencrypted form.
As a part of password security, passwords must never be displayed upon entry. They should be issued to the user directly in person, by telephone or via GO-PKI-protected e-mail.
Users must change initial passwords upon first login, and initial passwords should expire within five days of issuance.
Managers ought to convey to users the risks of improper password use. In addition, technical tools have to be in place to revoke credentials when they are no longer required.
Automatic validation of password strength must be enforced, with tools in place to detect and reject low-entropy passwords. Companies can conduct periodic audits of password strength on existing and new systems, with immediate correction of weak passwords.
Companies can adopt a mechanism to ensure that a user’s previous password values are not reused within 12 consecutive months.
Software that can capture unencrypted passwords must be prohibited.
Passwords for authorized service vendors and the like should be reset upon each use.
Admins with broad rights to IT assets and infrastructure should not share the job function of user password maintenance. In that regard, the administration and use of passwords must be well documented.
Error/exception messages regarding access denials should give the briefest possible explanation.
Emergency passwords have to be changed after use, and controls should be in place to enforce that.
A fifth consecutive incorrect password entry should result in access being denied.
Should encrypted passwords be stored in files, there shouldn’t be any descriptive indication of what use/system the password corresponds to unless that information is also encrypted.
Passwords should never be hard-coded into applications, scripts, macros, automatic login processes, or function keys, as attackers can easily discover these.
To know more about implementing holistic password management policies, contact Packetlabs.
When it comes to issuing and selecting passwords, users ought to understand their responsibilities and the risk to IT assets.
Users should be able to reliably recall their passwords, but the passwords should not be easy for others to guess. Users should not include easily obtainable personal information in any portion of their username or password.
Passwords must be at least eight characters long and contain at least one numeric digit, one uppercase letter and one lowercase letter. Strength and complexity must be appropriate to the business requirement and the I&IT assets involved.
Blank/null passwords are prohibited, and all vendor-supplied passwords must be changed upon deployment.
Users should opt for unique passwords for Remote Access Services (RAS) or access to different platforms.
Wherever feasible, the use of ‘passphrases’ is preferable to shorter password values.
Employees and users should not disclose or share their passwords with anyone.
Installing any password completion software or plug-in should be strictly prohibited.
Users should not use password strength checking websites and apps, as these can gather credentials and sell them to cybercriminals.
Employees should know whom to contact for assistance or report any suspected breach of passwords.
Users are advised to change their passwords at least once every 90 days. System administrators, on the other hand, must change their passwords every month and should exercise the highest standard of care regarding their credentials. These changes ought to be enforced by uncompromising automated means. It is also crucial to ensure that password changes do not consist of trivial alterations of old passwords or easily recognizable patterns/iterations.
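As an added example (not code from the Ontario requirements or from Packetlabs), the following Python check ties together the rules above: the eight-character/digit/uppercase/lowercase minimum, no personal information such as the username in the password, no reuse from the retained history, and rejection of trivial alterations of the current password. The minimum length comes from the policy text; the 0.7 similarity cutoff, the SequenceMatcher-based measure and the SHA-256 history fingerprint are assumptions made for this example.

```python
# Added example, not from the Ontario GSR or Packetlabs; cutoffs are assumptions.
from difflib import SequenceMatcher
import hashlib
import re

MIN_LENGTH = 8         # stated in the policy text
MAX_SIMILARITY = 0.7   # assumed: at or above this ratio a change is "trivial"

def complexity_errors(password: str) -> list[str]:
    """Return the complexity violations for a candidate password (empty = OK)."""
    if not password:
        return ["blank/null passwords are prohibited"]
    checks = [(len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
              (re.search(r"\d", password), "no numeric digit"),
              (re.search(r"[A-Z]", password), "no uppercase letter"),
              (re.search(r"[a-z]", password), "no lowercase letter")]
    return [msg for ok, msg in checks if not ok]

def contains_personal_info(password: str, *known_tokens: str) -> bool:
    """True if the username or another known personal token appears in the password."""
    lowered = password.lower()
    return any(len(t) >= 3 and t.lower() in lowered for t in known_tokens)

def is_trivial_alteration(new: str, old: str) -> bool:
    """Case flips, year bumps and suffix tweaks of the old password count as trivial."""
    a, b = new.lower(), old.lower()
    # Strip a trailing run of digits/punctuation: "summer2023!" -> "summer"
    core_a, core_b = (re.sub(r"[\d\W_]+$", "", s) for s in (a, b))
    if a == b or (core_a and core_a == core_b):
        return True
    return SequenceMatcher(None, a, b).ratio() >= MAX_SIMILARITY

def fingerprint(password: str) -> str:
    # Comparison key for the reuse history only; the live credential belongs in a slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()

def validate_change(new: str, username: str, current: str, history: set) -> list[str]:
    """Change-time check: `current` is the plaintext just authenticated with,
    `history` holds fingerprints of earlier passwords (the 12-month window)."""
    errors = complexity_errors(new)
    if contains_personal_info(new, username):
        errors.append("contains the username")
    if current and is_trivial_alteration(new, current):
        errors.append("trivial alteration of the current password")
    if fingerprint(new) in history:
        errors.append("reused within the retained password history")
    return errors
```

An empty list means the change is acceptable; otherwise each entry names one violated rule, which fits the policy's requirement that denial messages stay brief.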
Conclusion
The above security measures and standards can help companies attain a robust password security stance and protect users from threats like dictionary attacks, password spraying, and password guessing attacks.
Uncover your password security vulnerabilities and policy loopholes (and more) through Packetlabs.