How to Best Meet Password Security Compliance Requirements
Compliance is one of the main concerns of nearly every business owner I consult with, and for good reason. After all, nearly every business is held to data security standards set by an industry or government organization.
When a business’s data becomes compromised in a security breach, the result can be devastating; think big fines, public scrutiny, and a serious loss of customer confidence.
Password security is a major component of data security, but when I talk to business owners and IT managers about their password systems, I often get the sense that they know their password systems are severely lacking. They feel vaguely worried about it, but don’t know how to fix the problem—or even where to begin.
It’s true that password security compliance can be confusing; different businesses are required to meet different password standards depending upon the type of data they handle, and password compliance guidelines are always changing. You can make sure that your business is prepared for success by ensuring that the password best practices below are being followed:
Strengthen your passwords
In an analysis of passwords stolen from Myspace.com users in a recent phishing attack, two of the most popular passwords were “password” and “myspace.” Believe it or not, “password” remains one of the most popular passwords today, even as more applications require the user to include a number or a capital letter (so people use “Password123.” Creative, right?). It is also one of the easiest to guess. Businesses should require their employees to create unique, hard-to-guess passwords that don’t include the word “password,” the name of the application, or any part of their own name. Employees should also be required to immediately change any default passwords given to them by vendors, including for sites or applications. (This is a password compliance requirement of the Payment Card Industry Data Security Standard, or PCI-DSS, which applies to any business that accepts payment via credit or debit card.)
Change your passwords frequently
When creating a password policy for your business and employees, require that all passwords be changed every 30, 60, or 90 days, depending upon the nature and volume of the data you handle and your compliance obligations. Passwords that are used more frequently carry higher risk and should expire even sooner.
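The rules from the two sections above, turned into a policy check that an onboarding or password-change form could call. This is an added example, not code from the article; the 12-character minimum, the short list of vendor defaults, and the helper names are my assumptions.

```python
import re
from datetime import date, timedelta

# Constructed list of common vendor defaults for this example; a real policy
# would load the vendor's documented defaults and a breached-password list.
DEFAULT_PASSWORDS = {"admin", "changeme", "welcome1", "password"}


def _name_parts(full_name: str) -> list:
    """Split 'Jane Q. Doe' into ['jane', 'doe']; tokens under 3 letters are ignored."""
    return [p for p in re.split(r"[^a-z]+", full_name.lower()) if len(p) >= 3]


def check_password(candidate: str, *, user_name: str, app_name: str,
                   min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    low = candidate.lower()
    if len(candidate) < min_length:  # length floor is an assumption, not from the article
        problems.append(f"shorter than {min_length} characters")
    if "password" in low:
        problems.append('contains the word "password"')
    if app_name.lower() in low:
        problems.append("contains the application name")
    for part in _name_parts(user_name):
        if part in low:
            problems.append(f'contains part of the user name ("{part}")')
    if low in DEFAULT_PASSWORDS:
        problems.append("is a known vendor default and must be changed")
    return problems


def rotation_due(last_changed: date, max_age_days: int, today: date) -> bool:
    """True when the password has reached the 30/60/90-day age chosen for the account."""
    return today - last_changed >= timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Password123", "myspace2024-rocks!", "JaneDoe-Rocks-2024", "Summer-rain-4471-Ox"):
        print(f"{pw!r}: {check_password(pw, user_name='Jane Q. Doe', app_name='Myspace') or 'OK'}")
    print("rotation due:", rotation_due(date(2024, 1, 1), 90, date(2024, 3, 31)))
```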
Consider multi-factor authentication
The U.S. government has identified three factors that can be used as part of its authentication process, and these factors have become standard in security guidelines. The three factors are knowledge (something you know), possession (something you have), and inherence (something you are). A business that uses only passwords for data access is using one-factor authentication—the user need only enter a password (something they know) to gain access. Adding another required factor to the authentication process, like a one-time numeric code from a token (something the user has) or a biometric fingerprint scan (something the user is), is called multi-factor authentication, and it adds an extra layer of security that can make a huge difference if someone is attempting to break into your systems. Multi-factor authentication is gaining in popularity and is likely to become commonplace in the near future. Google and Facebook already offer multi-factor authentication as an option; the FBI recently began requiring that all agencies use multi-factor authentication to access criminal records. PCI-DSS also requires multi-factor authentication for remote access to cardholder data.
If you’re in the market for a multi-factor authentication software solution, check out our helpful guide, “12 Questions You Need to Ask Your Multi-Factor Authentication Vendor.” You can also download it by clicking on the image at the end of this article.
Provide employee training on password best practices
In order to be effective, a password policy must be followed. If you are relying on your employees to follow an effective password policy, it’s important to give your employees the background on password security (why it’s so important, and what’s at stake) as well as tips for password management and safety. Employees should know how to create a strong password, how often they should change it, and how they should and shouldn’t store their password information.
Use a password management system
I strongly advise all business clients to use password management software regardless of the size of their business. There are simply too many passwords in day-to-day use in a business to manage them all effectively by hand. Password management software lets you enforce a sound password policy with little effort—automate strong password generation, automatically rotate passwords every three, six, or nine months, decide which permissions are granted to whom, and more. It greatly reduces the “human error” factor.