Is your password policy compliant?

Use this checklist as a tool to enforce or strengthen your existing password security.

Kelly Strain
2 min read · Aug 31, 2017

According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Financial, healthcare and public sector organizations accounted for more than half of the breaches analyzed in this report.

Password strength is an important security concern. Applications must apply constraints that discourage easy-to-guess passwords, limit password reuse and reduce the effectiveness of brute force attacks.

Requiring a minimum password length of 8 characters, with at least one uppercase letter and at least one special character, is a good starting point for maximizing strength while minimizing user frustration.

While everyone should apply constraints, some organizations are required to do so by law. In order to comply with a number of well-known industry regulations (like FDA, PCI, HIPAA, SOC2 and NIST) it’s necessary to have stringent password constraints in place. I have outlined a few of these requirements below:

  • At least 6, but preferably 8 characters in length
  • Passwords cannot be the same as any of the user’s last four passwords
  • Passwords must be changed every 90 days
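As an added example (not the article's or Inversoft's code), the following Python snippet enforces the rules above as an application-side policy check: the 8-character minimum with an uppercase and a special character, rejection of any of the last four passwords, and a 90-day maximum age. The record layout, the `rotate_password` helper and the SHA-256 fingerprint used for the history comparison are assumptions made for illustration; a real history store would keep slow, salted hashes.

```python
"""Password policy checker (added illustration; not the article's code)."""
import hashlib
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 8       # article's recommended minimum (the compliance floor quoted is 6)
HISTORY_DEPTH = 4    # may not match any of the user's last four passwords
MAX_AGE_DAYS = 90    # must be changed every 90 days


def day(iso: str) -> date:
    """Parse an ISO date such as '2017-08-31' (helper for readable call sites)."""
    return date.fromisoformat(iso)


def _fingerprint(password: str) -> str:
    # Assumption for illustration only: production history stores keep slow,
    # salted hashes (bcrypt/argon2), never a bare SHA-256 of the password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordRecord:
    """Per-user state needed to enforce reuse and rotation rules (assumed shape)."""
    history: List[str] = field(default_factory=list)  # fingerprints, newest first
    changed_on: Optional[date] = None


def check_password(candidate: str, record: PasswordRecord) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if _fingerprint(candidate) in record.history[:HISTORY_DEPTH]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(record: PasswordRecord, today: Optional[date] = None) -> bool:
    """True when the current password is older than MAX_AGE_DAYS (or was never set)."""
    today = today or date.today()
    if record.changed_on is None:
        return True
    return today - record.changed_on > timedelta(days=MAX_AGE_DAYS)


def rotate_password(record: PasswordRecord, new_password: str,
                    today: Optional[date] = None) -> List[str]:
    """Apply the policy; on success record the fingerprint and the change date."""
    problems = check_password(new_password, record)
    if problems:
        return problems
    record.history.insert(0, _fingerprint(new_password))
    del record.history[HISTORY_DEPTH:]  # keep the current password plus three predecessors
    record.changed_on = today or date.today()
    return []


if __name__ == "__main__":
    rec = PasswordRecord()
    print(check_password("short", rec))                      # three violations
    print(rotate_password(rec, "Winter!2017", day("2017-08-31")))  # []
    print(rotate_password(rec, "Winter!2017", day("2017-09-01")))  # reuse rejected
    print(password_expired(rec, day("2017-11-30")))           # True (91 days later)
```

The checks return a list of violated rules rather than a boolean so the login or registration form can show the user every rule that failed at once, and the thresholds are module constants so a stricter regime (longer minimum, deeper history) is a one-line change.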

If you are an organization that deals with protected health information (PHI), payment card processing, customer information stored in the cloud, food, drugs or biologics, a periodic review of password rules is a vital component of your compliance and security strategies.

Are you compliant?

Download the complete Password Security Compliance Checklist.

It outlines the strict requirements of industry specific password compliance and will help you initiate critical conversations with your engineering, security and governance teams.


Kelly Strain

Content Marketing at @inversoft. Covering tech, identity and user management. Social media aficionado, part-time SEO expert, avid skier.