Our New Employee Password Policy Standards

Q&A with Tammy Huie, Security Compliance Analyst @ Personal Capital

Max Mautner
Sep 12, 2018 · 2 min read
Image: Password rotation

What has been Personal Capital’s historical approach to password security?

Previously, we required complex passwords. The prevailing belief at the time was that the more complex a password, the more difficult it was to crack.

This meant Personal Capital employees’ passwords strictly had to have upper and lower-case letters, a number, and a special character — in addition to being a minimum number of characters.

This was in addition to periodically requiring team members to change their password every few months.

What prompted a change in password policy?

There’s been industry recognition that people often forget complicated passwords, which is a categorically bad thing. The National Institute of Standards and Technology (NIST) even updated their password security standard to remove the complexity and regular password change recommendations. [See NIST’s SP 800-63 Digital Identity Guidelines]

By forcing users to create complex passwords we increase the likelihood of users choosing predictable passwords or writing their passwords down, which makes passwords inherently easier to hack.


So how did password policy change to address these security risks?

The solution we adopted to combat these risks has been to allow users to pick more memorable passwords by relaxing both our complexity requirements and our forced password expirations.

We now encourage users to pick long passphrases, which can include spaces, as opposed to passwords.

Separate security policies augment our password policies, for example requiring multi-factor authentication (MFA).

MFA is a huge topic unto itself and we’ll cover it in a future Q&A.
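As an added example (not code from the interview or from Personal Capital’s own systems), here are the two rule sets described above written out as checks, so the difference shows on sample inputs. Every threshold, and the assumption that the old rules rejected spaces, is mine; the interview quotes no numbers.

```python
import string

# All thresholds are assumed values for illustration; the interview quotes none.
LEGACY_MIN_LENGTH = 8          # old "minimum number of characters"
LEGACY_MAX_AGE_DAYS = 90       # old forced rotation "every few months"
PASSPHRASE_MIN_LENGTH = 16     # new policy: length, not composition, carries the strength


def legacy_policy_violations(password, age_days):
    """Old rule set: composition classes, minimum length, no spaces, forced rotation."""
    problems = []
    if len(password) < LEGACY_MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if " " in password:
        problems.append("spaces not allowed")   # assumed: legacy rules rejected spaces
    if age_days > LEGACY_MAX_AGE_DAYS:
        problems.append("expired, rotation required")
    return problems


def passphrase_policy_violations(password):
    """New rule set: a long passphrase, spaces welcome, no composition classes, no expiry."""
    problems = []
    if len(password.strip()) < PASSPHRASE_MIN_LENGTH:
        problems.append("too short")
    return problems


def compare_policies(password, age_days=0):
    """Evaluate one candidate under both rule sets, for side-by-side review."""
    return {
        "legacy": legacy_policy_violations(password, age_days),
        "passphrase": passphrase_policy_violations(password),
    }


if __name__ == "__main__":
    # Constructed samples: a predictable seasonal pattern that satisfies every
    # complexity class, and a memorable multi-word passphrase that fails them all.
    for candidate in ("Winter2018!", "correct horse battery staple"):
        print(candidate, compare_policies(candidate, age_days=100))
```

The predictable pattern sails through the legacy checks while the memorable passphrase is rejected on four counts, which is the mismatch between complexity rules and actual password quality the interview is pointing at.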

What’s your take on password security best practices?


Best practice is to keep a different password for every single account (e.g. email/bank/etc.) — this hasn’t changed.

However, the average person has 50–100 accounts.

I recommend you use a password manager — so that you only have to remember a single password while retaining unique passwords for all 50–100 of your accounts. We apply this ourselves as everyone at Personal Capital utilizes our password manager.

Turn on mandatory multi-factor authentication for all sensitive accounts — especially for your primary email account.

This is critical since your primary email account is often used for password reset emails — making it your number one priority to secure.

Personal Capital Tech Blog

We are Personal Capital's Engineering team.