Our New Employee Password Policy Standards
Q&A with Tammy Huie, Security Compliance Analyst @ Personal Capital
What has been Personal Capital’s historical approach to password security?
Previously, we required complex passwords. The prevailing belief at the time was that the more complex a password then the more difficult it was to crack.
This meant Personal Capital employees’ passwords strictly had to have upper and lower-case letters, a number, and a special character — in addition to being a minimum # of characters.
This was in addition to periodically requiring team members to change their password every few months.
What prompted a change in password policy?
There’s been industry recognition that people often forget complicated passwords, which is a categorically bad thing. The National Institute of Standards and Technology (NIST) even updated their password security standard to remove the complexity and regular password change recommendations. [See NIST’s SP 800–63 Digital Identity Guidelines]
By forcing users to create complex passwords we increase the likelihood of users choosing predictable passwords or writing their passwords down, which makes passwords inherently easier to hack.
So how did password policy change to address these security risks?
The solution we adopted to combat these risks has been to allow users to pick more memorable passwords by relaxing both our complexity requirements and our forced password expirations.
We now encourage users to pick long passphrases, as opposed to passwords which can include spaces.
Separate security policies augment our password policies, for example requiring multi-factor authentication (MFA).
MFA is a huge topic unto itself and we’ll cover in a future Q&A.
What’s your take on password security best practices?
Best practice is to keep a different password for every single account (e.g. email/bank/etc.) — this hasn’t changed.
However, the average person has 50–100 accounts.
I recommend you use a password manager — so that you only have to remember a single password while retaining unique passwords for all 50–100 of your accounts. We apply this ourselves as everyone at Personal Capital utilizes our password manager.
Turn on mandatory multi-factor authentication for all sensitive accounts — especially for your primary email account.
This is critical since your primary email account is often used for password reset emails — making it your number one priority to secure.