Passwords are one of the most important cornerstones of a successful information security program. Weak passwords are one of the top risks facing information security departments, and many companies have added password audits to their organization's password policy. A password audit begins with an engineer attempting to break the encryption on each password stored on your domain controller in order to identify weak passwords. The recovered passwords are then reviewed to identify weaknesses in your policy or in its enforcement.
PeopleSec Recommends The Following:
- Require users to have a password that is at least 12 characters long.
- Remove complexity requirements to make it easier for users to remember their passwords.
- Use pass-phrases instead of passwords.
- Require users to change their passwords at least once every 90 days.
- Educate users on how to choose a secure password.
- When storing passwords, use an encrypted password storage tool.
- Test password strength by having a security engineer decrypt your passwords at least once a year.
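The policy above can be enforced at the moment a user sets a password, where the plaintext is still available, rather than waiting for the annual audit to find the weak ones. The following is an added example, not PeopleSec's own code: it checks the 12-character minimum and the 90-day maximum age, deliberately applies no character-class complexity rule, accepts multi-word pass-phrases, and rejects entries found on a blocklist. The blocklist here is a small constructed sample; a real deployment would check against a breached-password list.

```python
"""Password policy check implementing the recommendations above.

Added example, not PeopleSec's own code. Assumptions not taken from the page:
- the check runs at password-set time, where the candidate password is available,
- weak choices are detected by comparing against a constructed blocklist
  (a real deployment would use a breached-password list instead).
"""
from datetime import date, timedelta

MIN_LENGTH = 12     # recommendation: at least 12 characters
MAX_AGE_DAYS = 90   # recommendation: change at least once every 90 days

# Constructed sample blocklist of well-known weak choices (illustrative only).
WEAK_PASSWORDS = {
    "password", "password1", "welcome1", "letmein", "qwerty123456", "summer2024!",
}


def check_password(candidate: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    There is intentionally no uppercase/digit/symbol requirement: the policy
    above drops complexity rules in favour of length and pass-phrases.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Compare case-insensitively so "Password1" is caught as well as "password1".
    if candidate.lower() in WEAK_PASSWORDS:
        problems.append("appears on the weak-password blocklist")
    # Catch padding tricks such as "aaaaaaaaaaaa" that satisfy length alone.
    if candidate and len(set(candidate)) <= 2:
        problems.append("made of one or two repeated characters")
    return problems


def is_passphrase(candidate: str) -> bool:
    """True if the candidate looks like a multi-word pass-phrase (three or more words)."""
    return len(candidate.split()) >= 3


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than MAX_AGE_DAYS."""
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


def audit_age(accounts: dict[str, date], today: date) -> list[str]:
    """Return the usernames whose passwords are past the 90-day limit.

    `accounts` maps username to the date of the last password change.
    """
    return [user for user, changed in accounts.items() if password_expired(changed, today)]


if __name__ == "__main__":
    # Constructed sample input: a few candidate passwords and last-change dates.
    for pw in ["Summer2024!", "aaaaaaaaaaaa", "correct horse battery staple"]:
        print(repr(pw), check_password(pw) or "OK", "passphrase" if is_passphrase(pw) else "")
    sample = {"alice": date(2024, 1, 1), "bob": date(2024, 3, 15)}
    print("expired on 2024-04-01:", audit_age(sample, date(2024, 4, 1)))
```

The length and blocklist checks are the ones that matter most in practice: once a password is long and not on a breached list, complexity rules add little beyond making it harder to remember, which is why the recommendation drops them.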