P@$$w0rdP0l!c!3$4Th3W!n

Unpack your "Pirin Tablets" because we're about to dive into the wonderful world of password policies! Yes, I know. Sounds like the most boring topic ever, right? Let's see if I can make this entertaining.

Why do you care? Well, I am going to channel Austin Powers and bring this to you in a 'nutshell'. They're to keep your digital assets and data safe and secure. Done.

Now that we know that, here are the most important aspects of password policies (and I really should stop saying "password", but...habit) that you really should know about and have configured.

Traditional passwords have a limit to their complexity, are typically not long, and are super easy to crack by brute force. So, what do we do about the R.O.U.Ses we call passwords? Pretty simple: use passphrases. This means setting longer minimum lengths, because length is where the entropy comes from. What do I recommend?

  • User Accounts - 16 Characters or Longer
  • Administrator Accounts - 25 Characters or Longer
  • Service Accounts - These NEVER get rotated/changed, so you had better be at 65 characters or longer. As incident responders, we see these used for initial threat actor access - ALL THE TIME!

Here are the excuses we hear about why companies can't use longer character requirements.

  • My users will push back. Honestly, who cares? You are responsible for security and need to legally ensure that Due Care and Due Diligence are used to secure the environment. If you let users dictate an 8-character password length to avoid a little pushback, you may have skin in the game from a liability standpoint should something go wrong.
  • We have legacy systems that won't support proper security. Well, there are a couple of things I can say about that. First, get rid of them. But since we all know that may not happen, create unique accounts for access to those systems, and use fine-grained password policies and network segmentation to confine the weaker settings to a controlled and monitored environment.

Next up is complexity. Do you force your users to include upper, lower, special characters, numbers, and blood from their first-born child in their passwords? Yeah, stop this. Complexity rules tell an attacker which character classes every password must contain, so candidates that don't fit can be skipped entirely - making brute force and other techniques easier. You will also make users happy because they won't need to remember something like "SpringSummer123!". They can use something like "I love to have a cup of coffee with my toast." instead. Easier to remember.

Want to also make your users even happier? Remove forced password changes - or at least make them less frequent. I advise every six months.

Don't forget to have Multi-Factor Authentication in place. If you don't have this already and don't have it in your immediate plans, please give me a shout - and I can arrange for you to spend a little time in 'The Machine'.

Sometimes it is also necessary to put passphrases in jail. Say, for example, someone types the wrong passphrase multiple times; this can be an indication someone is trying to hack the account. What to do, what to do?! Lock it out. I like to say, 5 attempts and it is game over. I also like to say, the employee has to call in to get the account unlocked. Why? Because you can verify whether it was them or someone else trying to log in. From there, you can make smart decisions on how you address the issue. Like G.I. Joe says, "knowing is half the battle."
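As an added example (not code from the original article), here is what the recommendations above look like when expressed as Active Directory fine-grained password policies: 16/25/65 characters by account type, complexity off, six-month rotation, and lockout after five attempts. It assumes the RSAT ActiveDirectory module and domain admin rights; the three group names are placeholders you would swap for your own.

```powershell
# Added example: one fine-grained password policy (PSO) per account tier.
# Assumes the ActiveDirectory module is installed and the three groups below
# already exist (placeholder names - substitute your own).
Import-Module ActiveDirectory

$tiers = @(
    @{ Name = 'PSO-Users';    Precedence = 30; MinLen = 16; Group = 'Standard Users' }
    @{ Name = 'PSO-Admins';   Precedence = 20; MinLen = 25; Group = 'Tier0 Admins' }
    @{ Name = 'PSO-Services'; Precedence = 10; MinLen = 65; Group = 'Service Accounts' }
)

foreach ($t in $tiers) {
    $params = @{
        Name                        = $t.Name
        Precedence                  = $t.Precedence   # lower number wins if an account is in several groups
        MinPasswordLength           = $t.MinLen       # length (passphrases) is where the entropy comes from
        ComplexityEnabled           = $false          # no character-class rules for attackers to exploit
        MaxPasswordAge              = New-TimeSpan -Days 180   # rotate every six months, not every 30 days
        MinPasswordAge              = New-TimeSpan -Days 1
        PasswordHistoryCount        = 24
        LockoutThreshold            = 5               # "5 attempts and it is game over"
        LockoutObservationWindow    = New-TimeSpan -Minutes 30
        # Assumption: a zero duration maps to "until an administrator manually
        # unlocks the account" (the user has to call in); confirm this in ADAC
        # after creation before relying on it.
        LockoutDuration             = [TimeSpan]::Zero
        ReversibleEncryptionEnabled = $false
    }
    New-ADFineGrainedPasswordPolicy @params
    Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Group
}

# Verify which policy actually wins for a given account (placeholder sAMAccountName).
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
```

Accounts in no listed group still fall back to the Default Domain Policy, so that baseline needs the same minimums or the PSOs only protect part of the directory.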

So, was this entertaining enough? Did you learn anything... or do I need to start heading to the tree in the forest with you in a wheelbarrow?


For those that are interested, the movie references in this article are:

  • The Princess Bride
  • Austin Powers
  • The Birdcage

More articles by Ted Joffs

  • Cybersecurity is easy. Bridges are harder.
  • Shodan.IO Enter Here?
  • Take a MS LAPS around the block...
