Security Think Tank: Some basic password guidelines

For quite a few years now, the view I’ve taken on passwords is that I don’t mind if they are written down, but that statement does need some explanation.

Of course, passwords should not be on post-it notes stuck on a monitor, under a keyboard or inside a person’s desk drawer.

My recommendation is to write passwords on a credit card sized piece of stiff paper or cardboard that is kept at all times in a person’s purse or wallet.

Also that the password and the user ID are NOT on the same piece of paper and that any password is at least 12 complex characters, that is upper and lower case alphas, numerals and where permitted printable symbols such as ! and -  (but not & or other SQL [structured query language] recognisable characters) and should not be a recognisable word or well-known abbreviation.

A password longer than 12 characters is to be recommended, such as using a pass phrase, but many systems today still have a limit of 16 characters. 

Following the above recommendations does, in my book, mean that password expiry periods can be extended from the usual 30 days to 90 days.

When should you look at adding two-factor authentication (2FA) of a user? My recommendation here is that 2FA is deployed where it is possible to access sensitive information, be it company sensitive or personal sensitive.

2FA could be a global requirement for accessing a company's network, such as sending a one-time code via text to a person’s mobile at network log-on time, or it could be a secondary log-on when a person attempts to access a system containing sensitive data.

The approach taken will depend on a cost against risk analysis and value at stake (of the sensitive data). .......   ....   ....