Question

Discuss some of the successful user password policies that companies have used for their networks. What are some of the challenges that a company faces when it attempts to implement a very secure and stringent password policy?

Solutions

Expert Solution

1) ANSWER:

GIVEN THAT:

Some successful user password policies used by companies for their networks are the following:

PHP or Password History Policy:

  • This policy helps in setting restrictions on how often an old password can be set again.
  • It is implemented with at least 10 passwords used in history.
  • This policy makes the user limit the number of times they use previous passwords.

PAP or Password Age Policy:

  • This policy is used to set a limited time period after which a user is allowed to change the password.
  • Password age helps in preventing users from changing passwords every now and then.
  • Usually, the age set is 7 days but if the users are very prone to modifying the passwords, the age can be increased as well.

PLP or Password Length Policy:

  • This policy helps in determining the total number of characters used in a password.
  • There is a length set for each password so that it is not easy to crack.
  • Usually, for maximum security, the length is set to 14.

Complexity Policy:

  • There are certain complexity requirements that should be met by the passwords according to this policy.
  • Some of the complexity restrictions are to keep the password a mix of alphanumeric and special symbols.
  • The password is restricted to have a name, user name, or any easily identifiable word.

Audit Policy:

  • An audit policy is the best way to help keep track of all the password modifications in the company.
  • The monitoring helps in tracking security problems if any.
  • It also keeps user accountability.
  • If there is any security breach, it helps in offering a piece of evidence.

Email notifications:

  • Email notifications are the best ways to keep users on track with regard to passwords.
  • An automated email notification reminds the user that it is time to change the password.
  • If the password is not changed within the given period of time, it will expire and the user might not be able to log in to the account.
  • These notifications are sent after a time period before the password expires.

Reversible Encryption Policy:

  • Passwords of all the users are stored in a database in the company.
  • It is essential to keep them all encrypted.
  • By encrypting the data, no malicious user will be able to read it.

Companies face the following challenges while trying to implement a secure password policy:

Forced Changes and complexity challenges:

  • Forced password changes are sometimes not taken in a good light by the staff members.
  • They have to change the password after a couple of days and they may demand that this policy be implemented for sensitive accounts only.
  • Even when the passwords are made complex they are not always difficult to crack.
  • For example, a user might want to keep the length 14 and use all the rules of password policy, and the password looks like Name@123@45678, which is not very hard for hackers to crack.

Staff Challenges:

  • It is very important that peers avoid sharing their passwords with each other or with people outside the company. This represents a risk in the future.
  • They should also not write these passwords down on paper etc.
  • Different accounts should have different passwords.

Weak Lock-out:

  • Hackers use brute force to get into systems.
  • They try to use different passwords with different combinations and land on the right one eventually.
  • Lock-out makes sure that after 2-3 attempts the system is locked for some time.
  • If this policy is not strong, a security breach can happen more easily.
