The following example password policy takes into account the state of the art about the performance and capabilities of various types of attacks on cryptographic systems in 2020. If possible, I will try to update it (when it turns out that it is already too weak).
Static passwords in IT systems should:
- be of not less than 12 characters in length;
- contain characters from at least three of the following four categories:
- large characters A to Z
- characters small from a to z
- digits 0 to 9
- special characters (e.g. !,.$^)
- Be different from the 1,000 most popular passwords
- Do not include words that are your login, company name, app name, email address, name, username;
- be stored in a secure form using functions such as bcrypt or PBKDF2;
A lot of useful information about password policy and correct and secure implementation of the authentication process can be found in the materials OWASP – Authentication Cheat Sheet
In most cases, you don't know how your passwords are stored on websites. Your administrator may not have implemented any mechanisms to protect your data. That's why you have to keep them safe. To protect yourself from the scenario of leaking your password from a website and the attacker using that password on another portal where you have an account, you should use a different password on each page. Given the multitude of portals in which we rotate nowadays and the complexity of the slogans quoted in the above policy, it is eriterity to remember them all. Here, a password manager comes to our aid. You remember one complicated password, and the rest will take care of it. One of the safe and recommended password managers is KeePass.
Using password managers has a number of additional benefits, such as:
- Automatically generate complex, secure passwords
- Automatic backups
- Access your passwords on multiple devices (e.g. via gdrive)
- The ability to synchronize data between devices;
- Automatic data encryption
- automatic filling in of forms on websites;
To further enhance the security of our data, it's a good idea to run two-factor authentication wherever possible. For many years, this service has been available on services such as Facebook, Gmail, and recently banks have joined this group as a result of legal requirements. An additional factor of authenticity, e.g. in the form of a sms code that comes to your phone, significantly increases the level of security of your account.
Passwords surround us everywhere. With the ever-increasing trend of online attacks, it is worth improving the level of security of your data. Introducing a password policy is a good way to do that.