Password Security Best Practices

There have been many security and data breaches recently in which individuals' email accounts were hacked and sensitive data such as credit card numbers, social security numbers and driver's license numbers were stolen from companies of all sizes. Here is a list of some of the largest data breaches of all time.

  • Anthem, 2015: 69 million to 80 million records compromised
  • Home Depot, 2014: 56 million payment cards compromised
  • Target Stores, 2013: 110 million records compromised
  • Sony online entertainment services, 2011: 102 million records compromised
  • Heartland Payment Systems, 2008-2009: 130 million records compromised
  • National Archive and Records Administration, 2008: 76 million records compromised
  • Epsilon, 2011: 60 million to 250 million records compromised

Although we can't be 100% secure, there are steps we can take to minimize our exposure or at least deter hackers from breaking into our private accounts. In this article, I will discuss the password configuration settings that will help you sleep better at night. The following best practices are geared towards server settings in enterprises. For personal password security best practices, read how to create strong, secure passwords.

  • User passwords expire at most after 90 days.
  • User passwords must be a minimum of eight characters.
  • Password complexity is enabled, with passwords required to contain both numeric and alphabetic characters, including upper and lower case letters.
  • New passwords cannot be the same as any of the past four or more passwords (i.e., password history greater than four).
  • Accounts are locked out after no more than six invalid login attempts.
  • An invalid login attempt lockout lasts at least 30 minutes or until an administrator reactivates the account.
  • User sessions terminate or lock after, at most, 15 minutes.

By the way, these settings are fully compliant with PCI DSS.

Run the following commands to review your password/authentication settings:

  • Windows: "SecEdit /export /cfg C:\outputfile.txt"
  • Cisco IOS: "show run"; the minimum length is set via "security passwords min-length"
  • *nix: various settings, usually under "/etc/pam.d/"
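The SecEdit export above is a plain INI-style file, so the settings list can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original article: it parses the [System Access] section of a SecEdit export (the sample below is constructed, not taken from a real host; a real export is UTF-16 and must be decoded first) and compares the values against the six settings from the list that SecEdit reports. The 15-minute session lock is a screen-saver/session policy that does not appear in this section, so it is not checked here. The special values SecEdit uses are handled explicitly: MaximumPasswordAge of -1 means "never expires" (a failure), LockoutBadCount of 0 means lockout is disabled (a failure), and LockoutDuration of -1 means "until an administrator unlocks" (allowed by the policy).

```python
"""Audit a SecEdit security-policy export against the password settings
listed in the article. Added example; the sample export is constructed."""
import configparser

# Constructed sample in the layout that "SecEdit /export /cfg <file>" writes.
# A real export is UTF-16 encoded; decode it before passing it to parse_secedit().
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 180
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""


def _to_int(value):
    """SecEdit writes mostly integers; leave quoted strings as strings."""
    try:
        return int(value)
    except ValueError:
        return value.strip('"')


def parse_secedit(text):
    """Return the [System Access] section of a SecEdit export as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as SecEdit writes them
    cp.read_string(text)
    return {key: _to_int(val) for key, val in cp["System Access"].items()}


def audit(settings):
    """Compare settings to the policy. Returns a list of (name, ok, detail)."""
    findings = []

    # Passwords expire at most after 90 days; -1 means they never expire.
    age = settings.get("MaximumPasswordAge", -1)
    findings.append(("MaximumPasswordAge", 0 < age <= 90,
                     f"{age} days (max 90; -1 = never expires)"))

    # Minimum of eight characters.
    length = settings.get("MinimumPasswordLength", 0)
    findings.append(("MinimumPasswordLength", length >= 8,
                     f"{length} characters (min 8)"))

    # Complexity enabled (1) so numeric plus mixed-case letters are required.
    cplx = settings.get("PasswordComplexity", 0)
    findings.append(("PasswordComplexity", cplx == 1,
                     f"{cplx} (1 = enabled)"))

    # Password history of at least the last four passwords.
    hist = settings.get("PasswordHistorySize", 0)
    findings.append(("PasswordHistorySize", hist >= 4,
                     f"{hist} remembered (min 4)"))

    # Lock out after no more than six bad attempts; 0 disables lockout entirely.
    bad = settings.get("LockoutBadCount", 0)
    findings.append(("LockoutBadCount", 0 < bad <= 6,
                     f"{bad} attempts (1 to 6; 0 = no lockout)"))

    # Lockout lasts at least 30 minutes, or -1 = until an administrator unlocks.
    # When lockout is disabled the key may be absent, which also reads as a failure.
    dur = settings.get("LockoutDuration", 0)
    findings.append(("LockoutDuration", dur == -1 or dur >= 30,
                     f"{dur} minutes (min 30; -1 = until admin unlocks)"))
    return findings


def failing(text):
    """Names of the settings in a SecEdit export that fail the policy."""
    return [name for name, ok, _ in audit(parse_secedit(text)) if not ok]


if __name__ == "__main__":
    for name, ok, detail in audit(parse_secedit(SAMPLE_EXPORT)):
        print(f"{'PASS' if ok else 'FAIL'}  {name:<22} {detail}")
```

Run against the constructed sample, the script flags the 180-day expiry, the 7-character minimum and the disabled lockout; the other three settings pass. To audit a real host, read the file SecEdit wrote with `open(path, encoding="utf-16")` and pass its contents to `parse_secedit`.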
