Kevin Casey of InformationWeek magazine wrote a bit on "9 Password Security Policies For SMBs", and though the 9 are mostly OK, I would add the following to each of the 9 password items mentioned:
1. Password complexity - Should or must be set by GPO or via the OS, application and database where available to force policy compliance.
2. Password reuse - Can you say LastPass... but really, you can't force users to use unique passwords for each website. For LastPass users, though, the LastPass password challenge web page helps to educate the user about the impact of reuse. Now you just need to test everyone in your organization once they use it, to convince them to change their passwords to be unique wherever possible. Link: LastPass User Security Challenge
3. Change passwords regularly - 30 days? Uhh... if you force a long, complex password (meaning 12 characters or more, all 4 character sets: aA1!) via the GPO, OS, app or DB level, rotation is not necessary. 90 days is plenty internally, and two (2) times per year for Internet-accessible apps (Expense Watch, SalesForce and Marketo do this now). Logging and monitoring of Internet-facing systems further mitigates this risk, as hopefully failed and successful login attempts are being recorded with some alerting.
4. Email accounts - If your email is not tied to AD or some forced policy, use 2-factor authentication like Google Authenticator for cloud-based email.
5. Restrict app settings - Anything Internet-facing should or must have strict password policies enforced, or p0wnage will occur. For mobile devices in the enterprise, use Mobile Device Management to enforce policy on iDevices, Droids and BBerrys.
6. Password wallet - LastPass again - Yeah!! - You CAN have different passwords for each login... a GREAT thing. It remembers the URL, username and password of your web-based apps. You can share logins too and create secure notes. It also syncs to mobile devices. The only wallet you will ever want or need. Don't forget to use 2-factor authentication with the FREE Google Authenticator app on your smart device, or a YubiKey. I use both!
7. Device locking - Who doesn't use a screensaver? On all PCs and laptops enable a 5 minute screensaver lock... OK... 10 minutes at most. Set autolock on handhelds and smartphones to 5 minutes... seriously! Use GPO or the OS and app settings, and a Mobile Device Manager like BoxTone for your phones and smart devices.
8. Jailbroken or rooted devices - I agree, block them from corporate use. Too bad for you... get a personal device if you want to do this, but it is not acceptable for corporate devices - period!
9. Exit apps - It has been shown that web/browser-based apps that don't time out can be tabnabbed or hit with XSS from the user surfing on other sites, letting an attacker steal session and cookie info... Short timeouts for web-based user interfaces are a good thing... annoying to log in again, but a good thing. Don't save username or password info in mobile apps... and time them out after 15 minutes. A pain, I know, but if all I have to guess is your password... bummer for you. Browsers will sandbox this in the future. Look at the way HootSuite terminates your session for an example. I blogged about this app's session timeout here: Session TimeOut Post
Just some education and things to ponder as you develop and administer your enterprise, SMB or even home systems. Link: InfoWeek article