Password Tip #5: Policy

I’ve been giving you tips to help improve how you handle passwords — the keys to online access. The next step, as a business owner, is to develop a password policy. The purpose of a policy is to inform your employees (and potentially clients) of their expected behavior. If an employee writes down a password and shares it with someone else, whose fault is it? Well, that depends. If you have not trained them, it is your fault. Many people simply don’t know better. Typically people want to do the right thing — if you show them how and help them be successful, they will.

Your policy should inform your employees of acceptable behavior and provide them with guidelines and recommendations to improve their odds of success. As part of the policy, you should have some form of training during the onboarding process. You may also want to provide recurring training — we could all use a reminder now and then.

Good password policy covers:

  • Acceptable password guidelines (characters, length, etc.)
  • Use of unique passwords
  • Password handling techniques (not sharing passwords, not writing them down in unencrypted form; see Tip #3 — you may want to allow passwords to be written down and safely stored in a wallet or purse).
  • Disaster recovery techniques — especially for administrative level accounts

The SANS organization has a fairly decent policy template you can use for passwords: http://www.sans.org/security-resources/policies/Password_Policy.pdf. You could use this as a starting point and modify it to suit your needs.