Password Policy Compliance
New regulations and compliance frameworks, including the General Data Protection Regulation (GDPR), the NYDFS Cybersecurity Regulation (23 NYCRR 500) and the Cybersecurity Maturity Model Certification (CMMC), have been introduced to help protect consumer and corporate information. Failing to comply, or suffering a breach of personal data, can lead to heavy penalties: under GDPR, administrative fines reach €20 million (about $22 million) or four per cent of global annual turnover, whichever is higher.
The indirect consequences of a security breach should also be considered. The direct financial impact and the fines for non-compliance are often compounded by the loss of consumer confidence in a company or brand, which can be even more costly.
NIST Password Policy Evolution
Passwords remain the foundation of most authentication systems and will continue to be so for some time to come. Yet password breaches are becoming more and more common despite the layers of firewalls, honeypots and detection solutions that get deployed. Adding more complexity rules to passwords frustrates users and encourages them to reuse the same, or similar, passwords across websites and corporate systems. This means a breach on the web can have immediate and serious consequences for security in the enterprise. The legacy password policy needed to change to keep up with modern threats, which is why NIST published new guidelines in 2017 (SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management) for a more appropriate password policy. The highlights included:
- No more enforced composition rules (no "must contain an upper-case letter, a digit and a symbol")
- No more periodic password expiration; passwords change only when there is evidence of compromise
- No more password hints or knowledge-based questions accessible to an unauthenticated user
- Minimum length of 8 characters for user-chosen passwords
- No maximum length, or a large one (at least 64 characters should be allowed), with no truncation
- Expanded character set: all printing ASCII characters, spaces and Unicode characters, including emoji, are accepted
- Every new or changed password is checked against a blocklist of commonly used, expected or compromised passwords, including previous breach corpuses, dictionary words, repetitive or sequential characters and context-specific words such as the user name or the service name
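As an added example, not code from Authlogics or from the NIST document, the following Python check applies the rules above: a minimum length of 8 and a maximum of 64 counted in Unicode code points, no composition rules, NFKC normalization before comparison, and a blocklist check covering a breach corpus, context-specific words (user name, service name) and repetitive or sequential characters. The breach set is a constructed stand-in holding SHA-1 digests of four sample passwords; a real deployment would query a breach database instead. All names and sample inputs are assumptions made for the example.

```python
import hashlib
import re
import unicodedata

# Length rules from SP 800-63B: at least 8 characters for user-chosen secrets,
# and a generous maximum (the guideline says at least 64 should be allowed).
MIN_LEN = 8
MAX_LEN = 64

# Constructed stand-in for a breach database: SHA-1 digests of a few known-bad
# passwords, stored hashed as a real corpus would be. Not real breach data.
_SAMPLE_BREACHED = ["password", "123456789", "qwertyuiop", "letmein1"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_BREACHED
}

_SEQ = "abcdefghijklmnopqrstuvwxyz0123456789"
_SEQUENCES = (_SEQ, _SEQ[::-1])  # forward and reversed runs, e.g. "abcd" / "4321"


def normalize(candidate: str) -> str:
    """NFKC-normalize so visually identical Unicode spellings compare equal
    (SP 800-63B recommends normalizing before hashing or comparing)."""
    return unicodedata.normalize("NFKC", candidate)


def is_breached(password: str) -> bool:
    """Look the SHA-1 of the candidate up in the (constructed) breach set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def has_repetition_or_sequence(password: str, run: int = 4) -> bool:
    """Flag runs such as 'aaaa' or '1234' / 'abcd' (and their reverses)."""
    lowered = password.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), lowered):  # same char, `run` times
        return True
    for i in range(len(lowered) - run + 1):
        chunk = lowered[i:i + run]
        if any(chunk in seq for seq in _SEQUENCES):
            return True
    return False


def check_password(candidate: str, username: str = "", service: str = "") -> list:
    """Return a list of policy violations; an empty list means the password is
    acceptable. Deliberately no composition rules (no 'must contain a digit')."""
    password = normalize(candidate)
    problems = []

    # len() counts code points, so 'ä' or a single-code-point emoji is one
    # character; emoji built from several code points count as several, which
    # is still more generous than counting bytes.
    length = len(password)
    if length < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    if is_breached(password):
        problems.append("found in breach corpus")

    lowered = password.lower()
    for word in (username, service):
        if word and word.lower() in lowered:
            problems.append("contains the user name or service name")
            break

    if has_repetition_or_sequence(password):
        problems.append("repetitive or sequential characters")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the passphrase passes with no upper case,
    # digits or symbols, while the short, breached and sequential ones fail.
    for pw in ["correct horse battery staple", "password", "Pässwörd🔑!", "1234abcd"]:
        result = check_password(pw, username="alice", service="example")
        print(repr(pw), "->", result or "OK")
```

The blocklist is applied to the normalized form, so a breach-corpus entry typed with a decomposed accent still matches. Note that the sequence check is one of the optional blocklist items in SP 800-63B rather than a mandatory rule; it is included here because the guideline gives "1234abcd" as an example of what the list may contain.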
Getting compliant and staying secure with Authlogics
The Authlogics Password Breach Database is a large and comprehensive compilation of over 4 billion unacceptable and compromised credentials, including 1.2 billion unique clear-text passwords, and supports real-time lookups and data analytics.
Authlogics Password Security Management (PSM) is powered by the Authlogics Password Breach Database to ensure that any password change is checked in real-time. There is no need to install extra software on workstations and all password change attempts are logged centrally for auditing and reporting purposes.
PSM has been specifically designed to meet and exceed the NIST SP 800-63B guidelines for password compliance. It can be deployed in minutes on corporate network servers and enforces a compliant password policy as soon as a user changes their Windows password, without requiring any desktop software.
Authlogics Multi-Factor Authentication (MFA) is a complete and easy-to-deploy Multi-Factor Authentication, password replacement and single sign-on solution for on-premises and cloud applications. Our rapid deployment and multi-token and tokenless technology approaches have helped customers move beyond passwords to a simpler and more secure environment.
Use PINgrid, PINphrase, PINpass, biometrics or YubiKey to deliver single-factor, deviceless OTP or Multi-Factor Authentication in multiple combinations for total flexibility.
What changes do I need to make to my security processes?
Regulations and frameworks, including GDPR and CMMC, follow some common principles that also apply to best practice when implementing a corporate security policy. The following steps will make you more secure and reduce your risk of being negatively affected by data protection legislation.
1. Determine if the legislation applies to you. If you do business with, or handle personal information for, citizens based in the area covered by the legislation, or work with government and military, then it is highly likely that the regulations apply to you. Systems that hold personal or financial data are highly likely to be covered by the new guidance.
2. Determine how to apply the legislation. Be aware of all aspects of the legislation, such as any requirement to encrypt certain data and how decryption keys should be stored. GDPR explicitly refers to the principles of “privacy by design” and “privacy by default”. Determine the parties responsible for applying this legislation.
3. Make sure the basics are in place first. Ensure that desktop machines are password-protected and have a good anti-virus package installed. As the WannaCry incident showed, it is essential to keep them up to date with the latest Microsoft patches. Ensure your password policy follows the latest NIST guidelines and that no user has a password that has already been compromised on the web.
4. Augment and improve existing security. In the event of a security breach, it is usually up to the company to show that current and reasonable best practice has been followed. Poor password management makes an attacker's job easier. Multi-Factor Authentication further reduces the risks of a password-only approach to authentication.
5. Ensure you have robust auditing and accountability. Legislation around data protection, such as GDPR, requires that companies show that they use a framework to continuously monitor compliance, as opposed to a single ‘point in time’ audit process. This turns out to also be a sensible approach to data security. Ensure that your systems can continuously report the status of items such as password compliance and usage of Multi-Factor Authentication.