There are two reasonable approaches for password policies for most organizations. Coalition recommends (1) below but as long as an organization picks a policy and works to enforce it, the organization will benefit.
(Note: since June 2017, it’s no longer best practice to require arbitrary password changes, per the National Institute of Standards and Technology, a division of the US Department of Commerce.)
- Stronger passwords that change less frequently (example: 15+ character passphrases that change annually)
- Weaker passwords that change more frequently (example: 8+ character passwords that change quarterly)
Default or vendor supplied passwords should never be used for software or hardware devices. Always change these passwords immediately to something more secure, following your organization’s policy.
Set your organizational policy (in writing) to require strong authentication for remote access to sensitive information, which might include email. Strong authentication means at least sufficient password strength but Coalition also recommends Multi-Factor Authentication wherever possible.
As always, Coalition is here to help you on your way. Please reach out to us for additional information!