Q: What are the current industry-standards for IT password policies?

A: The great thing about standards is there are so many to choose from 😉

The industry standard that most businesses and individuals can pay attention to is the NIST SP-800-171. This details IT security standards for non-federal organizations. This is what federal contractors, health-care providers, law firms, and pretty much everyone else can use to meet compliance.

This document contains over 100 line items regarding IT security, and I won’t attempt to put you to sleep repeating all of them here. The ones relevant to passwords include:

  1. Passwords should be a minimum of 15 characters in length. Note there is no mandate for complexity (mixing upper and lower case, numbers, and special characters). Best to use an easy-to-remember, easy-to-enter phrase.
  2. Use a unique password for each service.
  3. Use a secure, encrypted method of storing your passwords. This can be a password manager such as LastPass, or a password-protected spreadsheet.
  4. Do not share your password with anyone. In most cases, this means even your boss.
  5. Use 2-Factor Authentication or Multi-Factor Authentication whenever it is available.
  6. If you suspect someone has gained knowledge of your password, change it immediately.
  7. The debate over how often to change passwords is still raging, but at the moment, there is no NIST standard for doing so. I recommend changing once per year.
  8. Although not a NIST standard, I recommend checking https://haveibeenpwned.com and https://hacked-emails.com monthly to see if any of your accounts have been compromised. If so, immediately change the passwords for those accounts.
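As an added example (not part of the answer above), this Python sketch turns points 1 and 8 of the list into a checker: a 15-character length floor with no complexity classes, plus a breached-password lookup in the k-anonymity style of the Have I Been Pwned Pwned Passwords range API, where only the first five hex characters of the SHA-1 leave the client. The `fake_range_lookup` function and the `_SAMPLE_BREACHED` corpus are constructed stand-ins for the real network call so the code runs offline.

```python
import hashlib

MIN_LENGTH = 15  # length floor from the answer; no character-class rules on purpose

# Constructed sample breach corpus (not real HIBP data): plaintexts a breach
# dump might contain, with how many times each was seen. Used only to build
# the fake "range" response below.
_SAMPLE_BREACHED = {
    "letmein": 250000,
    "password123456789": 4211,
    "correct horse battery staple": 37,
}

def sha1_upper(password):
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_lookup(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}:
    returns 'SUFFIX:COUNT' lines for every sample hash sharing the 5-char prefix."""
    lines = []
    for pw, count in _SAMPLE_BREACHED.items():
        h = sha1_upper(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)

def breach_count(password, range_lookup=fake_range_lookup):
    """k-anonymity check: send only the 5-char prefix, match the suffix locally."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def evaluate_password(password, range_lookup=fake_range_lookup):
    """Apply the answer's policy: length floor and a breach lookup.
    Returns a list of findings; an empty list means the password is acceptable."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short: {len(password)} < {MIN_LENGTH}")
    seen = breach_count(password, range_lookup)
    if seen:
        findings.append(f"appears in breach data {seen} times")
    return findings
```

Swapping `fake_range_lookup` for a function that performs the real HTTPS request keeps the rest of the logic unchanged, since the response format is the same.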