Expanding our global footprint with Ian Thornton Trump as our first CISO in the UK LEARN MORE >

Services

We’re a selected team of skilled cybersecurity professionals who work as an extension of your IT staff, as well as best-in-class technology to add an additional layer of protection to your organization.

View our Managed Services
Ask About Our Outsourced Cybersecurity Program

Our comprehensive outsourced cybersecurity program leverages advanced technology and expert professionals to enhance your security without the need for in-house capabilities.
 

Learn more

Partners

We collaborate with best in the business to ensure our customers receive the highest levels of care and support. These trusted relationships allow us to better serve and educate our customers.

Regional Partner of the Year Award

Partner of the Year Award

Why Inversion6

With an abundance of solutions and providers, the task of choosing the right option is critical and can sometimes be overwhelming.

industry validation

"Thanks to Inversion6, we now have an established protocol and response procedure whenever incidents are detected. Now, we are able to act immediately to prevent a security event from becoming a larger incident."

Read Full Story

Resources

Our experts are thought leaders in the cybersecurity space. From blogs to publications and webinars, check out these resources to learn more about what’s trending in our industry and how you can stay ahead.

Why Cybersecurity Should Be Driving Your Enterprise Risk Management Strategy

By Christopher Prewitt

Read Article
Latest Inversion6 Press

CISO Craig Burland’s latest byline in Cyber Defense Magazine discusses the importance of accountability in cybersecurity.

View Story
August 26, 2019
By: Inversion6

3 Password Policy Best Practice Solutions You Need Right Now

Is your organization upholding password policy best practices? Here are three you can implement right away to keep your organization and users safe.


14 Characters Are No Longer Enough

Microsoft has been building productivity platforms that have powered the world for decades. With more than 180 million users, Office 365 continues to grow — particularly as support for on-premises servers and other technology and a greater emphasis on Cloud-based services. While impressive, this growth has naturally made their platforms the natural target for cybercriminals. And because so many organizations rely on Office 365 and other Microsoft services as part of their technological infrastructure, this naturally makes those organizations at risk of breaches and other cybersecurity issues.

Currently, Windows’ minimum password character length is around 14 characters, though companies can set it lower. (This is not recommended — even the minimum of 8 characters that Microsoft suggests to strike a balance between security and memorability isn’t strong enough an argument in our opinion.) Even if your organization observes this 14-character minimum, it’s important to understand that this is no longer enough. To many, 14 characters might appear to be more than enough — potentially even bordering on too much.

However, simply search “breach,” and you’ll quickly realize that passwords are frequently on both ends of whichever scenario you find: often they’re the source of the attack, and almost always they’re part of the plunder. More than ever, this means that passwords must be given even greater attention — going beyond simply making them more complex. We must take more advanced and even unpredictable actions to ensure passwords remain safe.

Let’s take a look at a few password policy best practices to help strengthen your organization’s identity-based security.

1. Use Passphrases — Not Passwords

Another password policy best practice is the use of passphrases rather than passwords. They might sound the same, but passwords and passphrases are actually different. Passwords consist of letters, numbers, and symbols combined. They can be fairly easy to remember, like Ex4mp13Pa55w0rD — or not, like ijb9v(*H*08iwn4e9sd. The issue here is that most passwords are easily cracked, are already present in databases containing previously cracked or stolen passwords, or can become so complex that there’s no hope of remembering them. (Side note: If it has to be a password, use a vault, too. More on this shortly.)

Passphrases, on the other hand, can include spaces. This means users don’t have to choose the lesser of two evils: 1) a weak, memorable password or 2) an insanely complex string of characters, numbers, and symbols. Instead, the use of longer, multi-word phrases (which can include numbers and symbols) opens the door for even stronger security. An example of a passphrase might be Nothing will work in 2019 unless you do!. Upper- and lower-case letters, numbers, symbols, and spaces are all used — making the phrase incredibly secure, difficult to crack, and longer than the 14-character minimum.

2. Vault Your Passwords

While passphrases can be easier to remember since they’re often sayings or phrases users are familiar with, remember that one of the most important password policy best practices is that no two passwords (or passphrases) should be the same. This means, despite their ease, it’s still going to be difficult for users to remember multiple passphrases. Minor changes between them (such as 2020 instead of 2019 in the example above) won’t cut it. A password vault system will be incredibly helpful for your users, to say nothing of its obvious security benefits.

But we need to go a step further here, too, because simply vaulting the passwords doesn’t mean they’re safe. The vault itself must be kept safe, too. We recently covered password policy best practices when it comes to your organization’s administrators, particularly the practice of rotating passwords between admins. Because the administrators’ passwords will already be secured, they don’t necessarily need to know that their password is changing every few weeks, days, or even hours. However, password rotation ensures that administrators are still able to use your enterprise tools and platforms while having their credentials updated securely.

3. Check for Bad Passwords (Frequently)

If you’re not rotating administrator accounts (and even if you are), consider doing a password crack on your next penetration test. The goal here is to check for password re-use. To do this, you’ll need to match the hash used. Hashes are unreadable character strings that are intended to be one-way, meaning a password is converted into these characters but cannot be converted back. Some hashes are easier to crack than others, but by matching them, you’ll be able to tell if employees are re-using their passwords.

If your penetration test shows this to be the case, a password policy best practice is to blacklist those passwords immediately. Users need to be creating and using new passwords on every reset. Password re-use, while helpful for the user, does nothing for your organization’s security. Note that it’s important to do this with respect for your users and to not breach confidentiality. Don’t match the passwords to user accounts (but do feel free to chuckle at the unique passwords you uncover!).

Take Your Password Policy to the Next Level

At Inversion6, our security experts don’t just make recommendations and walk away. Our chief information security officers (CISOs) partner with you from start to finish, developing password policy best practices alongside organizational leaders, educating your entire workforce on their importance, and collaborating with your IT and security teams to ensure those practices are used and enforced at all times. Fill out the form below to learn more about us and how we can help you.
 

Post Written By: Inversion6
Inversion6 and our team of CISOs are experts in information security, storage, and networking solutions. We work alongside your team to implement technology solutions that are smart, flexible, and customized to fit your needs.

Related Blog Posts

Let's TALK

Our team of experts in information security, storage, and networking works alongside your team to implement technology solutions that are smart, flexible, and customized to fit your needs. Ready to learn how we can help strengthen your technology environment? Fill out the form below to get started.

TALK TO AN EXPERT