Layer7 Access Management

Expand all | Collapse all

What are some best practices suggested for Password Rotation

  • 1.  What are some best practices suggested for Password Rotation

    Posted 01-18-2017 11:36 AM

    What are some documented best practices for password rotation.  Is there a whitepaper or published brief to support this best practice



  • 2.  Re: What are some best practices suggested for Password Rotation

    Posted 01-22-2017 07:37 PM

    Hi,

    What CA product are you referring to? I think there's different based on what product you are using.

     

    Regards,

    Kar Meng



  • 3.  Re: What are some best practices suggested for Password Rotation

    Posted 01-23-2017 04:08 PM

    There is no right answer to this question.  

     

    BEST:

    • Randomly generated
    • mix of Alphabet, numbers, characters, mixed case
    • very, very long
    • Changed very frequently

     

    WORST

    • No password
    • password never changes
    • password is easily remembered (name, address, etc)

     

    Best is not always functional.  Worst is insecure.  Somewhere in-between the organization decides what best meets it's needs.  

     

    Length: How long is too long or too short?

    Retention:  How frequent is too frequent, or not frequent enough?

    Complexity: How complex should it be?

    Black Lists: What words or combination or words should be disallowed.

     

    Passwords which are too complex and change too frequently may cause an increase in lockouts, resets, and possibly calls to the helpdesk.  Too simply or change to infrequently could pose a security risk.  CA Siteminder/Single Sign On will allow you to tune your Password Policies to meet the needs of your organization.

     

    Suggestions:

     

    • Password uses a combination of alpha-numeric, upper case and lower case, and symbols
    • Don't use First or Last Names or yourself, family or friends
    • Don't use company names, product names, or network names
    • Don't use public information about yourself such as hobbies, sports, etc.
    • Don't use keyboard patterns (e.g. QWERTY, qweasd, 12345, etc)
    • Don't append an existing passwords with ever increasing integers.  (R0man117, R0man18, R0man19, etc)
    • Don't use words that can be found in the dictionary