How to Make Your Passwords Pass Audits

Control of the Week #7: Password Control

This week’s control is on passwords. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why user password control is important and how you can implement it for your audits.

Why this control is important

AC5.0 User Passwords Applications: Unique user IDs and passwords are required in order to gain access to the application production environment. The following password policies are enforced globally for user accounts:

  • Minimum password length: 8 characters
  • Password complexity: Enabled
  • Lockout attempts: 5-10 attempts
  • Lockout duration: 60 minutes
  • Multi-Factor Authentication

Passwords are linked to many controls (especially for SOC 2) and all access controls (e.g. user access review) lose their effectiveness when passwords are weak. And, you always have to consider different risk aspects (e.g. remote access, admin access) and have different password policies for each kind of access.

How to implement this control for your audits

This control is straightforward because the auditors spell out exactly what they’re looking for (see the policy list above). Here are best practices to make your org more secure (and boost your chances of passing!):

  • Conduct a risk assessment: know what you are protecting and be able to defend it.
  • Hash your passwords: common sense recommendation, but if common sense were so common, wouldn’t everyone have it? In all seriousness, not hashing passwords happens more often than you think.
  • Passwords for administrators: don’t share passwords – use a password manager like 1Password or Dashlane instead.
  • Passwords for your customers: allow your customers to decide what’s best for them via user entity controls (controls that your customers have to have in place in order to meet the basic security requirements).
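The AC5.0 policy values listed above (minimum length 8, complexity, lockout after failed attempts, 60-minute lockout) and the “hash your passwords” recommendation, turned into a small reference implementation. This is an added example, not code from the post or from Tugboat Logic; it assumes the low end of the 5-10 lockout range, reads “complexity” as three of four character classes, and picks a PBKDF2-SHA256 work factor of 600,000 iterations.

```python
import hashlib, hmac, os, re
from typing import Dict, Optional, Tuple

# Policy values from the AC5.0 list above; 5 is the low end of the 5-10 lockout range.
MIN_LENGTH = 8
LOCKOUT_ATTEMPTS = 5
LOCKOUT_SECONDS = 60 * 60      # 60-minute lockout duration
PBKDF2_ITERATIONS = 600_000    # assumption: current PBKDF2-SHA256 work factor

def meets_policy(password: str) -> bool:
    """Min length 8 plus 'complexity', read here (assumption) as at least
    three of: lowercase, uppercase, digit, symbol."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

class LockoutTracker:
    """Consecutive failures per user; lock after LOCKOUT_ATTEMPTS for LOCKOUT_SECONDS."""
    def __init__(self) -> None:
        self.failures: Dict[str, Tuple[int, float]] = {}  # user -> (count, last failure time)

    def is_locked(self, user: str, now: float) -> bool:
        count, last = self.failures.get(user, (0, 0.0))
        return count >= LOCKOUT_ATTEMPTS and now - last < LOCKOUT_SECONDS

    def login(self, user: str, stored_hash: str, password: str, now: float) -> str:
        """Return 'locked', 'ok' or 'bad'; success clears the counter."""
        if self.is_locked(user, now):
            return "locked"            # refuse without checking the password
        if verify_password(password, stored_hash):
            self.failures.pop(user, None)
            return "ok"
        count, last = self.failures.get(user, (0, 0.0))
        if count >= LOCKOUT_ATTEMPTS and now - last >= LOCKOUT_SECONDS:
            count = 0                  # expired lockout: start a fresh count
        self.failures[user] = (count + 1, now)
        return "bad"
```

Note that `login` returns "locked" without evaluating the password, so even the correct password cannot be confirmed during the lockout window; in a real system the counter would live in a shared store rather than in process memory.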

As always, give us a shout if you have any questions about the controls and how to implement them.