Article posted courtesy of: Thycotic

1. Take the human element out of the equation whenever you can – Use a password manager that doesn't require a user to remember their password to log in to sensitive systems.

2. Remove unnecessary password rotations – I'm going to side with NIST's proposed password security policy changes on this one. Your organization should practice a strong password policy, but forcing users to pick a new password themselves leads to predictable patterns in passwords. If you have a password manager, automatic rotation is fine, because there is no downside to the practice when a piece of software is handling it.

3. Be careful with overly complex requirements – Remember, the harder you make a password to remember, the faster your employees will find shortcuts to remember it. If your password policy requires a capital letter, a lower-case letter, a special character, a number, no two consecutive letters or numbers, and a length of 12 characters, there is no way I'm going to remember that password. Never. Ever.

4. Two-factor authentication – Two-factor authentication (2FA) needs to become a mandatory requirement for anything that requires a password, with an alerting system that fires when a password is attempted without 2FA (an early sign of password compromise). Personally, I've had numerous accounts saved from breach by 2FA. There aren't many ways for attackers to get around it, and honestly, their time is better spent going after accounts that don't have 2FA.

5. Don't think like an admin – Ask what the average employee will do. Yes, they should protect their passwords. Yes, the passwords should all be unique. Yes, they should make them hard to guess.

Do you have a watertight enterprise password policy in place? Check out this free privileged password policy template; you can customize it to suit your organization.
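Point 4 above asks for an alert whenever a password succeeds but no second factor follows. The following is an added example of that detection logic, not code from Thycotic or from the article: it assumes a hypothetical authentication service that logs the password step and the MFA step as separate `key=value` lines, and the sample events below are constructed for illustration. A successful password step with no successful MFA step for the same user within the window is reported as a password-only login.

```python
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs). The assumed format is one
# event per line: ISO timestamp followed by key=value fields.
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01Z user=alice step=password result=ok src=10.0.0.5",
    "2024-05-01T08:00:09Z user=alice step=mfa result=ok src=10.0.0.5",
    "2024-05-01T08:03:22Z user=bob step=password result=ok src=203.0.113.9",
    "2024-05-01T08:05:00Z user=carol step=password result=ok src=10.0.0.7",
    "2024-05-01T08:06:30Z user=carol step=mfa result=ok src=10.0.0.7",
    "2024-05-01T08:10:15Z user=dave step=password result=ok src=198.51.100.4",
    "2024-05-01T08:10:40Z user=dave step=mfa result=fail src=198.51.100.4",
]

# How long after a password success we expect the second factor to complete.
MFA_WINDOW = timedelta(seconds=120)


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *kvs = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def find_password_only_logins(lines, window=MFA_WINDOW):
    """Return alerts for password successes with no MFA success in the window.

    Events are sorted by time first, so out-of-order log delivery does not
    hide a missing second factor. A failed or absent MFA step both count as
    'password attempted without 2FA'.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    for i, event in enumerate(events):
        if event.get("step") != "password" or event.get("result") != "ok":
            continue
        deadline = event["ts"] + window
        mfa_completed = any(
            later.get("user") == event.get("user")
            and later.get("step") == "mfa"
            and later.get("result") == "ok"
            and later["ts"] <= deadline
            for later in events[i + 1:]
        )
        if not mfa_completed:
            alerts.append({
                "user": event.get("user"),
                "src": event.get("src"),
                "ts": event["ts"].isoformat(),
                "reason": "password accepted without completed 2FA",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_password_only_logins(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, this flags bob (no MFA step at all) and dave (MFA failed) while alice and carol, who completed MFA inside the window, are not reported. In a real deployment the window and field names would be adjusted to the authentication service's own log schema.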