Passwords in Compliance Standards

Compliance standards (PCI, HIPAA, SOX, e-discovery) have similar goals, and the question is what your password policy should be to satisfy both compliance and your own security risk profile.

[Images from the PCI standards document, the Adobe Images site (HIPAA), Forbes (SOX), and (e-discovery)]

How many characters? Should there be special characters beyond alphanumeric? An uppercase requirement?

And most important: how often should the password be changed?

The point of changing a password every so often is that any account can be swept up in a mass password breach, and rotation limits how long a leaked credential stays usable.

Consider the large hacks¹ that succeeded and were documented (on this site as well), like the OPM (Office of Personnel Management) breach.

If you ever applied for or worked with the federal government and logged on to government computers, you should assume that your username and password combination is now in attackers' databases.


So the point is not just "do it for compliance" but to ensure that only you know the password, and not the hackers around the world selling your credentials to the highest bidder on the darknet.

THUS WE HAVE TO change passwords even though most users do not want to, even if it is only twice a year. To keep tech support load as low as possible, password changes need to be rolled out in a manner that scales to the number of users and tech support personnel.

For PCI the emphasis is on changing default passwords (Requirement 2.1), which is a no-brainer in the cyber security industry, but what about setting up the password itself? Is there a suggestion?


The recommendation is for screen savers (re-authenticate after 15 minutes of idle time, Requirement 8.1.8), and in section 8.2 the guidance column has this information:

“Since one of the first steps a malicious individual will
take to compromise a system is to exploit weak or
nonexistent passwords, it is important to implement
good processes for authentication management.”

So the guidance column itself sets no specific strength rule, only that authentication management be "a good process, not weak". The requirements next to it do set a floor, though: 8.2.3 asks for at least seven characters with both letters and numbers, and 8.2.4 for a change at least every 90 days. A floor is all it is; the rest of this post argues for more.

So what does the industry say for password strength?


The above image is a staple for anyone discussing this topic; even if you don't agree with it you have to be aware of it. Randall Munroe drew the cartoon above, and others, at xkcd, and it will be forever immortalized within the IT industry.

There are others out there who reject this method, i.e. making easy-to-remember "looong" passwords such as 27 characters made of four words.


For example, Diagomonica discusses password managers, which work well for single desktop or laptop usage but not so much across a tablet, phone, desktop, laptop, work desktop and more.

I want to veer toward the concept of being "more" secure rather than just "compliant", especially since the other standards expect you to keep data visible only to the people who are supposed to see it; that requires authentication, and hence passwords.


How about Malwarebytes Labs², which has several more tips:

They keep it simple and say the password should be "long" and not written down anywhere, but I think this is the most important bit: it should not include personal information (kids' names, the dog's name, or other items from your Facebook account).

MOST important: DO NOT reuse passwords across multiple sites (otherwise the hackers who breach one of those sites now have access to all of your accounts).

Log out of online accounts, since a session cookie left behind can be stolen and replayed to take over the account as well.

I think if we agree the password should be "long", then we need to make it longer than it has been, i.e. more than 8 characters. So it should be 12-16 characters and use upper and lower case characters, not necessarily just the first letter capitalized.

So you can create a security policy requiring at least 12 characters, upper and lower case, with at least one number, and that would be better than most. Use a password manager at work.


In fact you could have super-strong passwords for the accounts that matter and basic passwords on sites that do not matter as much. As long as you have a different password on each site (even hundreds), this method will work. But in a corporate environment we cannot assume this.

The toughest thing is to have different passwords for all of the places you log in to, since that can easily reach hundreds of sites. Personally I like to keep a select list of 2-3 off the computer; they let me into the password manager, and I treat them like important papers that go into a safe. From there the rest can be copied and pasted from the password manager.

In a corporate environment it is important to have more parameters than that. So sticking with a minimum of 12 characters is a start, and requiring capitals and numbers is also good.

What do people use as passwords with no direction?

There are documented cases from the hacks of different places; one interesting one is the LinkedIn hack³ in 2012, which stole 6.5 million accounts.


So if you look at the list at LeakedSource, three-quarters of a million passwords were '123456', so 11% of all the passwords stolen were that simple. Of course the rest of the top 10 are just as ridiculous.

We must help employees with suggestions and tips, and with the hacks as worst-case scenarios.

Ensuring that employees have different passwords on all sites is impossible. What one can do is run basic password-cracker software against the password files in the network (this has to be done very carefully, on a copy and with authorization) and then notify the employees how well they did. You may also want to review passwords for how easy they are to crack, i.e. test the password file against a standard dictionary of passwords. It is amazing how many people will have similar passwords, and in that case a hacker can guess your password easily.
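The following is an added example, not code from the original post, showing both the 12-character upper/lower/digit policy described earlier and the dictionary audit of a password file described just above. It assumes the password file stores unsalted SHA-1 hashes (the scheme LinkedIn used in 2012, and the reason a dictionary run against it is cheap); the usernames, hashes and the tiny word list are constructed for the demo, and a real audit would use a tool such as hashcat or John the Ripper with the organisation's actual hash format and a full breach list.

```python
"""Password-policy check plus a dictionary audit of an unsalted SHA-1
password file. Added example; all data below is constructed."""
import hashlib
import re
from typing import Dict, Iterator, List, Tuple

# Policy from the post: at least 12 characters, upper and lower case,
# and at least one digit.
MIN_LENGTH = 12


def meets_policy(password: str) -> Tuple[bool, List[str]]:
    """Return (ok, list of failed rules) for a candidate password."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    return (not failures, failures)


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the assumed storage format for this demo."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed password file: username -> hex digest. Made-up users.
PASSWORD_FILE: Dict[str, str] = {
    "alice": sha1_hex("123456"),
    "bob": sha1_hex("Summer2016"),
    "carol": sha1_hex("correcthorsebatterystaple"),
    "dave": sha1_hex("Xq7!vL2#pR9mZt"),
}

# Constructed mini word list; a real run uses a breach top-N list plus a
# language dictionary. Note the xkcd passphrase is in every such list.
WORDLIST: List[str] = [
    "123456", "password", "linkedin", "summer2016",
    "correcthorsebatterystaple", "qwerty",
]


def mangle(word: str) -> Iterator[str]:
    """A few rules a cracker applies: as-is, capitalised, common suffixes."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2016"):
        yield word + suffix
        yield word.capitalize() + suffix


def audit(password_file: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Map each user whose hash matches a candidate to the recovered plaintext.

    Hash every candidate once into a lookup table, then scan the file.
    Because the hashes are unsalted, one table serves every user, which
    is exactly why unsalted storage is a bad idea."""
    table: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            table.setdefault(sha1_hex(candidate), candidate)
    cracked: Dict[str, str] = {}
    for user, digest in password_file.items():
        plain = table.get(digest.lower())
        if plain is not None:
            cracked[user] = plain
    return cracked


def report(password_file: Dict[str, str], wordlist: List[str]) -> List[str]:
    """Per-user lines for notifying employees: cracked or not, and which
    policy rules the recovered password breaks."""
    cracked = audit(password_file, wordlist)
    lines = []
    for user in password_file:
        if user in cracked:
            ok, fails = meets_policy(cracked[user])
            status = "CRACKED" + ("" if ok else " (" + "; ".join(fails) + ")")
        else:
            status = "not in wordlist"
        lines.append(f"{user}: {status}")
    return lines


if __name__ == "__main__":
    for line in report(PASSWORD_FILE, WORDLIST):
        print(line)
```

Run it and three of the four constructed accounts fall: the top-10 favourite, a capitalised season-plus-year, and the xkcd passphrase, which is long but is now in every word list, so length alone is not the whole story. Only the recovered plaintexts are ever shown to their owners; discard them once the notifications go out.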

Having a good policy is a step in the right direction, but it also must be communicated well.

Fortunately there is a great event that can highlight these points:

October is National Cybersecurity Awareness Month

Contact me to discuss your security policy and/or to review other tests to your network.