Technology Encyclopedia Home >How to formulate a password policy to fix weak password vulnerabilities?

How to formulate a password policy to fix weak password vulnerabilities?

Created on 2025-09-02 18:41:17
40

To formulate a password policy that effectively addresses weak password vulnerabilities, follow these key steps and best practices:

1. Define Minimum Password Requirements

Enforce strong password composition rules to prevent easily guessable or common passwords.

  • Minimum length: Require at least 12–16 characters (longer passwords are harder to crack).
  • Complexity: Mandate a mix of uppercase, lowercase, numbers, and special characters (e.g., P@ssw0rd$2024).
  • Avoid common passwords: Block dictionary words, sequential patterns (e.g., 123456), and breached passwords (use a breached password checklist).

Example Policy:
"Passwords must be 14+ characters long, include uppercase, lowercase, numbers, and symbols, and cannot match known compromised passwords."

2. Implement Multi-Factor Authentication (MFA)

Even strong passwords can be stolen. MFA adds an extra layer (e.g., SMS code, authenticator app, or hardware token) to verify identity.

Example:
"Users must enable MFA via an authenticator app (like Google Authenticator or Tencent Cloud SMS Verification) for all admin accounts."

3. Enforce Regular Password Changes (With Caution)

While frequent changes can lead to weaker variations (e.g., Password1Password2), require updates if:

  • A breach is detected.
  • The password is older than 90 days (for high-risk systems).

Example:
"Passwords expire every 90 days, but users are not forced to change unless a vulnerability is found."

4. Prevent Password Reuse

Block users from reusing their last 5–10 passwords to avoid recycling weak credentials.

Example:
"Users cannot reuse any of their previous 8 passwords when updating."

5. Use Password Hashing & Encryption

Store passwords securely using strong hashing algorithms (e.g., bcrypt, Argon2, or PBKDF2) with salting to prevent leaks.

Example:
"All user passwords are hashed using bcrypt with a unique salt per account."

6. Educate Users on Password Security

Train employees/customers to:

  • Avoid sharing passwords.
  • Use password managers (e.g., Tencent Cloud Password Manager or third-party tools) to generate/store complex passwords.
  • Recognize phishing attempts.

Example:
"Employees must use a password manager to create unique credentials for each service."

7. Monitor & Audit Password Usage

  • Log failed login attempts.
  • Detect brute-force attacks.
  • Use AI-based anomaly detection (e.g., Tencent Cloud Security products) to identify suspicious behavior.

Example:
"The system locks accounts after 5 failed login attempts and alerts admins of unusual access patterns."

Recommended Tencent Cloud Services for Enhanced Security

  • Tencent Cloud CAM (Cloud Access Management): Enforces role-based access control (RBAC) to limit password-related risks.
  • Tencent Cloud Secrets Manager: Securely stores and rotates credentials.
  • Tencent Cloud WAF (Web Application Firewall): Blocks brute-force and credential-stuffing attacks.

By implementing these measures, you significantly reduce the risk of weak password vulnerabilities.