Secure Password Management
Passwords are the first line of defense. This guide is part of the documentation available in SecBoard. It explains how to create, manage, and protect passwords effectively—strong composition, storage, rotation, and recovery—and how to combine them with policies and access controls. Use SecBoard Cabinet and Study for user and password-policy documentation; use Document Register for policies; and use Framework Compliance to evidence password-related controls where required by your framework.
Why password management matters
Passwords are often the first (and sometimes only) barrier to accounts and data. Weak, reused, or leaked passwords make takeover and lateral movement easier for attackers. Effective password management—strong rules, secure storage, limited sharing, and clear procedures—reduces risk and supports compliance (e.g. PCI DSS, ISO 27001, NBU regulations). Combine passwords with multi-factor authentication (MFA) wherever possible.
Creating strong passwords
Strength comes from length, complexity, and unpredictability. Prefer long passphrases or random strings over short, simple passwords.
- Use at least 12 characters for user accounts; 15+ for privileged/admin accounts where required by policy or regulation. Longer is better when the system allows it.
- Mix uppercase, lowercase, digits, and symbols if the system supports them. Avoid predictable patterns (e.g. “Password1!”, keyboard walks, personal data). Use a password manager to generate and store random passwords.
- Use a different password for each account and system. Reuse (especially for email, admin, or critical systems) multiplies risk if one service is breached.
Password policy essentials
| Area | Recommendations |
|---|---|
| Minimum length | At least 12 characters (15+ for privileged accounts where required). |
| Complexity | Require mix of character types; block common or compromised passwords (e.g. breach lists). |
| Rotation | Change on compromise or suspicion; periodic change (e.g. 90 days) if required by policy/regulation; avoid forcing very frequent change without MFA (can encourage weak passwords). |
| History | Prevent reuse of recent passwords (e.g. last 5–10) to avoid simple alternation. |
| Lockout | Lock or delay after several failed attempts; secure unlock process (e.g. verified identity, not just “forgot password” by email if that account is weak). |
| Storage | Store only salted, strong hashes (e.g. bcrypt, Argon2); never plain text or weakly hashed. Use a reputable password manager for user-held secrets. |
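The length, complexity, blocklist, history and storage rules above, combined into one policy checker as an added example (not SecBoard code, which does not handle passwords). It assumes a three-of-four character-class rule, a history depth of 5, a constructed four-entry blocklist, and uses scrypt from the standard library in place of the bcrypt/Argon2 named in the table.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

# Constructed sample of a common/compromised-password blocklist; a real
# deployment loads a full breach list instead of these four entries.
COMMON_PASSWORDS = {"password1!", "qwerty123", "welcome1", "letmein"}

# Length thresholds come from the guide; the three-of-four class rule and
# the history depth of 5 are assumptions chosen to match its examples.
MIN_LENGTH = {"user": 12, "privileged": 15}
REQUIRED_CLASSES = 3
HISTORY_DEPTH = 5


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash. scrypt from hashlib stands in for the
    guide's bcrypt/Argon2 examples so the block needs no extra packages."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_policy(password: str, account_type: str = "user",
                 history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return policy violations for a candidate password (empty list = accepted).
    `history` holds (salt, digest) pairs of the account's previous passwords."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common/compromised password list")
    # History check: only hashes are stored, so re-hash with each old salt.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if verify_password(password, salt, digest):
            problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
            break
    return problems
```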
Managing and protecting passwords
- Password managers: Encourage use of a trusted password manager for generating, storing, and filling unique passwords. Reduces reuse and weak choices.
- No sharing: One user, one credential. Shared accounts undermine accountability and make rotation and revocation hard. Use service accounts or delegated access where needed.
- Privileged accounts: Stronger policy (length, complexity, rotation); MFA mandatory; separate accounts for admin vs daily use; monitor and review access (e.g. via SecBoard Cabinet).
- Recovery: Define secure reset and recovery procedures (identity verification, not weak “security questions”). Document in policy; train support staff.
- Compromise: If a password may be compromised, change it immediately and revoke sessions. Check for misuse and report if required (e.g. Incident Register).
How SecBoard modules support secure password management
SecBoard does not store or verify passwords but helps you document policy, assign accountability, and evidence controls.
| SecBoard module | Password management area | How it helps |
|---|---|---|
| Document Register (app_doc) | Policy, procedures | Store and version password policy, acceptable use, and account management procedures. Link to Framework Compliance. Defines requirements for length, complexity, rotation, and recovery. |
| Cabinet (app_cabinet) | Access, accountability | Manage users and groups; enforce one identity per user; support least privilege and access review. Document who has privileged access so password policy (e.g. stronger rules for admins) can be applied. Cabinet Users Guide available. |
| Study / Training (app_study) | Awareness, policy | Deliver training on strong passwords, no reuse, and password managers. Use for awareness and policy acknowledgment. Password validation (e.g. complexity checks) implemented in your own applications can enforce the documented policy. |
| Framework Compliance | Evidence | Map password-related controls (e.g. access control, authentication policy) to frameworks (NIST, ISO 27001, PCI DSS). Attach policy and training evidence. Track status for audits. |
| Incident Register (app_incident) | Compromise response | Record suspected or confirmed credential compromise; document response (password change, session revoke, review). Use for incident process and compliance evidence. |
| Access (app_access) | Access control | Manage application access with Cabinet. Supports “who has access” and need-to-know; combine with MFA and password policy at IdP/app level. |
Secure password management and SecBoard
This guide is part of the documentation available in SecBoard. Passwords are the first line of defense. Use Document Register for password and account management policies; use Cabinet and Study to support access accountability and awareness; use Framework Compliance to evidence controls where required. Combine strong password policy with MFA and least privilege for better protection.
Create, manage, and protect passwords effectively—and document your approach in SecBoard so it stays consistent and auditable.
Frequently asked questions
What makes a password strong? — Length (12+ characters, 15+ for privileged where required), mix of character types, uniqueness per account, and no personal or predictable patterns. Use a password manager to generate and store.
How often should passwords be changed? — Change immediately on compromise or suspicion. For periodic rotation, follow your policy or regulation (e.g. 90 days); avoid very frequent forced changes without MFA, as they can encourage weak passwords.
Should we use a password manager? — Yes. A trusted password manager helps users create and store unique, strong passwords and reduces reuse and weak choices. Choose one with strong security and support for your environment.
How does SecBoard help with passwords? — SecBoard does not store passwords. Use Document Register for password policy; Cabinet for user/access accountability; Study for training; Framework Compliance to evidence controls; Incident Register for compromise response.