Enterprise Mobile Device Password Policies - dummies

Enterprise Mobile Device Password Policies

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

Just about every mobile device has the ability to set a password that is required to access any of the device’s features; unfortunately, this functionality is almost always turned off by default. You must be absolutely certain that everyone who accesses your corporate data with a smartphone has a password set on the device — hopefully one that meets your corporate password policy guidelines.

Here’s a rundown of password policy settings:

  • Password required: This is the first and most obvious setting.

  • Minimum password length: This one is simple. The longer the password, the more difficult it is to crack. Industry best practices typically recommend a minimum password length of 6–8 characters.

  • Password complexity: At its simplest, this means that any password must contain a mix of several different types of characters. For example, an organization’s password policy might dictate that a password must contain a mix of upper- and lowercase letters and at least one number, symbol, or punctuation mark.

    The more of these types of special characters you require, the more difficult the password is to crack, but you also run a higher risk that the user will forget the password and get locked out, or write it down where others can find it.

  • Password aging: Your password policy for your mobile devices should have a password-aging component. This is the length of time between forced changes of a user’s password.

  • Password history: This setting allows you to control the number of new passwords that must be used before a user can begin to reuse prior passwords. Most good password policies require at least four unique passwords before an end user can reuse a prior password.

  • Idle timeout: This setting allows you to specify the amount of time that a device can remain idle, with no user input, before it is locked automatically. A best practice recommendation is to set devices to lock after 5 minutes or fewer of inactivity.

  • Maximum number of incorrect passwords: If someone steals a mobile device that has been locked, they are likely to try getting into that device using brute-force password guessing. A best practice for this policy is to set a maximum of 10 incorrect passwords before the device is remotely wiped.

    Make sure that your end users know that if they type in the incorrect password too many times, their data will be deleted.

    Of course, it’s also a good idea to ensure that you are continually backing up data on the device, just in case it ends up getting wiped.
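The settings above translate directly into a compliance check that an administrator can run over the configuration each device reports back to a mobile device management (MDM) system. The following Python is an added example, not code from the article or from any MDM product: it encodes the article's recommended thresholds as a policy object, flags every device setting that falls short, and applies the same complexity rule to a candidate password. The field names on `DeviceSettings`, the 8-character minimum (the article gives 6–8), the 90-day password age (the article names no figure), and the sample device inventory are all assumptions made for illustration; map the field names to your MDM's actual payload keys.

```python
"""Compliance check for mobile device password settings.

Added example, not from the original article. Field names on
DeviceSettings are illustrative assumptions, not any MDM's real keys.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class PasswordPolicy:
    """Thresholds from the article; values marked 'assumed' are not in it."""
    require_password: bool = True
    min_length: int = 8              # article says 6-8; 8 assumed here
    require_mixed_case: bool = True
    require_digit_or_symbol: bool = True
    max_age_days: int = 90           # assumed; the article names no figure
    history_depth: int = 4           # at least four unique passwords
    idle_timeout_minutes: int = 5    # lock after 5 minutes or fewer
    max_failed_attempts: int = 10    # wipe after 10 incorrect passwords


@dataclass(frozen=True)
class DeviceSettings:
    """What a device reports back. A value of 0 means 'not enforced'."""
    device_id: str
    password_set: bool
    min_length: int
    complexity_enforced: bool
    max_age_days: int           # 0 = passwords never expire
    history_depth: int          # 0 = immediate reuse allowed
    idle_timeout_minutes: int   # 0 = never auto-locks
    max_failed_attempts: int    # 0 = unlimited guesses, no wipe


def evaluate(device: DeviceSettings,
             policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return one finding per setting that is weaker than the policy."""
    findings = []
    if policy.require_password and not device.password_set:
        findings.append("no password set")
    if device.min_length < policy.min_length:
        findings.append(f"minimum length {device.min_length} < {policy.min_length}")
    if (policy.require_mixed_case or policy.require_digit_or_symbol) \
            and not device.complexity_enforced:
        findings.append("password complexity not enforced")
    if device.max_age_days == 0 or device.max_age_days > policy.max_age_days:
        findings.append(f"password age {device.max_age_days} days exceeds {policy.max_age_days}")
    if device.history_depth < policy.history_depth:
        findings.append(f"history depth {device.history_depth} < {policy.history_depth}")
    if device.idle_timeout_minutes == 0 or device.idle_timeout_minutes > policy.idle_timeout_minutes:
        findings.append(f"idle timeout {device.idle_timeout_minutes} min exceeds {policy.idle_timeout_minutes}")
    if device.max_failed_attempts == 0 or device.max_failed_attempts > policy.max_failed_attempts:
        findings.append(f"failed-attempt limit {device.max_failed_attempts} exceeds {policy.max_failed_attempts}")
    return findings


def password_problems(password: str,
                      policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Apply the length and complexity rules to one candidate password."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if policy.require_mixed_case and not (re.search(r"[a-z]", password)
                                          and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lowercase letters")
    if policy.require_digit_or_symbol and not re.search(r"[^A-Za-z]", password):
        problems.append("needs a number, symbol, or punctuation mark")
    return problems


def noncompliant_devices(devices: list[DeviceSettings],
                         policy: PasswordPolicy = PasswordPolicy()) -> dict[str, list[str]]:
    """Map device id -> findings, for devices that fail at least one check."""
    report = {}
    for device in devices:
        findings = evaluate(device, policy)
        if findings:
            report[device.device_id] = findings
    return report


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    DeviceSettings("phone-001", True, 8, True, 90, 4, 5, 10),   # compliant
    DeviceSettings("phone-002", True, 4, False, 0, 0, 15, 0),   # six weak settings
    DeviceSettings("phone-003", False, 0, False, 0, 0, 0, 0),   # no password at all
]

if __name__ == "__main__":
    for dev_id, findings in noncompliant_devices(SAMPLE_DEVICES).items():
        print(dev_id)
        for finding in findings:
            print("  -", finding)
```

Because each finding names the setting and the threshold it misses, the report doubles as the remediation list for the MDM profile; the forced-wipe limit in particular should be rolled out together with the backup and end-user notification the article calls for.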

Beyond settings that you can control via configuration on the devices themselves, any good password policy also has an end-user training and education component. The same must hold true for your mobile device password policy. You should train your end users to follow these guidelines:

  • When creating passwords, never use words found in a dictionary or commonly used words.

    For example, an end user should never use his child’s name or the name of his pet as his password.

  • Never write down your password — anywhere.

  • Never tell anyone your password.

    This is true of the user’s boss, the IT administrator, friends, family, and so on.

  • Never talk about the type of password that you use or the password format.

    Ensure that your end users don’t make it easy for someone to beat your password policies.