Password Policy: Issue randomly generated passwords / Let the user choose a password

Best password policies: Strong, managed, and kept secure.

Strong

  • long (12 or more characters)
  • full character set required (upper, lower, number, symbol)
  • no complete words
  • no personal information if based on a word

Managed

  • kept in a secure location in case a lookup is needed
  • changed regularly
  • not the same as the previous pass
  • kept hashed in a database behind a completely random password (of insane strength) or on a non-networked database that requires physical secure access

Secure

  • recovery happens in person or through secure channels
  • passwords are reviewed before changing (either automatic or on a schedule)
  • no user knows another user's password (if it's discovered they do and don't have a good reason for it, force a password change)
  • option for 2 factor authentication to make it more secure

These tips are the best for password security and often get used on an enterprise level.

About 2 factor and some problems with it:

Of course, that option for 2 factor authentication often gets tossed around as a "Why not just use 2 factor authentication then?" Well, there's actually a reason for this: you probably should for accounts that deal with sensitive data. Oh wait, yeah, there are also some pitfalls:

For everyone else this adds a physical layer of authentication that costs money, time, and setup, as well as running or hiring a service to generate and keep the authentication in sync. With networked and off-site locations possible, this can run into some problems if not handled correctly, and over time always needs upkeep. Worse yet, loss of the keygen is a common problem, so backups are needed on site to be handed out, and if on a business trip, 2 factor leads to a huge problem if it is lost. Then there's training them in how to use it, and forcing them to still have secure passwords. This takes a long time to get running (depending on the size of the company, this could actually lead to an entire IT overhaul), and requires training and staff dedicated to just maintaining it.

TL;DR:

Implement secure passwords, and talk to the company about password policy and maintenance. Then offer the option of 2 factor (and force it in some places if needed). Also always review passwords (either manually or through an algorithm) to confirm they aren't easy to crack or contain personally identifiable information. These best practices are enough to keep many companies safe. However, never forget that passwords are only 1 part of cyber security.

As for giving out random passwords... well, initially this is fine, but eventually they need to be rotated, and if that's the case then you should let them choose so they can remember it more easily. If they can't remember it they will keep failing to log in, IT load will increase due to forgotten passwords, and then writing it down on sticky notes and losing them becomes an attack vector, or keeping them in personal email with a weak password, all sorts of bad stuff, etc. It would be better to instruct them in how to create a secure, long, strong, and easily remembered password like the following:

R4nD0ms7@Pl312eM0/312 is a random staple remover. Good luck identifying that at a glance, or cracking it. But wait, you've already memorized the base!
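The "Strong" and "managed" bullets above, and the "always review passwords" advice from the TL;DR, can be turned into an automated check that runs at password-change time. The following is an added example, not code from the answer: it enforces the 12+ length, all four character classes, no complete dictionary words, no personal information, and "not the same as the previous password" (compared against the stored hash, so the old plaintext is never kept). The word list and user details are constructed sample data, and salted PBKDF2 is an assumed choice for the "kept hashed" requirement, which the answer does not specify.

```python
"""Password policy check and hashed storage (illustrative example).

Encodes the answer's rules: 12+ chars, upper/lower/digit/symbol, no complete
dictionary words, no personal information, not equal to the previous password,
and stored only as a salted hash. COMMON_WORDS is a constructed stand-in for
a real dictionary or cracking word list; a deployment would load a large one.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000          # assumed work factor; tune for your hardware
SALT_LEN = 16

# Constructed sample word list (a real check uses a full dictionary/crack list).
COMMON_WORDS = {"password", "staple", "remover", "welcome", "summer", "company"}


def check_policy(password, personal_info=(), words=COMMON_WORDS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short (need %d+ characters)" % MIN_LENGTH)

    # "full character set required": each class must appear at least once
    classes = [
        ("uppercase letter", string.ascii_uppercase),
        ("lowercase letter", string.ascii_lowercase),
        ("digit", string.digits),
        ("symbol", string.punctuation),
    ]
    for name, alphabet in classes:
        if not any(c in alphabet for c in password):
            problems.append("missing " + name)

    lowered = password.lower()
    # "no complete words": reject any dictionary word of 4+ letters found whole
    for word in sorted(words):
        if len(word) >= 4 and word in lowered:
            problems.append("contains dictionary word %r" % word)

    # "no personal information": username, name parts, birth year, etc.
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append("contains personal information %r" % item)
    return problems


def hash_password(password, salt=None):
    """Store salt || PBKDF2-HMAC-SHA256 digest; the plaintext is never stored."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Constant-time comparison against a value produced by hash_password()."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def accept_change(new_password, previous_hash=None, personal_info=()):
    """Full change-time check: policy rules plus 'not the same as the previous pass'."""
    problems = check_policy(new_password, personal_info)
    if previous_hash is not None and verify_password(new_password, previous_hash):
        problems.append("same as previous password")
    return problems


if __name__ == "__main__":
    # Constructed user profile for the personal-information check.
    profile = ["jsmith", "john", "smith", 1984]
    for candidate in ["password123", "R4nD0ms7@Pl312eM0/312", "Smith!Summer2024"]:
        print(candidate, "->", accept_change(candidate, personal_info=profile) or "OK")
```

The answer's own example password passes every rule, which is the point of the "leetified phrase" approach it recommends: the base phrase is memorable, but no complete dictionary word survives in the final string for a wordlist check to find.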


On the surface it seems more secure - but I would be concerned that you might run into issues of people writing the random password down on a post-it and slapping it on the wall next to their computer. You can suggest people use a password manager, but at the end of the day 90% of them will just do what they want.

It could also be made less secure based on your delivery method. If you email them their password then that's obviously a problem because then it's floating around in plain text.

Also - everyone in the company might hate you. In my experience people hate auto generated passwords. This isn't really security related but might be worth considering.

In summary - I'm not sure it's a black and white answer. The passwords themselves will probably be more secure but there are the other issues I mentioned to consider.