Password Policy Best Practices

May 5, 2022

World Password Day is Thursday, May 5, which is a good reminder that strong password policies are crucially important to a sound cybersecurity practice. Password guessing based on publicly available information is one of the most common tactics of malicious actors. Weak passwords also remain a top cause of data breaches for organizations of all types and sizes.

As a Network Administrator, you may already be in the spring cleaning mood and ready to re-examine your current policies for areas of improvement. Here are some best practices we recommend:

Enforce High-Complexity Passwords

To simulate the methods of real-world malicious actors, our assessment team runs password-cracking hardware that tests 15-20 billion candidates per second, a rate that assumes a fast, unsalted hash such as NTLM or MD5. At that speed, every password of 8 characters or fewer built from lower-case letters and digits falls in minutes, and 9-character passwords of that kind in a few hours; even the full 95-character printable set, with roughly 6.6 × 10^15 eight-character strings, is exhausted in about four days. (A deliberately slow hash such as bcrypt or Argon2 cuts that guess rate by several orders of magnitude, so how passwords are stored matters as much as the policy itself.) Attackers also rarely start with brute force: they have password dictionaries and mangling rules at their disposal, and our team’s list of 1.2 billion common passwords alone cracks about 20% of stolen password hashes in less than a second.
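To make the arithmetic behind those figures concrete, here is an added worked example (not code from the original post) that computes exhaustive-search times for the alphabets and lengths discussed above, and for the 15-character minimum recommended below. The 20 billion guesses per second rate is the upper end of the page's own figure; the 20,000 guesses per second rate for a slow hash is an illustrative assumption, not a benchmark.

```python
# Alphabet sizes an attacker enumerates, smallest first.
ALPHABETS = {
    "lower-case letters": 26,
    "lower-case + digits": 36,
    "mixed-case + digits": 62,
    "all printable ASCII": 95,
}

# Guess rates in candidates per second. The first is the page's figure for a
# fast, unsalted hash; the second is an ILLUSTRATIVE ASSUMPTION for a
# deliberately slow hash (bcrypt/Argon2 at a sensible cost), not a benchmark.
RATES = {
    "fast hash (NTLM/MD5)": 20e9,
    "slow hash (bcrypt, assumed)": 20e3,
}


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Every string of 1..max_length characters over the alphabet, i.e. what
    'every password of N characters or shorter' means for an exhaustive search."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(alphabet_size: int, max_length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at the given rate."""
    return keyspace_up_to(alphabet_size, max_length) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def crack_table(rate: float) -> dict:
    """Map (alphabet name, length) -> seconds for the lengths the page discusses
    (8 and 9), a common corporate minimum (12) and the recommended 15."""
    return {(name, n): seconds_to_exhaust(size, n, rate)
            for name, size in ALPHABETS.items() for n in (8, 9, 12, 15)}


if __name__ == "__main__":
    for rate_name, rate in RATES.items():
        print(f"\n== {rate_name}: {rate:,.0f} guesses/s ==")
        for (name, n), secs in crack_table(rate).items():
            print(f"{name:22} {n:2d} chars: {human(secs)}")
```

Running it shows the two points the section makes: at 20 billion guesses per second an 8-character lower-case password lasts seconds and a 9-character mixed-case one a few hours, while 15 lower-case letters (a plain passphrase with no symbols at all) already runs to thousands of years, and switching the stored hash from a fast one to a slow one multiplies every row by a million.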

For effective passwords today, length is king. We suggest enforcing a 15-character minimum, which we have found to be more effective than complexity rules on their own.

That said, complexity requirements such as minimum counts of symbols, digits, and capital letters still raise the cost of pure brute force, provided users do not satisfy them with the predictable patterns (a capital first letter, a digit and an exclamation mark at the end, “@” for “a”) that cracking rules try first. One easy way to produce a password that is both long and high-complexity, and that defeats dictionary and brute-force guessing alike, is to make an acronym out of a sentence that has meaning to the user and cannot be guessed from publicly available information. For example, “my daughter was born on a Thursday at 11 pm at Peter Lougheed Hospital” becomes mdwboaT@11pm@PLH: 16 characters across four character classes, and not a string that appears in any wordlist. Now that it is printed here, that particular example is in attackers’ dictionaries too, so make up your own.
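The following is an added example, not code from the original post, of how a verifier might enforce these rules with length first: a 15-character minimum, rejection of passwords built from a common word even after leet substitution and trailing digits, a username check, a distinct-character check, and an optional character-class requirement. The COMMON_PASSWORDS set is a constructed stand-in for a real breached-password corpus such as the 1.2 billion-entry list mentioned above.

```python
import re

MIN_LENGTH = 15  # the page's recommendation: length first

# Constructed stand-in for a breached/common-password list. A real deployment
# checks a full corpus (the page's team uses 1.2 billion entries).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "summer", "iloveyou", "admin", "monkey", "dragon",
}

# Leet substitutions that attackers' mangling rules undo first.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the word it is built from: drop leading/trailing
    digits and symbols, undo common leet substitutions, lowercase.
    'P@ssw0rd1!' -> 'password', 'Summer2022!' -> 'summer'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(LEET).lower()


def char_classes(password: str) -> int:
    """Count how many of {lower, upper, digit, other} the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(password: str, username: str = "", min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means accepted.
    Length and the common-word check are the rules that matter most; the
    class count is the optional complexity rule (set min_classes=0 to drop it)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    if char_classes(password) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Summer2022!", "mdwboaT@11pm@PLH",
                      "correct horse battery staple", "AliceAlice2022!!"):
        verdict = check_password(candidate, username="alice") or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note what the normalization buys: “P@ssw0rd1!” satisfies every classic complexity rule and is still rejected, because stripping the trailing “1!” and undoing the substitutions yields “password”, exactly the transformation a cracking rule set performs in the other direction. The acronym example from the text passes with no special-casing.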

Require Passwords to be Changed Regularly

This rule always makes end users roll their eyes, but here is some good news: with strong length and complexity requirements in place, password changes do not need to be frequent.

In fact, we now recommend a one-year expiry interval, because frequent forced changes push users toward weaker, predictable variations of their previous password (Spring2022! becomes Summer2022!), and NIST SP 800-63B likewise advises verifiers not to require routine periodic changes. A yearly change is enough to keep an already difficult target moving. The one exception is compromise: if a password is known or suspected to have been exposed, it must be changed immediately, regardless of the schedule.

Use Multi-Factor Authentication (MFA)

Is it a bit more time-consuming for users to present a second factor every time they log in? Yes. Does it pay off when combined with the other two measures listed above? Absolutely: a password that has been guessed or phished no longer gets an attacker in on its own. Multi-factor authentication is easy to implement, and while we realize we sound like a broken record whenever we recommend MFA to any organization not using it, iON will always advocate for this measure because it works very well. One caveat on the form it takes: a code texted to a mobile number is the weakest option, since SMS can be intercepted or redirected by a SIM swap; an authenticator app generating time-based codes is better, and a FIDO2/WebAuthn hardware key is best because it cannot be phished.

For organizations with multiple products and platforms that require authentication, two kinds of tools make life easier, and they are often confused. A Single Sign-On (SSO) solution puts one identity provider in front of your applications: the user authenticates once, with MFA, and the provider vouches for them to each application (typically over SAML or OpenID Connect), so there are no per-application passwords to manage at all. For applications that cannot be put behind SSO, a password manager gives users one strong master passphrase as the key to a vault of high-complexity passwords that the tool generates, stores, fills into login forms automatically, and synchronizes across operating systems, browsers, and mobile device platforms. Either way the user is left with one password plus MFA, which makes MFA much more tolerable.

Consolidating everything behind one credential may sound inherently less secure, since that one credential now unlocks everything. It isn’t, provided the credential is treated accordingly: protect the SSO account or the vault with MFA, ideally a phishing-resistant one, and monitor it closely. Password managers encrypt the vault on the user’s device with a key derived from the master passphrase, so neither the sync service nor anyone watching the network ever sees the stored passwords in the clear; it is this client-side encryption and the MFA in front of it, not merely encryption in transit, that makes the design safe.

To Sum Up…

With these measures in place, you will be addressing the vast majority of the security risks associated with weak password policies.

Happy World Password Day, everybody!