Password policy best practices are vital if companies are to adequately protect private, sensitive, and personal communications and data. For system users, passwords are the first line of defense against unauthorized access to protected systems and information. Proper password policies and rules must therefore be implemented to reduce the security problems caused by poor practices and weak passwords. A password policy comprises the rules an organization sets to strengthen computer security in the face of rising cybersecurity threats. It encourages users to create secure, reliable passwords and to store them securely so that they are used properly. Every organization is responsible for developing strong password policies, maintaining them, and updating them as guidance evolves.
Importance of Password Best Practices
A recent Verizon Data Breach Investigations Report showed that attackers exploit whatever opportunity poor password practices give them. The report singled out stolen credentials (usernames and passwords) and phishing as the top techniques for breaching protected systems. Poorly designed password policies contribute to those outcomes: complexity rules that do more harm than good push users toward predictable workarounds rather than stronger passwords.
As if poor password policies were not enough, the 2019 State of Password and Authentication Security Behaviors report revealed interesting statistics about employee password habits. It showed that 51% of respondents reuse the same password for personal and business accounts, and 68% admitted to sharing important passwords with colleagues. More worrying still, 57% of the participants who had experienced a phishing attack said they had not changed their password behavior afterwards. These alarming figures show why businesses in every industry need to maintain effective password policy best practices.
Current Password Policy Standards
Passwords are supposed to solve the authentication problem but have instead become a significant source of trouble. Most users continue to create weak, easy-to-guess passwords and reuse them across accounts. Password policies, on the other hand, evolve as new security demands arise, and experts and regulatory bodies have therefore placed a lot of emphasis on what constitutes best password practice.
National Institute of Standards and Technology (NIST)
NIST develops and updates information security guidelines and standards for federal agencies, but private-sector organizations can use them as well. NIST addresses password policy in NIST Special Publication (SP) 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management). The publication takes a different approach from older password guidance: it encourages users to create passwords, which it calls memorized secrets, that are easy to remember but hard to guess, and it drops the composition rules (mandatory mixes of character classes) and routine expiry that earlier guidance recommended. User-chosen memorized secrets must be at least eight characters long, and randomly generated ones at least six; all printable ASCII characters, the space character, and Unicode characters should be accepted, and verifiers should allow passwords of at least 64 characters.
Moreover, the publication requires the verifier (the system accepting the password) to compare each new password against a list of values known to be commonly used, expected, or compromised, and to reject any match. That list should include dictionary words, passwords exposed in past breaches, repetitive or sequential strings (e.g., aaaaaaaa or 1234qwerty), and context-specific words such as the service name or the user's own username. Other NIST password policy best practices include:
- Allow pasting into the password field so that password managers can be used.
- Store a salted hash of the password, derived with an approved key derivation function (such as PBKDF2), rather than the password itself.
- Give users the option to display the password while they type it, instead of only masking it with dots or asterisks, so that long passwords can be entered correctly.
- Offer multi-factor authentication.
- Request memorized secrets only over an authenticated protected channel (approved encryption such as TLS).
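As an added example (not code from the NIST publication or from this article's author), the following Python implements the checks above the way a verifier would: length limits without composition rules, a blocklist, detection of repetitive, sequential and keyboard-walk runs (the keyboard sequences discussed under Practices to Avoid below), rejection of context-specific terms, and salted storage with PBKDF2-HMAC-SHA256. The blocklist, the usernames and the service name are constructed for illustration; a real deployment would load a full breached-password corpus instead.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed blocklist for this example; a real verifier loads a large corpus
# of breached and common passwords instead of this handful.
BLOCKLIST = {"password", "password1", "letmein", "iloveyou", "welcome1", "qwerty123"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LEN, MAX_LEN = 8, 64          # SP 800-63B: at least 8, allow at least 64
PBKDF2_ITERATIONS = 600_000       # work factor for PBKDF2-HMAC-SHA256


def _has_run(s: str, n: int = 4) -> bool:
    """True if s contains n identical characters in a row, n characters that
    step by +1/-1 in code-point order (abcd, 4321), or an n-character slice of
    a keyboard row in either direction (qwer, rewq)."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        if len(set(window)) == 1:
            return True
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas in ({1}, {-1}):
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_memorized_secret(secret: str, username: str, service: str = "example") -> list:
    """Return the reasons a candidate password is unacceptable (empty == accept).
    Length-only requirements and a blocklist, no composition rules, per SP 800-63B.
    `service` is the hypothetical name of the system the password protects."""
    s = unicodedata.normalize("NFKC", secret)   # normalize before measuring/hashing
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    low = s.lower()
    if low in BLOCKLIST:
        reasons.append("appears in the blocklist of common or breached passwords")
    if _has_run(low):
        reasons.append("contains a repetitive, sequential, or keyboard-walk run")
    for term in (username, service):
        if term and term.lower() in low:
            reasons.append(f"contains the context-specific term '{term}'")
    return reasons


def hash_secret(secret: str) -> bytes:
    """Store salt || PBKDF2-HMAC-SHA256(secret, salt); never the password itself."""
    salt = os.urandom(16)
    data = unicodedata.normalize("NFKC", secret).encode("utf-8")
    return salt + hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)


def verify_secret(secret: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    data = unicodedata.normalize("NFKC", secret).encode("utf-8")
    candidate = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "password", "1234qwerty", "alice2024!"):
        print(candidate, "->", check_memorized_secret(candidate, username="alice") or "accepted")
    record = hash_secret("correct horse battery staple")
    print("verify:", verify_secret("correct horse battery staple", record))
```

Note that the only thing the user is told to do is pick something long that is not on the list; the verifier does the checking, and the stored record is useless to an attacker without running the KDF for every guess.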
Department of Homeland Security (DHS) recommendations
The DHS has published a tip card on creating strong passwords to help users protect systems and information from online threats. The card offers simple guidelines, some of which overlap with the NIST requirements, to reduce the likelihood of a security incident. The tips include:
- Create passwords of at least eight characters; longer is better.
- Use a passphrase that combines upper- and lower-case letters and punctuation marks.
- Avoid common words and personal information when creating passwords.
- Use a unique password for each account.
Microsoft Recommendations for Password Policy
Microsoft has used intelligence gathered over the past years, from tracking threats such as phishing attacks, bots, trojans, and worms, to develop recommendations for both end-user and administrator password policies. Microsoft also stresses frequent employee training so that all users can recognize current threats and apply password policy changes correctly. Its password guidance for identity and access management recommends the following best practices:
- Maintain a minimum password length of eight characters.
- Do not require special characters such as *&(^%$ (no character-composition rules).
- Do not enforce periodic password resets on user accounts.
- Educate users about the risks of reusing passwords.
- Enforce multi-factor authentication.
Password Policy Best Practices Recommendations
The system administrators in all companies should consider the following suggestions to create a strong password policy:
Insist on Multi-Factor Authentication
Multi-factor authentication (MFA) protects data and information systems by requiring users to prove their identity with more than one factor. After entering the correct username and password, the user must present an additional item, such as a one-time code generated by or sent to a registered mobile device, or a biometric such as a fingerprint enrolled beforehand. It is a highly effective control: an attacker who has only the password cannot supply the second factor, so MFA blocks access through stolen or guessed credentials as well as by users who lack the required privileges. Codes sent by SMS can be intercepted or phished more easily than those from an authenticator app or hardware key, so prefer the latter where available.
Implement a Password Age Policy
A password age policy sets bounds on how long a password stays in use. The minimum password age is the time a user must keep a new password before being allowed to change it again; the maximum age, where one is set, is the time after which the user is prompted to choose a new one. The minimum age matters because, without it, a user prompted to change a password can cycle through a series of throwaway passwords in a few minutes and land back on the old one. A minimum age of three to seven days makes that workaround impractical while still leaving ample time for legitimate changes. System administrators should, however, remember that passwords can be compromised: a minimum age must never stop a user from replacing a compromised password, so an administrator-initiated reset should bypass the minimum-age check, and admins should be available to perform it. Note that current NIST and Microsoft guidance recommends against forcing periodic resets for their own sake; passwords should be changed when there is evidence of compromise.
Use Passphrases
Passphrases provide stronger security than single-word passwords. For instance, take a sentence like "I Love Spending Time At The Zoo Every Sunday." Using the first letter of each word gives ILSTATZES, a nine-character string that is not a dictionary word and is easy to reconstruct from the sentence; it is still short, though, and should be treated as a minimum rather than a goal. Using the entire sentence as the passphrase, with its mix of capital and small letters and spaces, gives far more length and makes guessing it much harder. A passphrase is easy to remember, yet provides more robust security than a short, complex password.
Enforce a Password History Policy
When prompted to create new passwords, many users simply reuse a password they have used before. Although common, this defeats the purpose of the change, so organizations should implement a password history policy that controls how soon an old password can be reused. A useful policy has the system remember at least the last ten passwords a user has set (as salted hashes, not plaintext) and refuse any new password that matches one of them. This stops users from alternating between a couple of favourite passwords, which are also the ones most likely to turn up in brute-force and credential-stuffing attacks. Some users will try to work around the history by changing their password ten times in a row to get back to the original; a minimum password age policy is the preventative control that closes that loophole.
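As an added example (not the article's own code) serving both the password age section and the password history section above, the following Python models a per-user history of ten salted password hashes together with a minimum-age check, and shows the loophole the two policies close together: cycling through ten throwaway passwords to get the old one back. The epoch, passwords and an `admin_reset` flag are constructed for illustration, and the PBKDF2 work factor is lowered so the demo runs quickly.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

HISTORY_DEPTH = 10          # remember the last ten passwords
DEFAULT_MIN_AGE_DAYS = 3    # lower end of the 3-7 day range
ITERATIONS = 50_000         # lowered for the demo; use far more in production
EPOCH = datetime(2024, 1, 1)   # constructed reference time for the example


def at_day(days: float) -> datetime:
    """Timestamp `days` after the constructed epoch."""
    return EPOCH + timedelta(days=days)


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-user record: salted hashes of recent passwords (newest last) and
    the time of the last successful change."""

    def __init__(self, min_age_days: float = DEFAULT_MIN_AGE_DAYS):
        self.min_age = timedelta(days=min_age_days)
        self.entries = []          # list of (salt, digest)
        self.changed_at = None

    def _in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(_kdf(password, salt), digest)
                   for salt, digest in self.entries)

    def change(self, new_password: str, now: datetime, admin_reset: bool = False) -> str:
        """Apply the policy and return 'ok' or the reason for refusal.
        admin_reset skips the minimum-age check so a compromised password can be
        replaced immediately; the history check still applies."""
        if (not admin_reset and self.changed_at is not None
                and now - self.changed_at < self.min_age):
            return "minimum password age not reached"
        if self._in_history(new_password):
            return f"matches one of the last {HISTORY_DEPTH} passwords"
        salt = os.urandom(16)
        self.entries.append((salt, _kdf(new_password, salt)))
        del self.entries[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH
        self.changed_at = now
        return "ok"


def cycling_workaround(history: PasswordHistory, original: str, now: datetime) -> bool:
    """The classic trick: change through HISTORY_DEPTH throwaway passwords in one
    sitting, then set the original again. Returns True if the user got it back."""
    for i in range(HISTORY_DEPTH):
        history.change(f"throwaway-password-{i}", now)
    return history.change(original, now) == "ok"


if __name__ == "__main__":
    history_only = PasswordHistory(min_age_days=0)
    history_only.change("orig-secret-1", at_day(0))
    print("history only, back to original:",
          cycling_workaround(history_only, "orig-secret-1", at_day(1)))
    both = PasswordHistory()
    both.change("orig-secret-1", at_day(0))
    print("history + minimum age, back to original:",
          cycling_workaround(both, "orig-secret-1", at_day(30)))
```

With history alone the user is back on the original password after eleven changes; with a three-day minimum age the second throwaway change is refused and the original stays unavailable, while the administrator's `admin_reset` path still replaces a compromised password at once.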
Create Unique Passwords to Protect Different Accounts
Many users fall into the temptation of using a single password for multiple accounts so they do not have to remember which password belongs to which account. The practice is dangerous: an attacker who obtains that password from one site, for example through a breach there, can try it against every other account the user holds (credential stuffing). A unique password for each account confines the damage of a single breach to that one account. It is also vital not to recycle old passwords on other systems. Reusing passwords, whether over time or across accounts, makes an attacker's job far easier.
Immediately Reset or Disable Accounts No Longer in Use
Disgruntled ex-employees can be a business's worst enemy because of their insider knowledge. System administrators must therefore reset the passwords of, or better, disable, the accounts of employees who no longer work for the company. Motives such as revenge, financial gain, or simply continued access to valuable information can lead ex-employees to use their old credentials. Companies should empower the IT and HR departments to act as soon as an employee leaves, and to document the actions taken in line with the password policy.
Always Log Out
Businesses should require employees to log out of, or lock, their computers whenever they leave their workstations, and to sign out of accounts they are not using, so that neither insiders nor outside attackers can walk up and access confidential information. To enforce the policy, system administrators should configure computers to lock or sign out automatically after a period of inactivity. Users should also revoke the permissions granted to third-party applications integrated with the main account once they no longer need them, since attackers can compromise an application with weaker security to reach the account behind it.
Clean Desk Policy
A clean desk policy is among the most effective password policy best practices. It requires users to make sure their desks and workstations are free of physical objects containing sensitive information, such as passwords. Some users write passwords on a piece of paper to avoid forgetting them, then leave that paper in the open for all and sundry, giving anyone who walks by instant access. To prevent this, users must clear their desks before leaving, and a password manager is the better place to keep passwords in the first place.
Secure Emails and Mobile Phones
Malicious actors who gain control of a user's mobile phone or email account can use it to reset the passwords of connected accounts. Most accounts provide a "forgotten password" function that sends a unique link or code to the registered device or email address so that the user can set a new password; anyone with access to that device or mailbox can therefore change the password at will and keep the access. Protect these recovery channels with strong passphrases and, on devices, biometric locks such as fingerprints, and enable MFA on the email account itself.
Utilize a Password Manager
Password managers are increasingly a priority for professionals and businesses. Tools such as Zoho Vault and LastPass are practical for organizing passwords and for maintaining a high standard of password hygiene. A user only has to remember one strong master password (ideally protected by MFA) to access the passwords stored in the manager. Password managers also generate strong, unique passwords for each account and can fill them in automatically, which makes long random passwords painless to use. Wherever possible, generating and saving passwords with a password manager is highly recommended.
Practices to Avoid
Password policy best practices rule out the following ways of creating and handling passwords:
- Using Dictionary Words: users must avoid words found in a dictionary when creating a password. Whether it is a single word or two words joined with predictable substitutions, such a password is susceptible to a dictionary attack.
- Using Personal Names: passwords built from personal names or place names are weak and insecure. Attackers can scan a target's social media profiles for details such as family members' names and frequently visited places and use them as guesses. Slight variations of personal information do little to help, since an attacker can patiently try every letter and digit variation of the known words.
- Reusing Passwords: industry experts cannot stress enough the risk of reusing old passwords, whether on the same account or across accounts. A password that has leaked from one account will be tried against every other account the user holds, so each new password must be brand new.
- Using Keyboard Sequences: any run of adjacent keys, such as qwertyuiop or mnbvcxz, is already in every password-cracking dictionary. Such strings are easy to crack.
- Sharing Passwords: users should not share their passwords with colleagues. Not only can shared passwords be misused, but attackers can intercept them if they are sent over insecure channels, and a shared account leaves no way to tell who actually did what.
I am a cyber security professional with a passion for delivering proactive strategies for day-to-day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through the inefficiencies that plague today's business environments.