Password Policy Guidelines

Creating strong passwords, and the corporate policies surrounding them, has been under debate for the past few years. When passwords were first implemented, the goal was simply to use something someone else wouldn’t easily guess. However, computers are constantly increasing in sophistication and power and can easily crack simple passwords.

To combat this, we have adjusted requirements for passwords: first in length, then in complexity, and then in how often they must be changed. Most users today still work around this by appending numbers or characters to a basic password, like changing P@ssw0rd1 to P@ssw0rd12.

This has its own weakness, though: once a password is cracked, anyone can look at it and guess what it might be changed to next. Modern GPU-based password crackers can break eight-character passwords in seconds and 12-character passwords in minutes, so changing or updating short passwords doesn’t stymie an attacker for very long.

This leads to two newer trends in passwords: long passwords and multi-factor authentication.

Long Passwords: The Industry Recommendation

https://xkcd.com/936/

This xkcd comic explains it pretty well. It’s much stronger to string several random words together, and pairing it with multi-factor authentication (which we’ll get to later) is a great way to go.

The National Institute of Standards and Technology (NIST) issued a recommendation for changing passwords in this manner. Microsoft, along with government bodies in countries like the UK, is making the same recommendation: use longer passwords without expiration.

Keeping some complexity requirements is even better, since information security experts believe a long passphrase is still too easy to bypass when it is made of all lower-case words without any numbers or symbols. There are cracking techniques that take multiple dictionary words, join them together, and test the hash of the combined string. To combat this, users can make simple changes to add more complexity, like capitalizing a random letter or inserting numbers and symbols: “correcThors*6atterystaple”.

It’s not too difficult to remember “correcThors*6atterystaple” after a few uses, and there are only three changes, but now common patterns won’t be recognized. Capitalizing a random letter rather than the first letter of a word throws off an easy guessing technique. Breaking up a word by replacing a letter with a symbol also helps. A password like this is complex enough to be very difficult for a computer to crack and therefore basically eliminates the need to change it.

There are other benefits to non-expiring passwords. For starters, it’s easier for a user to make a complex password if they know they’re never going to have to change it, and they will be able to commit it to memory and avoid writing it down. IT staff won’t have to deal with as many lockouts or password resets. This also plays a key role in recognizing phishing attempts, since legitimate reset requests will be few and far between.

Top it off with multifactor authentication (MFA) and you’ve got a winning strategy.

MFA All Day

Of course, if you have a need for REAL security, there’s not really a choice in modern times except to use multi-factor authentication (MFA). MFA relies on at least two of three factors to authenticate a user: something you have (such as a hard token, a soft token, an ID card, etc.), something you are (fingerprint, retinal scan, etc.), and something you know (password, passphrase). This combination of requirements makes it MUCH more difficult for accounts to be compromised.

For example, let’s say end user Suzy ignores all training and puts a post-it note with her password on the bottom of her keyboard. Unless she also leaves her finger or eye behind, there’s no way for someone else to unlock her account. Similarly, if Suzy leaves her token out on her desk for someone to steal, her strong password is still securely in her head.

This isn’t to say that simply using “something you are” biometric-type authentication negates the need for passwords altogether (most smartphones use both a PIN or password and a fingerprint). Retinal scanning and facial recognition on consumer equipment are still very primitive. Even “tried and true” biometric technology such as fingerprint scanners can be beaten given a little effort. Simply adding a second layer of verification means that even if someone prints out a picture of you for facial recognition, or lifts your fingerprint, they still also have to get the password right to truly get into your accounts. MFA isn’t doubling the complexity of breaking into accounts — it’s increasing it exponentially.

So, what’s the takeaway?

  1. Use long passwords. You don’t have to enforce any complexity requirements, but it’s not a bad idea. Train users on what is good and what is bad complexity.
  2. Set your passwords to never expire. This trains people that they can use more complex passwords without fear of constantly having to change them. It also makes IT less likely to fall for the social engineering trick of being asked to change one.
  3. Use MFA if you can – it adds so much more security to a system.
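As an added example (not part of the original article), here is a password-change check that encodes the first two takeaways in policy terms: it enforces a minimum length, rejects the “bump the suffix” trick (P@ssw0rd1 to P@ssw0rd12) that the article describes, and flags the guessable “capital at the start, digits at the end” shape without rejecting an all-lower-case passphrase. The minimum length of 15 and the small substitution table are assumptions for the example; the article names no specific numbers.

```python
import re

# Assumed policy values for this example; the article names no specific numbers.
MIN_LENGTH = 15

# Common character substitutions, undone before comparing passwords so that
# 'P@ssw0rd' and 'Password' are treated as the same base word.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo substitutions."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower()).translate(LEET)


def is_trivial_variation(old: str, new: str) -> bool:
    """True when the new password is the old one with a bumped or appended suffix,
    e.g. P@ssw0rd1 -> P@ssw0rd12."""
    return normalize(old) == normalize(new)


def has_predictable_structure(pw: str) -> bool:
    """Capital only at the very start and digits/symbols only at the end: the
    'capitalize, then append a number' shape that is easy to guess."""
    m = re.fullmatch(r"([A-Z]?)([a-z]+)([^a-zA-Z]*)", pw.translate(LEET))
    return bool(m) and bool(m.group(1) or m.group(3))


def check_password_change(old: str, new: str) -> tuple[bool, list[str]]:
    """Apply the policy: long, not a re-hash of the old password, and preferably
    without a guessable shape. Returns (accepted, findings); only the first
    two checks reject, the rest are advice to show the user."""
    errors, advice = [], []
    if len(new) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if old and is_trivial_variation(old, new):
        errors.append("same base word as the previous password with a changed suffix")
    if has_predictable_structure(new):
        advice.append("capital only at the start and digits/symbols only at the end")
    elif new.isalpha() and new.islower():
        advice.append("all lower-case; a random capital or an inserted symbol adds complexity")
    return not errors, errors + advice


if __name__ == "__main__":
    for old, new in [("P@ssw0rd1", "P@ssw0rd12"),
                     ("P@ssw0rd12", "correcthorsebatterystaple"),
                     ("correcthorsebatterystaple", "correcThors*6atterystaple")]:
        print(new, check_password_change(old, new))
```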

If you have questions about setting appropriate policies or want some guidance on a multi-factor authentication tool, send us an email or give us a call at 502-240-0404!