Passwords are digital locks protecting our critical data, applications, services, and systems. However, as any sensitive data, passwords need to be managed, used, and stored properly.
Having a well-thought-through, strong password policy in place is a great way to ensure proper management of passwords in your organization. So let’s see how you can build one and what secrets management best practices can help you get the most out of your password security strategy.
Password policy basics
Statistics show that people often violate the most basic rules of password security. For example, the 2019 State of Password and Authentication Security Behaviors report by the Ponemon Institute highlights that:
- 69% of respondents share their credentials with colleagues
- for 57% of people, suffering from a phishing attack did nothing to the way they handle passwords
Meanwhile, hackers don’t hesitate to use such negligence to their benefit. The list of the most common techniques used for compromising passwords includes:
- Dictionary attacks – Attackers configure special software to hack the victim’s password by putting common words into the password field.
- Password guessing – Hackers check the most common, simple passwords like “password,” or “123123” to see if they can get into the target system.
- Social engineering – Using scamming techniques, hackers trick their victims into disclosing their credentials.
- Secret question compromise – Hackers break into a victim account by guessing or figuring out the answer to their secret question.
According to the Verizon 2019 Data Breach Investigations Report, phishing and credential compromise are the two most popular attack techniques used by hackers.
The good news is that you can address most of these risks in your organization’s password policy and requirements, thus reducing the risk of a data breach.
A password policy is a set of strict rules, tools, and practices that an enterprise can use to ensure secure and effective management of authorization data. Following best practices for password security can bring your business multiple benefits:
- Lower the risk of data loss and data breaches due to credentials compromise
- Make password management easy and transparent
- Set clear, specific rules and requirements for password use and storing
- Evaluate the effectiveness of the used tools and approaches
- Ease compliance with password security standards and regulations
Now, let’s take a look at the five useful recommendations for strong password policies that can help you prevent credential compromise and ensure proper management of authentication data.
5 best practices for building a password policy
Several world-renowned organizations, including the National Institute of Standards and Technology (NIST), Microsoft, and the US Department of Homeland Security (DHS) provide their own guidelines for ensuring password security. The practices listed below summarize these recommendations and turn them into easy-to-implement steps.
In total, we outlined five key password policy recommendations:
- Choose strength over complexity
- Don’t make password rotation mandatory
- Restrict password reuse
- Store passwords securely
- Deploy advanced cybersecurity measures
Let’s look closer at each of these practices.
1. Choose strength over complexity
For a while, using a complex password – the one with special characters and capitalized letters in it – was considered to be the most secure approach. But times have changed and you’d better care about the password’s strength rather than its complexity.
A password’s strength depends on three characteristics:
- Complexity
- Length
- Unpredictability
Therefore, a strong password is the one that is complex, long, and hard to guess.
Here are some recommendations to add to your password security policy for leveling up the strength of your passwords:
- Set minimum password length – NIST and Microsoft suggest forbidding the use of passwords that are shorter than 8 symbols.
- Forget the special characters – Passwords with special symbols in it aren’t easy to remember or to use. And, unfortunately, they didn’t prove to be much secure either. That’s why, NIST no longer recommends enriching your passwords with special characters.
- Use passphrases instead – Combining several words into one passphrase is a great way to come up with a strong password. NIST SP 800-63 specifies, that while being easy to remember, long passphrases are very hard to crack. And the National Cyber Security Centre in the UK recommends composing a password out of at least three random words.
- Allow long passwords – Don’t set too strict limits for the maximum password length, especially if you’re going to encourage your employees to use passphrases instead of passwords. NIST suggests setting the upper limit for password length not less than 64 characters.
- Ban common passwords – Microsoft recommends restricting the use of any widely used passwords, like “password1” or “qwerty.”
2. Don’t make password rotation mandatory
Managing password aging is tricky. You need to make sure that a password won’t be changed too early or too late. Otherwise, your employees will constantly reverse to using their old, familiar passwords they love so much.
Previously, most authentication security standards recommended:
- Setting the minimum age of a password from three to seven days
- Setting the maximum age of a password anywhere from three to six months
However, NIST recently updated their recommendations regarding mandatory password rotations. Current password policy best practices by NIST don’t require changing passwords every three months if there weren’t any data breaches in your company.
Password rotation remains obligatory only for the cases where there’s evidence that the authenticator was compromised.
As for the minimum age, there’s a better way to prevent your employees from sticking to their favorite passwords.
3. Restrict password reuse
According to the Ponemon Institute, more than half of people use a single password for multiple accounts, both personal and corporate. But if at least one of these accounts gets compromised, it’s only a matter of time before an attacker will get a hold of all other accounts locked with the same password.
Here’s what you can do about it:
- Enforce password history so that the repeated use of a password can be detected
- Prohibiting the use of at least five previous passwords
4. Store passwords securely
While keeping track of passwords is helpful, especially for detecting their reuse, security always comes first. That’s why ensuring secure storage of all passwords in your network is a must.
Consider adding the following two rules to your password policy:
1. Use password managers. Deploying a privileged access management solution with password management functionality can help you kill two birds with one stone. First, such tools make it easier to work with complex, long passwords, as a user don’t actually need to remember all of them. Secondly, such tools not only manage critical credentials but also store them securely in password vaults.
2. Encrypt passwords. To make it even harder to the attackers to compromise your passwords, consider using encryption for password when at rest and in transit. Some password management tools and identity and access management solutions offer such functionality.
5. Deploy advanced cybersecurity measures
Meeting basic password security requirements isn’t enough if you want to be 100% sure that your system is well protected. For example, additional layers of protection are necessary for securing privileged accounts with elevated access permissions. That’s why you need to consider adding multi-factor authentication (MFA) to your password policy as an additional security measure. Besides, implementing MFA is strongly advised by both Microsoft and NIST.
Traditional authentication methods only require a user to input their login and password. Adding one more factor for confirming the identity of a user logging in is a great way to prevent attacker from intruding your system. MFA solutions enhance standard authentication process with a second identity-checking factor: a confirmed mobile device or a user’s biometrics.
In other words, rather than securing the password itself, this technology ensures better protection of the asset protected with this password.
Conclusion
Password policy is a necessary tool for ensuring secure and effective use, storage, and management of user credentials. Such a document should be composed based on the requirements of common security standards, such as NIST SP 800-63 or DHS recommendations.
By implementing the above listed best practices and tips for implementing a password policy, you can improve the effectiveness of credential management in your organization while keeping it easy and transparent.
