Modern guidance on password policies

You may be sick of hearing about passwords as they pertain to cybersecurity – but hear me out. Like any other part of your business, your password policies need to adapt and change to meet the demands of current threats. It’s great to have one in place, but it’s better to have one that has been recently reviewed and takes your entire security strategy into consideration. Here’s some up-to-date guidance on creating and maintaining password policies for your organization.

Why are password policies so confusing?

Let’s start with a comparison we can all relate to – dietary guidelines and fitness recommendations. At various times throughout my life, I’ve focused on my health through exercise and eating better (with varying levels of success). Among the myriad of challenges, trying to determine what was okay for me to eat and what I should eliminate to be healthy was confusing. I recall all the talk about eggs in particular – at one point they were no good to eat, and then they were okay again (for what it’s worth, the American Heart Association says they are okay). The same goes for fitness. Should you do cardio? Strength training? Some magical combination of every type of exercise known to man? As confusing as all the conflicting advice may be, there are solid recommendations and bits of wisdom that work. The same can be said for password policies.

The cybersecurity community has created similar confusion when it comes to passwords – namely around the topic of if/how often passwords should be changed. This discussion started a few years back when the National Institute of Standards and Technology (NIST) updated its Digital Identity Guidelines (SP 800-63B) and recommended that organizations stop the practice of forcing regular password changes. As a result, software vendors – including stalwart Microsoft – started changing the default settings within their products away from requiring frequent password changes.

The rationale behind this change was simple. Studies showed that frequent, required password changes were actually weakening password security. Users were creating simpler passwords, making small and predictable tweaks to the old one (incrementing a digit, swapping the trailing symbol), and in a lot of cases reusing passwords across platforms to make them easier to remember. These factors – especially password reuse – were making things less safe.

So I don’t need to change my passwords?

And there was much rejoicing! We don’t have to change passwords anymore! Not so fast, unfortunately things are (as usual) a little more complicated than that.

Compliance regulations such as HIPAA and PCI (two of the biggest ones) haven’t evolved yet – both still require “regular” password changes. HIPAA does not mandate a frequency for these changes, but PCI does (every 90 days). These frameworks do get revised, so check the version you are actually audited against rather than relying on what the rule was last year.

No wonder everyone is confused!

Okay, so what should our password policies include?

I wish it was a straightforward answer, but it isn’t. The challenge is that no two organizations are the same. What works for one company may not work for another.

Here are the considerations that you need to keep in mind when trying to determine your organization’s password policies:

  • What compliance requirements do you fall under? This is, by far, the biggest driver you need to consider. A business that needs to maintain HIPAA, ITAR or PCI compliance – or even following regional compliance guides such as the SHIELD Act – is going to have different challenges.
  • Are you using multi-factor authentication (MFA)? If so, how widespread is the use? Do you have it on all critical systems? MFA helps prevent attacks by combining something you know (a password or PIN) with something you have (a device or hardware token).
  • What minimum password length are you using on your systems? While 8 characters used to be the recommended minimum, going to 12 characters or more is ideal. Just as important is the maximum: allow long passphrases (NIST says at least 64 characters) and allow spaces in them, so that the long, simple passwords you are encouraging don’t get rejected by the system.

How you answer the questions above will determine what may be the “ideal” for your company and your systems. We have helped folks decrease the frequency of changes by doing a tradeoff – increasing the minimum password length and making sure that MFA is fully in place.
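To make the considerations above concrete, here is an added example (not code from the original post) of a password-acceptance check that follows the NIST-style guidance discussed here: a 12-character minimum, a generous maximum so passphrases are accepted, no “must contain a symbol” rule, and screening against a breached-password list and organization-specific words. The breach list, the `acme`/`acmecorp` context words and the 64-character ceiling are constructed for the example; the breach lookup mimics the k-anonymity range style used by Pwned Passwords (the client only reveals the first five hex characters of a SHA-1), but is served from the constructed list rather than a real API.

```python
import hashlib
import re
import unicodedata

# Policy values taken from the page's guidance (12+ characters, no composition
# rules) plus two assumptions for the example: a 64-character ceiling so long
# passphrases are still accepted, and a tiny breach corpus standing in for a
# real breached-password list.
MIN_LENGTH = 12
MAX_LENGTH = 64

# Constructed breach corpus (hypothetical, not a real breach dataset).
BREACHED_PASSWORDS = {"password", "P@ssW0rD", "Winter2023!", "letmein", "qwerty123456"}

# Constructed organization-specific words an attacker would try first.
CONTEXT_WORDS = {"acme", "acmecorp"}


def normalize(password):
    """NFKC-normalize so the same visible string compares equal however it was typed."""
    return unicodedata.normalize("NFKC", password)


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Pre-hash the corpus: the checker only ever compares hashes, never plaintext.
BREACHED_HASHES = {sha1_hex(p) for p in BREACHED_PASSWORDS}


def range_lookup(prefix):
    """Server side of a k-anonymity range lookup: given the first 5 hex characters
    of a SHA-1, return the suffixes of every breached hash sharing that prefix.
    The client never sends the full hash, let alone the password."""
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix)}


def is_breached(password):
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def is_sequential(password):
    """True for runs like 'abcdefghijkl' or 'zyxwvutsrqpo' (code points stepping by +/-1)."""
    if len(password) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps == {1} or steps == {-1}


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means the password is acceptable.
    Deliberately no 'must contain a digit/symbol' rule, per the NIST-style guidance."""
    password = normalize(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a breach list")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for word in sorted(CONTEXT_WORDS):
        if word in lowered:
            problems.append(f"contains organization-specific word '{word}'")
    if re.fullmatch(r"(.)\1+", password):
        problems.append("single repeated character")
    elif is_sequential(password):
        problems.append("sequential characters")
    return problems


if __name__ == "__main__":
    samples = ["P@ssW0rD", "I'm so happy that it's winter!", "abcdefghijkl", "Summer2024acme!!"]
    for pw in samples:
        print(repr(pw), "->", check_password(pw, username="jdoe") or "OK")
```

Note what the check does not do: it never rejects a long passphrase for lacking a digit or symbol, and it never stores or transmits the plaintext. In production the `range_lookup` call would go to a real breached-password service and the context-word list would be generated from your own organization's names and products.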

Best practices for your password policies

Keep the following best practices in mind. As I mentioned earlier in the blog, there are pieces of great advice hidden in all the conflicting information. Here are my favorites:

1. Be Alert

Although NIST doesn’t recommend requiring frequent forced password changes, it DOES recommend being alert to strange and unwanted account activity, and it requires that new passwords be screened against lists of known-compromised passwords. You should change passwords whenever there is a possibility that an account has been compromised: for instance, if you believe that you have experienced a phishing attack, or your password has turned up in a breach dump or on the dark web.

2. Enable MFA

Strong controls should be in place in other parts of the authentication process, such as MFA. Enable MFA on your systems and programs whenever possible. ADNET actually requires that clients have MFA in place before even implementing certain systems and applications. If an attacker manages to steal your credentials, MFA gives you the opportunity to stop them from getting into the system. Without being able to complete verification, the attacker will be stuck in limbo. Keep in mind that a one-time code the user types in can itself be phished by a real-time relay, so where you have the choice prefer app- or hardware-based factors over SMS. MFA adds an extra layer of security and should be required for any systems with sensitive data.

3. Complexity vs. Security

NIST currently suggests using very long passwords WITHOUT complexity requirements. Complexity requirements have been shown to make passwords extremely difficult to remember. So, what happens when passwords are hard to remember? People tend to write them down or store them in other ways that aren’t secure. Needless to say, that’s not a great solution. The good news is, mathematically it takes much longer to brute force a simple password that is long and unique (e.g. “I’m so happy that it’s winter!”) than an 8-character complex password (e.g. “P@ssW0rD”). Not only are longer, simpler passwords more secure – they’re much easier to remember.

For example, using an offline hash cracker at a rate of 1 billion guesses a second (a decent GPU against a fast hash), the estimate for “P@ssW0rD” is 18.62 hours, while “I’m so happy that it’s winter!” comes out at 24.55 trillion trillion trillion centuries due to the length and almost endless possibilities. Two caveats on figures like these: they assume the attacker tries every combination, whereas a real cracker starts with dictionary words plus common substitutions (which is exactly why “P@ssW0rD” falls fast) and with lists of common phrases; and the rate depends heavily on how the system hashes passwords, so a slow, salted hash on the server side buys every user extra margin. Even allowing for that, the length advantage is overwhelming.
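The arithmetic behind those estimates, as an added example that is not part of the original post: it sizes the search space for an exhaustive attacker, and then shows two cheaper attack models a real cracker would use first (a dictionary word with per-character mangling, and a phrase assembled from common words). The 1 billion guesses per second rate is the page’s; the character classes, the 20,000-word vocabulary, the four mangling variants per character and the ten trailing-punctuation variants are assumptions of this model, so the absolute numbers will not match the page’s estimator output, only the orders of magnitude.

```python
import string

GUESSES_PER_SECOND = 1_000_000_000  # the page's "decent GPU" rate, one hash per guess

# Character classes used to estimate the alphabet an exhaustive attacker must
# cover. Counting a class only when it appears is an assumption of this model.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def alphabet_size(password):
    """Size of the union of character classes that actually appear in the password."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def brute_force_guesses(password):
    """Worst case for an exhaustive attacker: every string of this length over the alphabet."""
    return alphabet_size(password) ** len(password)


def mangled_word_guesses(vocabulary=20_000, length=8, variants_per_char=4):
    """Attacker who guesses a dictionary word and applies per-character mangling
    (as-is, case flip, two leet substitutions): vocabulary * variants ** length.
    This is the attack that makes 'P@ssW0rD' cheap despite its symbols."""
    return vocabulary * variants_per_char ** length


def phrase_guesses(words=6, vocabulary=20_000, punctuation_variants=10):
    """Attacker who knows the password is a natural-language phrase: each word is
    drawn from a vocabulary, plus a handful of trailing punctuation choices."""
    return vocabulary ** words * punctuation_variants


def seconds_to_crack(guesses, rate=GUESSES_PER_SECOND):
    """Worst-case wall-clock time; the average case is half this."""
    return guesses / rate


def human_duration(seconds):
    """Render seconds in the largest sensible unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            return f"{value:.3g} {name}" if value >= 1e6 else f"{value:,.1f} {name}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    short, phrase = "P@ssW0rD", "I'm so happy that it's winter!"
    print("exhaustive", repr(short), human_duration(seconds_to_crack(brute_force_guesses(short))))
    print("mangled word (8 letters)", human_duration(seconds_to_crack(mangled_word_guesses())))
    print("exhaustive", repr(phrase), human_duration(seconds_to_crack(brute_force_guesses(phrase))))
    print("6-word phrase attack", human_duration(seconds_to_crack(phrase_guesses())))
```

The useful comparison is between the two rows for each password: the complex 8-character password drops from tens of days of exhaustive search to about a second once the attacker assumes a mangled dictionary word, while the passphrase stays far out of reach even when the attacker assumes it is built from common words.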

4. Password Management

Consider implementing a password manager at a company level. Ultimately, employees are going to store passwords somewhere. From Post-It notes to Excel spreadsheets, we’ve seen it all. Giving your team members a secure way to store passwords lets you choose a system you trust, rather than leaving that choice to each individual. As long as you pick a trusted password management system (some widely used examples are Dashlane and LastPass), and the master passwords for those systems are unique and long, it’s a much lower risk. Yes, your password manager could be compromised – anything could. But a stolen vault is only as safe as the master passphrase protecting it, so make that one long and unique and turn on MFA for the manager itself.


So what’s next?

While it may seem confusing, these best practices for creating and revising your password policies can help create clarity for your business. Password policies set at a company level are important because they are one of the few controls you can enforce technically. You can’t stop someone from clicking on a bad link (although with security awareness training, your chances of preventing that definitely improve), but you can mandate that their passwords meet certain requirements, or that MFA is used for applications. This can help create a culture focused on security in your organization.

Have questions about developing a password policy for your business, or need guidance on cybersecurity? Reach out to us, we’re happy to help.