Password complexity requirements can be confusing for IT organizations. There has been a great deal thrown out about the best practices for password complexity over the years, but some of the data is conflicting. That leaves admins with questions:
Q: Is it better to just have long passwords rather than complex ones?
Q: Should passwords be rotated? If so, how often? And how many of the previous passwords should be off limits?
Q: What if our organizations leverages multi-factor authentication? Then does it really matter what the password is?
We’ve got answers to these questions and more below. While no password policy is a panacea, there are a number of best practices your organization can follow to promote better identity security. We also recognize that many organizations already have standards or are required to follow specific approaches based on their compliance requirements.
Let’s dive in!
Guiding Principles of Password Management
There are some key principles that we’d suggest that you consider for password management as guided by NIST 800-63 password requirements. These principles are highlighted below, after which we document some different compliance regulations.
Longer is Better
Over the last few years there has been a shift in thinking, especially with regard to NIST. Complex passwords were first viewed as being more powerful. Now, the view is that length matters more. The key here is that a user has a long password that they can remember. When users find themselves having to juggle multiple passwords with complexity requirements, they tend to pick a simple word or phrase and tack a number and special character onto it. For example: Password123!
Password Rotation is Less Valuable than Unique Passwords
STAT: 73% of users have the same password for multiple sites. One third always use the same password. [Digicert]
Historically the view was that passwords should be rotated often and this was likely due to the fact that many users leveraged the same password across all of their IT systems and accounts. Now, the idea is to change your password when it gets compromised, but if you don’t believe that the password has been hacked, it is fine to keep it. Constantly rotating passwords results in poor password choices. If a user picks a strong, longer password first the hope is that it won’t need to be changed in the first place.
Dictionary Words are Fine if the Password is Long Enough
The common view was that dictionary words could be easily checked within passwords. This is, of course, true for short passwords. Computers are fast enough now to check a wide variety of dictionary words and combinations. A collection of dictionary words – on the order of four or five lengthy words – can be an extremely strong password. Add in a punctuation step in between and you have the makings of a very strong passwords. Or, if you can remember a unique sentence that can also be a very strong, long password.
For example, “cloud.novella.candlestick.backpack” is a strong password. But, be sure to make sure that the password you choose is checked against a known password dictionary. This way, you can ensure that you’re using a unique password.
Keep User and Personal Information out of the Password
A survey of 2,000 people commissioned by Google reveals the most commonly used types of information included in passwords [Time]:
- Pet’s name
- Significant dates (e.g. wedding anniversary)
- Date of birth of close relation
- Child’s name
- Other family member’s name
- Place of birth
All of this is personal information that can likely be found on your social networks or in public records.
Honestly, including this type of personal info shouldn’t matter if you follow the other best practices listed above. But still, there is absolutely no reason to take chances and include your personal information into your password. Keep the details of your personal life out of your passwords and make sure that your users do the same.
Password Requirements by Regulation
PCI Password Requirements
Perhaps the most prescriptive regulation, PCI mandates that users have at least 7 character passwords that are alphanumeric. This password must be changed every 90 days and the last four passwords cannot be reused. A user attempting to be login must be locked out after 6 attempts and cannot be let back in for at least 30 minutes. There can be no shared credentials.
HIPAA Password Requirements
Unfortunately, HIPAA is far less prescriptive and, in fact, it doesn’t even make suggestions other than to say use common sense. It advises organizations to not enable passwords to be written.
SOX Section 404 Password Requirements
Sarbanes-Oxley Section 404 is similarly vague on the requirements and doesn’t specify what organizations need to do.
DISA STIG Password Requirements
DISA STIG requirements are generally more stringent because they are for the U.S. Department of Defense. But, even still, these requirements are not overly difficult to achieve. The minimum requirements are for at a password to be at least 15 characters with upper and lower case letters, numbers, and special characters. When the password is changed, it is a requirement that at least half of the characters in the password change as well.
The Final Word on Regulations
These four different regulations give IT admins something to think about, but they are all generally out-dated and not strong enough.
A Better Password Requirement Checklist
Based on the critical guiding principles for password management that we laid out above. We have determined the following best practices for password complexity:
- Longer passwords that are easy to remember are better than meeting basic complexity requirements
- Check a password dictionary to ensure you’re not using a password that many others use
- Each password is unique and cannot be reused
- Where possible, leverage a password manager
- Multi-factor authentication is attached to any account possible, but mandatorily for email accounts
- Lockout users after 5 attempts
These best practices will dramatically increase the strength of your passwords.
The Password Manager Imperative
Of course, you may be looking at this checklist thinking that it looks daunting. Indeed, it would be if there weren’t password manager tools built to enable these sorts of regulations. Ultimately, we strongly encourage you to implement a password manager in order to streamline the implementation of these policies.
JumpCloud Can Improve Your Password Security
Passwords are serious business. Identity theft is all-too-common in organizations today. Countless companies have been breached because of poor passwords and users themselves have suffered significant consequences. Don’t let this happen to you and your organization.
If you would like to discuss more about these regulations and best practices for password complexity requirements, drop us a note. We also encourage you to check out Why It’s Time to Take Identity Security Seriously.