Password management complexity requirements can be confusing for IT organizations. There has been a great deal thrown out about the best practices for password complexity over the years, but some of the data is conflicting. That leaves admins with questions:
Q: Is it better to just have long passwords rather than complex ones?
Q: Should passwords be rotated? If so, how often? And how many of the previous passwords should be off limits?
Q: What if our organizations leverages multi-factor authentication? Then does it really matter what the password is?
We’ve got answers to these questions and more below. While no password management policy is a panacea, there are a number of best practices steps that you can take within your organization.
Let’s dive in!
Guiding Principles of Password Management
There are some key principles that we’d suggest that you take for password management and complexity requirements. These principles are highlighted below, after which we highlight the state of the art in password policies.
Longer is Better
STAT: a computer can now crack an eight-character password in 5.5 hours. [Halock]
Over the last few years there has been a shift in thinking. Complex passwords were first viewed as being more powerful. Now, the view is that length matters more. Of course, the ideal is to combine complex with length. When we say length is important, we are talking about passwords that are 18 characters and greater.
Unfortunately, not all systems can take an 18 character password (including Office 365). However, where possible, longer passwords are better than short, complex ones.
Randomly Generated is Better than User Generated
Password managers have started to change the thinking about passwords. The idea has become to leverage long, complex passwords that are automatically input into the form on behalf of the user. The user only needs to remember the password to the password manager rather than each one. While this doesn’t solve the problem for users that have to access physical systems where password managers can’t help, it does create better results for web applications.
Password Rotation is Less Valuable than Unique Passwords
STAT: 73% of users have the same password for multiple sites. One third always use the same password. [Digicert]
Historically the view was that passwords should be rotated often and this was likely due to the fact that many users leveraged the same password across all of their IT systems and accounts. A move to having less rotation, but having each account be unique has created a stronger, more secure user base.
Dictionary Words are Fine if the Password is Long Enough
The common view was that dictionary words could be easily checked within passwords. This is, of course, true for short passwords. Computers are fast enough now to check a wide variety of dictionary words and combinations. A collection of dictionary words – on the order of four or five lengthy words – can be an extremely strong password. Add in a punctuation step in between and you have the makings of a very strong passwords.
For example, “cloud.novella.candlestick.backpack” is a strong password.
Keep User and Personal Information out of the Password
A survey of 2,000 people commissioned by Google reveals the most commonly used types of information included in passwords [Time]:
- Pet’s name
- Significant dates (e.g. wedding anniversary)
- Date of birth of close relation
- Child’s name
- Other family member’s name
- Place of birth
All of this is personal information that can likely be found on your social networks or on public records.
Honestly, including this type of personal info shouldn’t matter if you follow the other best practices listed above. But still, there is absolutely no reason to take chances and include your personal information into your password. Keep the details of your personal life out of your passwords and make sure that your users do the same.
Password Requirements by Regulation
PCI Password Requirements
Perhaps the most prescriptive regulation, PCI mandates that users have at least 7 character passwords that are alphanumeric. This password must be changed every 90 days and the last four passwords cannot be reused. A user attempting to be login must be locked out after 6 attempts and cannot be let back in for at least 30 minutes. There can be no shared credentials.
HIPAA Password Requirements
Unfortunately, HIPAA is far less prescriptive and, in fact, it doesn’t even make suggestions other than to say use common sense. It advises organizations to not enable passwords to be written.
SOX Section 404 Password Requirements
Sarbanes-Oxley Section 404 is similarly vague on the requirements and doesn’t specify what organizations need to do.
DISA STIG Password Requirements
DISA STIG requirements are generally more stringent because they are for the U.S. Department of Defense. But, even still, these requirements are not overly difficult to achieve. The requirements are for at least an 8-character password with upper and lower case letters, numbers, and special characters. Where possible, the DoD is also encouraging longer length passwords with 12 to 14 characters.
The Final Word on Regulations
These four different regulations give IT admins something to think about, but they are all generally out-dated and not strong enough.
A Better Password Requirement Checklist
Based on the critical guiding principles for password management that we laid out above. We have determined the following best practices for password complexity:
- Greater than 18 character passwords
- If a very long password isn’t possible or desired, increase the entropy with alphanumerics and special characters
- Each password is unique and cannot be reused
- Where possible, leverage a password manager
- Multi-factor authentication is attached to any account possible, but mandatorily for email accounts
- Lockout users after 5 attempts
These best practices will dramatically increase the strength of your passwords. They will be practically impervious to brute force attacks. More importantly, should a user’s password be hacked on a separate site, it is unlikely to have an impact to your organization.
The Password Manager Imperative
Of course, you may be looking at this checklist thinking that it looks daunting. Indeed, it would be if there weren’t password manager tools built to enable these sorts of regulations. Ultimately, we strongly encourage you to implement a password manager in order to streamline the implementation of these policies.
In our review of the top time-saving tools for IT admins, we highlighted both KeePass and LastPass. KeePass is a more stripped-down, lightweight password manager with a 5 Star rating on SourceForge. LastPass includes a very useful Security Challenge, which reveals holes in passwords and how to fix them. Either can help bolster your password security and make proper password hygiene a lot easier for your users.
JumpCloud Can Improve Your Password Security
Passwords are serious business. Identity theft is all-too-common in organizations today. Countless companies have been breached because of poor passwords and users themselves have suffered significant consequences. Don’t let this happen to you and your organization!
If you would like to discuss more about these regulations and best practices for password management complexity requirements, drop us a note. Or, feel free to check out our Directory-as-a-Service® platform’s password complexity builder to see how you can implement these best practices across your systems, applications, and networks.
We also encourage you to check out our The 2016 IT Guide to Identity Management available for free online [link]. This PDF lays out the new Identity and Access Management landscape, along with the biggest challenges and the most effective solutions.