Password complexity requirements can be confusing for IT organizations. A great deal has been written about best practices for password management over the years, but some of the advice conflicts. That leaves admins with questions:
Q: Is it better to just have lengthy passwords rather than complex ones?
Q: Should passwords be rotated? If so, how often? And how many of the previous passwords should be off limits?
Q: What if our organization leverages multi-factor authentication (MFA)? Then does it really matter what the password is?
We’ve got answers to these questions and more below. While no password policy is a panacea, there are a number of best practices your organization can follow to promote better identity security. We also recognize that many organizations already have standards or are required to follow specific approaches based on their compliance requirements.
Let’s dive in!
Guiding Principles of Password Management
Longer Is Better
Historically, it was assumed that complex passwords are more secure. However, over the past few years, the thinking around passwords has evolved. Enforcing password length is now considered more important than enforcing password complexity.
When users find themselves juggling multiple passwords with complexity requirements, they tend to pick a simple word or phrase and tack a number and special character onto it. For example: Password123! Longer passwords, on the other hand, are less likely to be compromised because it takes 62 trillion times longer to crack a 12-character password than a six-character one.
Finding the right balance between length and complexity is crucial. Most security professionals advise that passwords should be a minimum of 12 characters in length and include at least numbers and special characters.
Password Rotation is Less Valuable than Unique Passwords
Yes, it’s true that 60% of users reuse passwords across multiple sets of credentials. Since a single data breach is enough to put their entire online presence at risk, it could be argued that passwords should be rotated often.
In practice, however, forcing users to change passwords every few months leads to password fatigue. When frequent password rotation is enforced, people are more likely to opt for simple, easy-to-remember passwords that aren’t secure enough.
The best approach is to require longer and stronger passwords that will be difficult to compromise in the first place, enforce rotation occasionally or in the event of a breach, and implement policies that prevent the reuse of previous passwords.
Dictionary Words are Fine if the Password is Long Enough
Using dictionary words in passwords was actively discouraged because they could easily be cracked with a brute force attack, and this still holds true for short passwords. It is nonetheless possible to use dictionary words to create very strong passwords; all it requires is a bit of diligence.
Use four or five lengthy dictionary words with a mix of other characters to create a strong password. For example, “cloud.novella-candlestick.backpack” is a strong password. But be sure you’re using a unique password by checking it against a known password dictionary first.
You can also leverage dictionary words to create easy-to-remember acronyms. Just take a sentence or, say, the words to a favorite song and then use the first letter of every word to make a random string. “For those about to rock, we salute you” becomes “ftatrwsy”. If you can add in a phrase with numbers, that could be “too good to be true” (2g2bt).
Keep User and Personal Information out of the Password
Social engineering attacks rely on information about the user that can easily be obtained to compromise their identity. That’s one of the reasons why passwords with personal information are a bad idea.
Much of this information can likely be discovered on social networks or public records, including:
- Pet’s name
- Significant dates (e.g., wedding anniversary)
- Date of birth of close relation
- Child’s name
- Other family member’s name
- Place of birth
If other password management best practices are followed, then using this information in a password shouldn’t cause problems. However, it’s always best to leave information that may easily be guessed out of passwords to ensure complete peace of mind.
Change Passwords Immediately After Being Compromised
Once compromised, passwords quickly end up being traded on the dark web. With so many users relying on the same password for multiple services, just one security breach can lead to their identity being compromised across all platforms.
Most platforms will inform users when there has been a data breach. Users may also suspect that their passwords have been compromised if they notice unauthorized login attempts. It’s always best to change passwords immediately after they’re leaked. This prevents any further damage, particularly if the same password is used for multiple user accounts.
Password Requirements by Regulation
PCI
PCI compliance standards for passwords are some of the most comprehensive in the industry. To comply with these standards, a password must be at least seven characters long and contain both numbers and letters. Furthermore, users must change their passwords every 90 days, and their last four passwords can’t be reused. Users are also locked out for 30 minutes after six failed login attempts.
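The PCI lockout rule above (six failed attempts, 30-minute lockout), implemented as an added example that is not code from the article or from JumpCloud. The class and method names are my own, and the clock is injectable so the lockout expiry can be exercised without waiting half an hour; the checklist’s “five attempts” is the same mechanism with a stricter threshold.

```python
import time
from collections import defaultdict

# PCI thresholds quoted in the article.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60


class LockoutTracker:
    """Tracks consecutive failed logins per username and enforces a temporary lockout.

    `clock` returns the current Unix time; it is a parameter so tests can fake it.
    """

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)  # username -> consecutive failures
        self.locked_until = {}            # username -> Unix time the lock expires

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it and start counting from zero again.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def record_failure(self, username):
        """Register a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(username):
            return True
        self.failures[username] += 1
        if self.failures[username] >= self.max_attempts:
            self.locked_until[username] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, username):
        """A correct password resets the counter, but not while a lockout is active."""
        if self.is_locked(username):
            return False  # reject even a correct password during the lockout window
        self.failures[username] = 0
        return True
```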
HIPAA
HIPAA doesn’t make specific recommendations about password management; passwords are only mentioned once in the entire text of HIPAA. Ideally, a HIPAA password policy should be compliant with the latest recommendations from NIST, which, among other things, suggest a minimum password length of eight characters.
SOX 404
Much like HIPAA, Sarbanes-Oxley Section 404 is vague and doesn’t outline specific recommendations for password management. The general guidance from security auditors is that organizations should follow NIST recommendations for SOX 404 passwords.
DISA STIG
DISA STIG password requirements are some of the most stringent in the industry since they’re for the U.S. Department of Defense. But that doesn’t mean they’re out of reach for the average organization. The minimum requirements include:
- A password must be at least 15 characters
- It must have upper and lower case letters, numbers, and special characters
- When the password is changed, at least half of the characters in the password must change as well
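As an added example (not code from the article or from JumpCloud), the following Python validator applies the principles discussed above in one place: the 12-character minimum with digits and special characters, a known-password dictionary check, rejection of personal information, a hashed password history to block reuse, and the DISA STIG rule that at least half of the characters must change. The KNOWN_PASSWORDS set is a constructed stand-in for a real breach list, and the function names are my own.

```python
import hashlib
import re
from typing import Iterable, List, Optional

# Thresholds from the article: 12+ characters with digits and special characters,
# no known-breached passwords, no personal information and no reuse of history.
MIN_LENGTH = 12
# DISA STIG rule from the list above: at least half of the characters must change.
MIN_CHANGED_FRACTION = 0.5
# Constructed stand-in for a breached-password dictionary; a real deployment loads
# a large breach list or queries a k-anonymity API rather than an in-memory set.
KNOWN_PASSWORDS = {"password123!", "qwerty123456", "letmein12345!"}

def password_hash(value: str) -> str:
    # SHA-256 keeps the example dependency-free; in production keep history with
    # the same slow hash (bcrypt/argon2) as the primary credential store.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def changed_fraction(old: str, new: str) -> float:
    """Fraction of positions that differ; extra or missing characters count as changed."""
    longest = max(len(old), len(new))
    if longest == 0:
        return 0.0
    same = sum(1 for a, b in zip(old, new) if a == b)
    return (longest - same) / longest

def check_password(candidate: str, personal_info: Iterable[str] = (),
                   history_hashes: Iterable[str] = (),
                   old_password: Optional[str] = None) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    lowered = candidate.lower()  # "Password123!" and "password123!" are the same risk
    if lowered in KNOWN_PASSWORDS:
        problems.append("appears in known password dictionary")
    for item in personal_info:  # pet names, birthdays, etc. from the user's profile
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    if password_hash(candidate) in set(history_hashes):
        problems.append("reuses a previous password")
    if old_password is not None and changed_fraction(old_password, candidate) < MIN_CHANGED_FRACTION:
        problems.append("fewer than half of the characters changed")
    return problems
```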
A Better Password Security Checklist
We’ve created a checklist based on the critical guiding principles for password management discussed above. These are the best practices everyone should follow to improve online security:
☑️ Use unique passwords that are long and easy to remember
☑️ Check a password dictionary to ensure you’re not using a password that many others use
☑️ Never write passwords on a piece of paper or save them in plain text in a browser
☑️ Where possible, leverage a single sign-on (SSO) password manager
☑️ Enable MFA for all accounts, mandatorily for email accounts, as an added layer of protection
☑️ Lock out users after five failed login attempts
Best Practices for Sharing a Password
Sharing passwords can be unsafe but there may be situations where it’s unavoidable. Password sharing might be required among coworkers to access shared resources. For example, a small business that doesn’t use a social media management tool will need to share the login credentials for various social platforms like Facebook, Twitter, and Instagram with multiple employees.
The conventional means of password sharing are far from ideal but they’re what most people rely on today. From sharing username and password combinations over email or messaging apps like Slack to simply writing them down on paper, it’s a potential cybersecurity incident waiting to happen.
To make sharing passwords more secure, you could discuss over the phone the accounts for which the credentials need to be shared. The details can then be split and sent using different platforms: the username could be sent via email and the password through a messaging app. So even if a bad actor were to come across one of the details, they would at least face some difficulty in putting all of the pieces together.
If that still sounds like a less than ideal scenario to you — you’re absolutely right. If password sharing has to happen in your organization, then you need to consider implementing a password manager to securely share credentials.
Password Management Is No Longer Optional
Back in the day, most organizations would only implement password management policies if they needed to meet regulatory requirements. The scale of the cybersecurity challenges today no longer gives IT admins that luxury. Stolen or weak credentials are the leading cause of data breaches, and consequently a password management policy is now essential for organizations.
The simplest way to do this is with an automated central system to enforce the password management policy across your IT environment, including endpoint devices, servers, applications, and networks. An open directory system would eliminate the need for manual oversight, thus reducing the potential for security lapses.
JumpCloud Can Help You Improve Password Security
JumpCloud IdentityOS® empowers organizations to implement highly effective password management policies. The policies are enforced within the secure environment of users’ JumpCloud-managed Mac and Windows devices.
Users are able to update and manage their credentials without requiring assistance from IT. IdentityOS also enforces password complexity requirements in addition to providing timely reminders for password rotations and updates.
Check out JumpCloud IdentityOS today for ironclad password management.