By Rajat Bhargava Posted April 28, 2015
A common tactic that IT admins use to increase the security of their user accounts is to create password requirements. The theory is that more complex passwords are harder for password cracking applications to break.
Sounds straightforward, right? But there is a great deal of debate in the Identity Management world as to whether increasing the complexity or the length of a password actually makes a difference.
Debate on the Importance of Password Complexity
Some will tell you that worrying about those issues isn’t going to make a significant difference. Most hacks don’t really involve people or systems “guessing” a user’s password. Rather, attackers infiltrate a network and grab the password database, then go to work reversing the passwords. In this model, password complexity is a moot point.
Advocates for more complex passwords will say that the more complex the passwords are, the harder it is for users to be compromised. Still, this can ultimately lead to hackers “grabbing” the password file.
An All-Encompassing Solution
Whichever side of the coin you are on, you’ll have the option of employing a variety of different password requirements through JumpCloud’s Directory-as-a-Service®. We go well beyond password length and complexity. JumpCloud’s cloud-based directory service connects users to the IT resources that they need.
Various IT Needs
IT resources can include applications, devices, and networks. They can live on-premises or in the cloud and run on a variety of different platforms. When connecting users to their IT resources, the connection of course involves a username and password. Occasionally the connection can use SSH keys, which are even stronger than passwords!
The DaaS Password Solution
Through JumpCloud’s Directory-as-a-Service, IT admins can specify a number of password requirements.
Of course, there are length and complexity requirements, which, as we outline above, are the subject of differing opinions within the industry.
We also add a number of other critical requirements that serve to greatly enhance security. One is a setting on password reuse. Perhaps one of the most underappreciated ways of increasing security, limiting the previous passwords that can be used helps drive unique passwords across personal and professional services.
When combined with password rotation, which is also a JumpCloud DaaS password setting, users are effectively forced to have unique passwords. JumpCloud’s password requirements also include the ability to limit password resets and to set the number of failed logins.
Password Management and JumpCloud
Password requirements can play a significant role in security. JumpCloud helps in a major way by giving organizations the power to implement regulations over password complexity and re-use.
These fall in line with mandatory requirements in compliance activities. Virtually all major security regulations contain a number of password requirement controls. For example, PCI Section 8 requires at least 7 characters, including both an alphabetic character and a numeric one.
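The reuse, rotation and minimum-complexity settings described above can be sketched as follows. This is an added example, not JumpCloud's code: the history depth, 90-day rotation interval, PBKDF2 work factor and all function names are assumptions, and only the 7-character alphabetic-plus-numeric rule comes from the PCI figure quoted above. It keeps the password history as salted hashes, so a stolen history file does not hand over old passwords in the clear.

```python
import hashlib
import hmac
import os
from datetime import timedelta

# Every value here is an assumption for illustration except MIN_LENGTH.
MIN_LENGTH = 7                 # PCI Section 8 minimum quoted above
HISTORY_DEPTH = 3              # assumed: previous passwords that may not be reused
MAX_AGE = timedelta(days=90)   # assumed rotation interval
PBKDF2_ROUNDS = 600_000        # assumed work factor for PBKDF2-HMAC-SHA256

def hash_password(password, salt=None):
    """Return (salt, digest). History is stored only in this form, never as plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def meets_complexity(password):
    """At least MIN_LENGTH characters with one alphabetic and one numeric character."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def is_reused(password, history):
    """history is a list of (salt, digest), newest first.

    Each entry has its own salt, so the candidate is re-derived per entry;
    comparing one fresh hash against the stored digests would never match.
    """
    for salt, digest in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False

def rotation_due(last_changed, now):
    """True once the current password is at least MAX_AGE old."""
    return now - last_changed >= MAX_AGE

def change_password(new_password, history):
    """Return (accepted, reason, updated_history)."""
    if not meets_complexity(new_password):
        return False, "complexity", history
    if is_reused(new_password, history):
        return False, "reuse", history
    # Keep only the newest HISTORY_DEPTH entries, including the new one.
    return True, "ok", [hash_password(new_password)] + history[:HISTORY_DEPTH - 1]
```

With a history depth of 3, a password becomes usable again only after three newer passwords have replaced it in the history.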