Password Management Best Practices
Published 2022-08-24, last modified 2024-01-29. Source: https://jumpcloud.com/blog/best-practices-password-management

Password complexity requirements can be confusing for IT organizations. A great deal has been written about password management best practices over the years, but some of the guidance is conflicting. That leaves admins with questions:

Q: Is it better to just have lengthy passwords rather than complex ones?

Q: Should passwords be rotated? If so, how often? And how many of the previous passwords should be off limits?

Q: What if our organization leverages multi-factor authentication (MFA)? Then does it really matter what the password is?

We've got answers to these questions and more below. While no password policy is a panacea, there are a number of best practices your organization can follow to promote better identity security. We also recognize that many organizations already have standards or are required to follow specific approaches based on their compliance requirements.

Let's dive in!

Guiding Principles of Password Management

Longer Is Better

Historically, it was assumed that complex passwords are more secure. However, over the past few years, the thinking around passwords has evolved. Enforcing password length is now considered more important than enforcing password complexity.

When users are juggling multiple passwords with complexity requirements, they tend to pick a simple word or phrase and tack a number and a special character onto it, for example: Password123! Longer passwords, on the other hand, are far less likely to be compromised by guessing, because it takes 62 trillion times longer to crack a 12-character password than a six-character one.

Finding the right balance between length and complexity is crucial. Most security professionals advise that passwords should be a minimum of 12 characters in length and include at least numbers and special characters.

Password Rotation Is Less Valuable than Unique Passwords

Yes, it's true that 60% of users reuse passwords across multiple sets of credentials. Since it takes only a single data breach to put their entire online presence at risk, it could be argued that passwords should be rotated often.

In practice, however, forcing users to change passwords every few months leads to password fatigue. When frequent password rotation is enforced, people are more likely to opt for simple, easy-to-remember passwords that aren't secure enough.

The better approach is to require longer and stronger passwords that are difficult to compromise in the first place, enforce rotation only occasionally or in the event of a breach, and implement policies that prevent the reuse of previous passwords.

Dictionary Words Are Fine if the Password Is Long Enough

Using dictionary words in passwords was long discouraged because they can easily be cracked with a brute-force attack, and this still holds true for short passwords. It is possible, however, to use dictionary words to create very strong passwords; all it requires is a bit of diligence.

Use four or five lengthy dictionary words with a mix of other characters to create a strong password. For example, "cloud.novella-candlestick.backpack" is a strong password. But be sure you're using a unique password by checking it against a known password dictionary first.

You can also leverage dictionary words to create easy-to-remember acronyms. Just take a sentence or, say, the words to a favorite song and then use the first letter of every word to make a random-looking string. "For those about to rock, we salute you" becomes "ftatrwsy". If you can add in a phrase with numbers, that could be "too good to be true" (2g2bt).

Keep User and Personal Information out of the Password

Social engineering attacks rely on easily obtainable information about the user to compromise their identity. That's one reason why passwords containing personal information are a bad idea.

Much of this information can likely be discovered on social networks or in public records, including: