Password complexity requirements can be confusing for IT organizations. A great deal has been written about password management best practices over the years, and some of the advice conflicts. That leaves admins with questions:

Q: Is it better to require long passwords rather than complex ones?

Q: What if our organization uses multi-factor authentication (MFA)? Does it then really matter what the password is?

Let's dive in!
Historically, complex passwords were assumed to be more secure. Over the past few years, however, the thinking around passwords has evolved: enforcing password length is now considered more important than enforcing password complexity.

When users have to juggle multiple passwords with complexity requirements, they tend to pick a simple word or phrase and tack a number and a special character onto it, for example "Password123!". Longer passwords, on the other hand, are far less likely to be compromised: it takes 62 trillion times longer to crack a 12-character password than a six-character one.

It is true that 60% of users reuse passwords across multiple sets of credentials. Since a single data breach can then put their entire online presence at risk, it could be argued that passwords should be rotated often.

In practice, however, forcing users to change passwords every few months leads to password fatigue. When frequent password rotation is enforced, people are more likely to opt for simple, easy-to-remember passwords that are not secure enough.
Using dictionary words in passwords was long discouraged because they can be cracked quickly by a brute-force or dictionary attack, and this still holds true for short passwords. It is possible, though, to build very strong passwords out of dictionary words; all it requires is a bit of diligence.

Use four or five lengthy dictionary words with a mix of other characters to create a strong password. For example, "cloud.novella-candlestick.backpack" is a strong password. Be sure the password is actually unique by checking it against a known password dictionary first.

You can also use dictionary words to create easy-to-remember acronyms. Take a sentence, or the words of a favorite song, and use the first letter of every word to make a seemingly random string. "For those about to rock, we salute you" becomes "ftatrwsy". If you can work in a phrase with numbers, "too good to be true" becomes "2g2bt".

Social engineering attacks rely on information about the user that can easily be obtained and then used to compromise their identity. That is one of the reasons why passwords built from personal information are a bad idea.

Much of this information can likely be discovered on social networks or in public records, including:

If other password management best practices are followed, using this information in a password should not cause problems. However, it is always best to leave easily guessed information out of passwords for complete peace of mind.
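As an added illustration (not code from the article or from JumpCloud), the following Python checks a candidate password the way the paragraphs above describe: length first, then a lookup against a known-password list, then a scan for personal details, plus the acronym and dictionary-word passphrase constructions. The word lists, the 12-character minimum and the number-word substitutions are constructed assumptions.

```python
import re
import secrets

# Constructed stand-in for a real known/breached password dictionary.
COMMON_PASSWORDS = {"password", "password123", "password123!", "qwerty", "letmein", "123456", "iloveyou"}

# Constructed word list for passphrase generation; a real deployment would use a large list.
WORDLIST = ["cloud", "novella", "candlestick", "backpack", "harbor", "lantern", "meadow", "quartz", "saddle", "tundra"]

MIN_LENGTH = 12  # assumption: a length-first policy, as the article recommends

# Assumed homophone substitutions that turn "too good to be true" into "2g2bt".
NUMBER_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4", "ate": "8"}


def acronym(sentence, number_words=None):
    """First letter of each word; optionally swap number-like words for digits."""
    number_words = number_words or {}
    words = re.findall(r"[A-Za-z']+", sentence.lower())
    return "".join(number_words.get(w, w[0]) for w in words)


def check_password(candidate, personal_info=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()  # "Password123!" must still match the dictionary entry
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the known password dictionary")
    for item in personal_info:  # names, birth years, pet names, ... supplied by the caller
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information: {item!r}")
    return problems


def generate_passphrase(words=4, separators=".-_"):
    """Join randomly chosen dictionary words with random separators, cloud.novella-candlestick.backpack style."""
    chosen = [secrets.choice(WORDLIST) for _ in range(words)]
    phrase = chosen[0]
    for word in chosen[1:]:
        phrase += secrets.choice(separators) + word
    return phrase
```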
Once compromised, passwords quickly end up being traded on the dark web. With so many users relying on the same password for multiple services, just one security breach can lead to their identity being compromised across all platforms.

PCI compliance standards for passwords are some of the most comprehensive in the industry. To comply, a password must be at least seven characters long and contain both numbers and letters. Users must change their passwords every 90 days, and their last four passwords cannot be reused. Users are also locked out for 30 minutes after six failed login attempts.

HIPAA makes no specific recommendations about password management; passwords are mentioned only once in the entire text of HIPAA. Ideally, a HIPAA password policy should follow the latest recommendations from NIST, which, among other things, suggest a minimum password length of eight characters.

Much like HIPAA, Sarbanes-Oxley Section 404 is vague and does not outline specific recommendations for password management. The general guidance from security auditors is that organizations should follow NIST recommendations for SOX 404 passwords.

DISA STIG password requirements are some of the most stringent in the industry, since they are written for the U.S. Department of Defense. That does not mean they are out of reach for the average organization. The minimum requirements include:
We have created a checklist based on the guiding principles for password management discussed above. These are the best practices everyone should follow to improve online security:

☑️ Use unique passwords that are long and easy to remember

☑️ Check a password dictionary to make sure you are not using a password that many others use

☑️ Never write passwords on a piece of paper or save them in plain text in a browser

☑️ Where possible, use a single sign-on (SSO) password manager

☑️ Lock out users after five failed login attempts
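To make the PCI DSS figures above and the checklist's lockout item concrete, here is an added Python sketch (not JumpCloud's code) of the server-side state they imply: a salted password history that refuses the current password and the four before it, a failed-attempt counter that locks the account for 30 minutes after six failures (set max_failures=5 for the checklist), and an age check for the 90-day rotation. The hashing parameters and the data layout are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Policy:
    max_failures: int     # PCI DSS figure from the article: 6 (the checklist uses 5)
    lockout_seconds: int  # PCI DSS: 30 minutes
    history_size: int     # PCI DSS: the last four passwords cannot be reused
    max_age_seconds: int  # PCI DSS: change every 90 days


PCI_POLICY = Policy(max_failures=6, lockout_seconds=30 * 60, history_size=4, max_age_seconds=90 * 86400)


@dataclass
class Account:
    history: list = field(default_factory=list)  # newest first: (salt, digest, set_at)
    failures: int = 0
    locked_until: float = 0.0


def _digest(password, salt):
    # Salted PBKDF2 so the stored history is not plaintext (iteration count is an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(account, new_password, policy, now):
    """Reject reuse of the current password or the previous history_size ones; otherwise store it."""
    for salt, digest, _ in account.history:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            return False
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(new_password, salt), now))
    del account.history[policy.history_size + 1:]  # keep current + history_size previous
    account.failures = 0
    return True


def authenticate(account, password, policy, now):
    """Return 'locked', 'bad', 'expired' or 'ok'; lock the account after max_failures bad attempts."""
    if now < account.locked_until:
        return "locked"  # even a correct password is refused until the lockout ends
    if not account.history:
        return "bad"
    salt, digest, set_at = account.history[0]
    if hmac.compare_digest(_digest(password, salt), digest):
        account.failures = 0
        return "expired" if now - set_at > policy.max_age_seconds else "ok"
    account.failures += 1
    if account.failures >= policy.max_failures:
        account.locked_until = now + policy.lockout_seconds
        account.failures = 0
    return "bad"
```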
Sharing passwords can be unsafe, but there may be situations where it is unavoidable. Password sharing might be required among coworkers to access shared resources. For example, a small business that does not use a social media management tool will need to share the login credentials for platforms like Facebook, Twitter, and Instagram with multiple employees.

The conventional means of password sharing are far from ideal, but they are what most people rely on today. From sending username and password combinations over email or messaging apps like Slack to simply writing them down on paper, it is a cybersecurity incident waiting to happen.

To make sharing somewhat safer, you could agree over the phone which accounts need their credentials shared, then split the details and send them over different channels: the username via email, the password through a messaging app. Even if a bad actor came across one of the details, they would have some difficulty putting all of the pieces together.

If that still sounds less than ideal, you are absolutely right. If password sharing has to happen in your organization, you need to consider implementing a password manager to share credentials securely.
Back in the day, most organizations only implemented password management policies when they needed to meet regulatory requirements. The scale of today's cybersecurity challenges no longer gives IT admins that luxury. Stolen or weak credentials are the leading cause of data breaches, and consequently a password management policy is now essential for organizations.

JumpCloud IdentityOS® empowers organizations to implement highly effective password management policies. The policies are enforced within the secure environment of users' JumpCloud-managed Mac and Windows devices.

Users are able to update and manage their credentials without assistance from IT. IdentityOS also enforces password complexity requirements and provides timely reminders for password rotations and updates.

Check out JumpCloud IdentityOS today for ironclad password management.