BASIC PASSWORD POLICIES/PASSWORD LENGTH
The National Institute of Standards and Technology (NIST), in Special Publication 800-63B, sets the minimum length of a user-chosen password at eight characters and says systems should accept passwords of at least 64 characters, with no truncation. Other security organizations suggest a larger minimum, typically between 12 and 15 characters. NIST itself points out that the longer the password, the more secure it is. I prefer the longer, 15-character minimum requirement.
I also recognize that creating long passwords is a challenge for many people. That's why we've created materials to help you learn how to create long, secure, and memorable passwords.
PASSWORD COMPOSITION
Passwords can consist of any combination of upper- and lower-case letters, digits, and special characters. NIST recommends accepting every printable ASCII character, including the space, as well as Unicode characters, and advises against forcing a particular mix of character classes, since length does more for security than mandated variety. The example below shows only a subset of what a system should accept.
Best Practice: When requiring a password, provide an example of the acceptable characters. That might look something like this:
“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-?.,”
PASSWORD LIFETIME
This policy establishes how long a password remains valid before it expires. Different organizations set different values, but the most common seem to be 90 days or one year. These days, most people believe 30 days is too short. Another approach is to use shorter periods for higher-risk users. For example, system administrators' passwords might expire after 30 days, while customers only have to update theirs annually. Regular employees' passwords might be good for 90 days.
Best Practice: Send notifications out to users to inform them their password is about to expire.
PASSWORD REUSE
Don't allow password reuse. This means:
- An expired password can never be used again.
- Users can't set the same password on two different systems.
Notes: The first rule requires you to keep a history of previously used passwords, stored as salted hashes exactly like the current password (never as plaintext or reversible encryption), and to compare every new password against that history before accepting it. The second rule is only enforceable where a central identity provider (single sign-on) manages the accounts on all of those systems; elsewhere it relies on user training and password managers. The Center for Internet Security recommends keeping 24 generations of history. I believe this should never be less than five generations.
PASSWORD RECOVERY
This is the process of recovering a forgotten password. In general, you shouldn't allow it. If you store passwords securely using a slow, one-way hash algorithm, they can't be recovered anyway: hashing is not encryption, and there is no key that turns the stored value back into the password. Never recover passwords, only replace them.
PASSWORD REPLACEMENT
Some call this password change. It requires several steps. First, the user must verify their identity, even if they don't remember their password. One way to do this is to send the user a one-time password through a trusted, previously registered channel, such as a message to their mobile phone or a direct conversation with the help desk. That one-time password should be single-use and short-lived, and it should grant access to the password change operation and nothing else.
Best Practice: Secure passwords can sometimes be difficult to enter. Offer users the ability to show or hide a password as they enter it.
PASSWORD STORAGE
It isn't enough to simply store a password; you must store it securely. The best recommendation is to store only the output of a secure, slow, one-way password hashing algorithm such as Argon2id, scrypt, bcrypt, or PBKDF2, never the password itself. You'll also need a salt, a random value generated separately for each password and combined with it before hashing, so that two users with the same password get different stored values and attackers can't crack them with precomputed tables. Look at the Open Worldwide Application Security Project (OWASP) Foundation's Password Storage Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) for current algorithm choices and parameters.
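The following is an added example, not code from the original article, showing salted, slow password hashing together with the history check the PASSWORD REUSE section calls for. It uses only the Python standard library (hashlib.scrypt and secrets); the stored-string layout "scrypt$n$r$p$salt$hash" and the work factors are assumptions made for this example, not a standard. A production system would normally use a maintained library such as argon2-cffi and its own encoding.

```python
"""Salted, slow password hashing plus a bounded password-history check.

Added example (not from the original article). Standard library only:
hashlib.scrypt needs Python 3.6+ built against OpenSSL 1.1+.
The stored format "scrypt$n$r$p$<salt hex>$<hash hex>" is an assumption
made for this example, not a standard encoding.
"""
import hashlib
import hmac
import secrets

# Work factors are assumptions for the example; tune so one hash costs
# roughly 100 ms or more on the hardware that will verify logins.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
HASH_LEN = 32   # bytes of derived key to store
SALT_LEN = 16   # bytes of random salt per password


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Slow one-way derivation of a fixed-length hash from password + salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=HASH_LEN)


def hash_password(password: str) -> str:
    """Return a self-describing string holding parameters, salt and hash."""
    salt = secrets.token_bytes(SALT_LEN)        # fresh random salt every time
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False                            # malformed record never verifies


class PasswordRecord:
    """Current hash plus the last `history_size` hashes, for reuse prevention.

    Only hashes are retained, so the history cannot leak old passwords."""

    def __init__(self, password: str, history_size: int = 24):
        self.history_size = history_size
        self.current = hash_password(password)
        self.previous = []                      # newest first, hashes only

    def check(self, password: str) -> bool:
        return verify_password(password, self.current)

    def change(self, old_password: str, new_password: str) -> bool:
        """Rotate to new_password unless it matches the current or a retained old one."""
        if not self.check(old_password):
            return False
        if self.check(new_password) or any(verify_password(new_password, h)
                                           for h in self.previous):
            return False                        # reuse refused
        self.previous.insert(0, self.current)
        del self.previous[self.history_size:]   # keep only history_size generations
        self.current = hash_password(new_password)
        return True
```

Because every record carries its own salt and parameters, you can raise the work factors later and rehash each user's password on their next successful login without a migration.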
PASSWORD TESTING
Security compromises on the Internet seem to be a daily occurrence. One best practice is to compare passwords against lists of already compromised passwords; NIST 800-63B requires this check whenever a password is chosen. Note that properly salted, slow hashes can't be matched against a breach list in bulk, so the practical moments to check are when the system briefly has the plaintext: at enrollment, at password change, and at login. If a check finds a match, report it and block the account until the user changes the password. Services such as https://haveibeenpwned.com publish breached-password hashes behind a k-anonymity API, so neither the password nor its full hash has to leave your system. Users can also test their own passwords there or rely on the breached-password warnings built into the Firefox and Chrome browsers.
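As an added example (not code from the original article or from Have I Been Pwned), here is the k-anonymity range check used by the Pwned Passwords service: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix sharing that prefix, and does the final match locally. To run offline, the network call is replaced by a constructed in-memory breach list; the "SUFFIX:COUNT" line format mirrors the real service, but the passwords and counts are made up for this example.

```python
"""Screening a candidate password against breached-password data using the
k-anonymity range model (added example; not from the original article).

The real service is GET https://api.pwnedpasswords.com/range/<5-hex-prefix>,
returning "SUFFIX:COUNT" lines. Here `fake_range_lookup` stands in for that
call and serves answers from a small constructed list, so nothing touches
the network.
"""
import hashlib
from typing import Callable, Tuple

# Constructed breach list standing in for the real corpus (example data only).
_CONSTRUCTED_BREACH_LIST = ["password123", "LetMeIn", "QWERTY", "ILOVEYOU", "123456"]


def sha1_upper_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses (SHA-1 is fine here:
    it is only an index into a public list, not a password store)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for the range endpoint: every breached hash whose first five
    hex characters equal `prefix`, as 'SUFFIX:COUNT' lines (counts made up)."""
    lines = []
    for i, pw in enumerate(_CONSTRUCTED_BREACH_LIST):
        h = sha1_upper_hex(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{1000 - i}")
    return "\r\n".join(lines)


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """How many times the password appears in the corpus; 0 means not found.
    Only the 5-character prefix is ever sent to `range_lookup`."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def screen_new_password(password: str,
                        range_lookup: Callable[[str], str] = fake_range_lookup
                        ) -> Tuple[bool, str]:
    """Policy decision at set time: refuse anything seen in a breach."""
    count = breach_count(password, range_lookup)
    if count:
        return False, f"rejected: this password appears in {count} known breaches"
    return True, "accepted"
```

To use the live service, replace `fake_range_lookup` with a function that fetches the range URL for the prefix and returns the response body; the rest of the logic is unchanged, and the full hash still never leaves your system.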
Best Practices: These simple steps can provide some extra help in securing passwords.
USE A PASSWORD MANAGER
Most companies require employees to maintain a dozen or more separate enterprise applications, each requiring different login credentials. This quickly becomes unmanageable, so people often write their passwords on sticky notes and stick them on their desks. Invest in a password manager instead. These tools not only help staff manage their logins; most can also generate long, random passwords for them, which makes a unique password per system practical.
PASSWORD LIFETIME
Password lifetime, or expiration, has recently become somewhat controversial. Both Microsoft and NIST have stated that passwords don’t need regular expiration. We disagree. We believe passwords should expire, but not as frequently as in the past. Obviously, they should be retired ASAP if there’s a general breach. But we have also seen, in the wake of some of the largest attacks, that it’s taken months or years of observations before passwords are discovered or disclosed. Not changing passwords leaves these systems vulnerable.
DON’T USE PASSWORD HINTS
Some systems show a password hint to help users who've forgotten their passwords, but a hint is visible to anyone who reaches the login screen and makes your system easier to attack. Using a personal question for verification is also flawed and insecure, because the answers are often public. Remember when former vice presidential candidate Sarah Palin's personal email account was broken into in 2008 because the answers to her security questions could be found in her public biography? If you must answer these questions for recovery, make up a random response and record it in a secure location such as your password manager. By the way, Microsoft uses both these techniques. They aren't setting a good example.
LIMIT LOGIN ATTEMPTS
In most cases, there's no reason to allow more than three login attempts. When a user fails for the third time, take a timeout and prevent another try for a while. I like to start with 15 minutes and double it on each further failure. After an hour-long lockout, lock the account until the user calls the help desk or call center. Be aware that lockout can be weaponized: anyone who knows a username can lock that user out deliberately, so also throttle by source address and keep the help desk unlock path quick.
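The policy above, as an added example (not code from the original article): three free failures, then a 15-minute lockout that doubles on each further failure (15, 30, 60 minutes), after which the account is hard locked until the help desk releases it. The clock is injectable so the behaviour can be exercised without waiting; the threshold, base delay and cap are taken from the text, and the state layout is an assumption of this example (a real deployment would keep it in a shared store and also key it by source address).

```python
"""Per-account login throttling: three strikes, then doubling lockouts,
then a hard lock (added example; not from the original article)."""
import time

MAX_FREE_ATTEMPTS = 3           # failures tolerated before the first lockout
BASE_LOCKOUT_SECONDS = 15 * 60  # first lockout length
MAX_LOCKOUT_SECONDS = 60 * 60   # a failure after a one-hour lockout hard-locks


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock         # injectable for testing
        self._state = {}            # account -> counters (assumed in-memory store)

    def _get(self, account: str) -> dict:
        return self._state.setdefault(account, {
            "failures": 0, "lockout_until": 0.0, "lockout_len": 0, "hard_locked": False})

    def status(self, account: str) -> str:
        """'open', 'locked' (temporary) or 'hard_locked' (help desk needed)."""
        s = self._get(account)
        if s["hard_locked"]:
            return "hard_locked"
        if self._clock() < s["lockout_until"]:
            return "locked"
        return "open"

    def seconds_until_open(self, account: str) -> float:
        return max(0.0, self._get(account)["lockout_until"] - self._clock())

    def record_failure(self, account: str) -> str:
        """Register a failed login and return the new status."""
        current = self.status(account)
        if current != "open":
            return current          # attempts during a lockout are refused, not counted
        s = self._get(account)
        s["failures"] += 1
        if s["failures"] < MAX_FREE_ATTEMPTS:
            return "open"
        if s["lockout_len"] >= MAX_LOCKOUT_SECONDS:
            s["hard_locked"] = True # the one-hour lockout was already spent
            return "hard_locked"
        s["lockout_len"] = (BASE_LOCKOUT_SECONDS if s["lockout_len"] == 0
                            else s["lockout_len"] * 2)
        s["lockout_until"] = self._clock() + s["lockout_len"]
        return "locked"

    def record_success(self, account: str) -> None:
        """A successful login clears the counters but never a hard lock."""
        if not self._get(account)["hard_locked"]:
            self._state.pop(account, None)

    def help_desk_unlock(self, account: str) -> None:
        """Only the help desk path clears a hard lock."""
        self._state.pop(account, None)
```

Because attempts made during a lockout are refused rather than counted, an attacker hammering the endpoint cannot accelerate the escalation; only failures made when the account is open advance it.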
USE MULTI-FACTOR AUTHENTICATION (MFA)
Use multi-factor authentication and offer it to your customers. All your employees, associates, staff, and other inside people should be using MFA. Show guests that you care about their security by offering them MFA as well. Microsoft, Google, and Authy have free authenticator apps for Apple and Android phones, and the standards behind them, HOTP (RFC 4226) and TOTP (RFC 6238), are open, so any system can generate and verify the same codes. For the highest-risk accounts, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, since one-time codes can be phished or relayed in real time. I didn't include MFA in the main body of the article because it isn't directly related to passwords, but it should be a policy in every secure business.
And In the End …
Train your people how to create good, secure, easy to remember passwords. Avoiding lazy password syndrome, which results in passwords like “LetMeIn,” “password123,” “QWERTY,” and “ILOVEYOU” can only make your systems more secure.