In today’s technology driven world, passwords are a necessity. They keep our private personal data safe. We have passwords for our email, our online banking, any online accounts we subscribe to and many more. Most companies also use and manage company- wide password protection for the business itself as well as its employees who work there. As passwords are sensitive data, they need to be used, stored, and managed properly. Most companies have password policies in place that they expect their employees to follow.
There have been recent recommendations that have led to changes around password policies by the National Institute of Standards and Technology (NIST), who write the definitive guidelines on passwords.
So, what are password policy practises and why should your organisation have a password policy in the first place?
Bad policies, bad passwords and you
Passwords are meant to keep sensitive company data safe, yet it turns out they have become a source of problems. Users tend to choose weak or simple to guess passwords. They often reuse the same passwords over multiple services. According to the figures, the problem runs a little deeper.
According to the 2019 State of Password and Authentication Security Behaviors report by the Ponemon Institute, 69% pf respondents share their credentials with colleagues. Another recent survey showed that two-thirds of companies don’t change passwords. The reasoning behind this concerning statistical figure is that over half of employees avoid changing their passwords because they worry, they will forget their new passwords, think the practise is irksome, or they just don’t see the point in changing their passwords at all.
In the Verizon 2019 Data Breach Investigations Report, phishing and credential compromise are the two most popular attack techniques used by hackers today. This is precisely why companies create and use passwords, to prevent these types of attacks, which compromise the integrity of the company, its clients, as well as its employees.
The need for strong password policy practises
Clear password policies are essential for any organisation. Password policies help set the rules on how passwords need to be created, when they need to be changed, and how they need to be managed properly to ensure the safety of company-wide sensitive information, as well as personal information. Best password policy practises benefit businesses in the following ways:
- The risk of data losses and data breaches due to credentials compromise is lowered.
- Password policies make password management easy and transparent.
- It sets clear, specific rules and requirements for employees to follow.
- Evaluate the effectiveness of the tools and approaches used.
- Password policy procedures ease compliance with password security standards and regulations.
Clearly, there are many company wide benefits to having a robust password policy. However, where do the actual guidelines come from that companies follow?
Who issues password guidelines?
The National Institute of Standards and Technology oversees the guidelines which govern password policy practises. They have been issuing them since 2014. There have been a few revisions over the years, the most recent in 2019. The NIST password guidelines cover the best required practices for password creation and management, as well as requirements for how to validate these passwords.
The aim of the NIST password guidelines is to help organisations make strong passwords which provide security for users, the businesses they work for and have strictly controlled access. These guidelines allow organizations and companies to better protect themselves against any unwanted intrusion attempts.
Other big names in creating password policy guidelines are Microsoft and The US Department of Homeland Security (DHS).
Outdated password management policies.
Once upon a time, there was a set of fundamental criteria that most organisations built their password policies around. The criteria tended to include the following three main password security guidelines:
- Required regular password changes.
- Each password must be unique and not previously used in any form.
- The passwords needed to be complex: consisting of alphabetic (both uppercase and lowercase) and numeric characters, and other special symbols.
These guidelines decades old and have been implemented in most business settings. Using these three principles isn’t necessarily wrong. However, they are no longer able to provide the support needed for modern day internet security needs.
The fact that around 57% of people still employ these outdated practices means that the door for phishing and malware attacks is still very much open for attackers. We’ve grown accustomed to the outdated recommendations and need to apply new password management practices to ensure maximum security. This brings us to the next crucial topic.
New recommendations for password policies.
The NIST has published a revised set of guidelines which now cover today’s security needs. Here is an overview of those new guidelines as it pertains to the existing password policy practises. Here are five key password policy recommendations:
- Strong passwords over complexity
- Get rid of mandatory password changes.
- Restrict reusing passwords.
- Store passwords securely
- Use advanced cybersecurity measures.
These recommendations are summarised from NIST, Microsoft, and the DHS. We will take a closer look at each recommendation below.
- Strong passwords over complexity
Complex passwords for a long time were considered the gold standard of secure passwords. Complex passwords were passwords with special characters and capitalised letters in them. However, recently this has changed in favour of strength. A strong password includes complexity, but it also includes two more characteristics: length and unpredictability. So, a strong password is complex, long, and hard to guess. Some ways to update your password policy so it focuses on making strong passwords include:
- Setting a minimum password length-both Microsoft and NIST recommend forbidding passwords that are shorter than 8 characters.
- Leave out special characters-If you require special characters, the passwords are not easy to remember, and they aren’t very secure as it turns out.
- Make passphrases a thing-combining several words into a passphrase is great way to create a strong password. Passphrases are incredibly easy to remember, but super hard to crack according to NIST SP 800-63.
- Long passwords should be allowed: Maximum password length limits needn’t be too strict, especially if you are allowing passphrases. NIST suggests setting the maximum limit not less than 64 characters when using passphrases.
- No common passwords allowed: Microsoft suggests restricting the use of all widely used passwords. For example, not allowing the use of ‘password1’ or ‘qwerty’.
- Get rid of mandatory password changes.
The old guidelines recommended having policies for mandatory password changes to avoid problems with password aging. Most security standards recommended setting the minimum age of a password from three to seven days and the maximum age anywhere between three to six months. However, the NIST recently updated these guidelines.
The new recommendations are to not require mandatory every three-month password changes if there is no evidence of a security breach. This is only part of the argument. The NIST further argues the tendency for a user to look for patterns and only change a few letters or numbers, weakens the password, making it less secure. Not only that, if a hacker already has the user’s information, and the user only makes slight changes to their password, the mandatory password change is pointless.
- Restrict reusing passwords.
More than half of people use a single password for multiple accounts, both personal and corporate, according to the Ponemon Institute. This obviously poses a threat to your business, if an employee gets compromised outside of work and is using the same password for their corporate account, then your business could be facing a data breach as well. Here are two things you can do to avoid this potential problem:
- Ban the use of at minimum the last five previous passwords.
- Enforcing password history in order to detect the repeated use of a password.
These two tips will help your users pick different passwords and not use the same ones over and over, increasing the risk of being hacked.
- Store passwords securely
Keeping track of passwords is convenient, especially for detecting password reuse. However, the priority needs to always be on security. Ensuring secure storage of all passwords within your network is a must. The following two rules will help keep your passwords secure:
- Use a password manager: Using a privileged access management tool with password management capabilities can help your business accomplish two things at once. For starters, it’s easier to work with complex, long passwords, as users will not have to remember every password. Secondly, a tool like this will also securely store your passwords In a password vault.
- Encrypt your passwords: If you want to make it even more difficult for attackers to compromise your passwords, then you should use encryption for passwords. Selecting a password management tool and/or an identity and access management tool that offers such capabilities is a good choice.
- Use advanced cybersecurity measures.
Basic password security requirements aren’t enough if you want your system to be well protected. Therefore, adding multi-factor authentication to your password policy is essential for an added security measure, as both Microsoft and NIST recommend.
Traditionally, authentication methods only require a user to input their login and password. Adding one more factor as confirmation of the identity of a user logging in is a great way to prevent an attacker from breaching your system. MFA solutions include adding a second identity-checking factor, a confirmed mobile device or a user’s biometrics for example, to the login process, thus ensuring the user is who they say they are and is allowed access to this account. Basically, MFA technology ensures better protection of the asset protected by the password rather than protecting the password itself.
Other new password policy recommendations
Besides the aforementioned recommendations, there are a couple more worth mentioning. The old recommendations relied heavily on the alphanumeric system as previously discussed. In other words, choosing upper and lowercase letters, numbers, and special characters. The new guidelines suggest using a more dynamic system. As mentioned earlier, they no longer recommend using special characters, but they also recommend users crafting their passwords by comparing them to a list of what are considered to be weak passwords. They also recommend comparing them to passwords that caused security breaches as well.
One way to do this is by using the site Have I Been Pwned. This site keeps records of major ID and password breaches. Users can also check to see if any of their logins have been compromised.
You can just check if a password exists in the breach database. This is useful for comparison against any passwords you are trying to create. Have I been Pwned is a great resource for having your users compare their passwords against, in order to make sure that they are creating and using strong passwords.
Another recommendation that NIST has completely reversed it’s previous perspective on since the last guideline revisions is copying and pasting passwords. Originally, they were completely against enabling copy/paste features when typing passwords. The new guidelines however reverse this recommendation. The Institute’s reasoning behind this change in the guidelines has to do with encouraging employees to stick with complex passwords. If an employee is forced to have type, from memory, a long, complex password, and then they are expected to have to change it, not use any repeated passwords, etc, the likelihood of them choosing to use a strong password is basically no chance at all.
However, by allowing copy/pasting features for passwords, that same employee is way more likely to not use simpler passwords but make use of a password manager. Password managers will then allow them to generate random passwords, which were automatically strong, store them for convenient use and security will not be compromised.
Conclusion
There have been many changes to existing password policy practises, and following the new updated guidelines is essential for keeping your enterprises safe and secure. Having a designated set of best password policy guidelines is necessary for your company to implement for all employees.
Regina Wheeler, an elearning consultant at Assignment writing services and PhD Kingdom, has been involved in many projects. She discusses and writes on topics such as management, marketing and finances. She also writes for Next Coursework.