Password Policy Best Practices
World Password Day is Thursday, May 5, which is a good reminder that strong password policies are crucially important to a sound cybersecurity practice. Password guessing based on publicly available information is one of the most common tactics of malicious actors. Weak passwords also remain a top cause of data breaches for organizations of all types and sizes.
As a Network Administrator, you may already be in the spring cleaning mood and ready to re-examine your current policies for areas of improvement. Here are some best practices we recommend:
Enforce High-Complexity Passwords
To simulate the methods of real-world malicious actors, our assessment team has hardware that generates 15-20 billion passwords per second. That means we can try every password 8 characters or shorter in minutes, and passwords 9 characters or shorter in about four hours. Additionally, attackers have password dictionaries and guessing logic at their disposal. Our team’s list of 1.2 billion common passwords cracks about 20% of stolen password hashes in less than a second.
For effective passwords today, length is king. We suggest enforcing password requirements with 15-character minimums, which we’ve found to be even more effective than password complexity.
That said, complexity requirements like minimum numbers of symbols, digits, and capital letters can only help make your users’ passwords tougher to guess. One easy trick for coming up with high-complexity passwords that effectively thwart guessing tools is making acronyms out of sentences that have meaning to the user and are not easily guessed. For example, “my daughter was born on a Thursday at 11 pm at Peter Lougheed Hospital” equates to mdwboaT@11pm@PLH.
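As an added example (not iON's own tooling), the following Python check applies the 15-character minimum and a character-class requirement described above, and estimates how long a brute-force search would take at the 15 billion guesses-per-second rate quoted for the assessment hardware. The class sizes (26/26/10/33) and the three-class threshold are this example's assumptions.

```python
import re

# Character classes used for both the complexity check and the keyspace
# estimate. The class sizes are this example's assumption about the
# printable-ASCII alphabet, not figures from the original post.
CLASSES = {
    "lowercase": (re.compile(r"[a-z]"), 26),
    "uppercase": (re.compile(r"[A-Z]"), 26),
    "digits": (re.compile(r"[0-9]"), 10),
    "symbols": (re.compile(r"[^A-Za-z0-9]"), 33),
}


def present_classes(password):
    """Names of the character classes that actually occur in the password."""
    return [name for name, (rx, _) in CLASSES.items() if rx.search(password)]


def check_policy(password, min_length=15, min_classes=3):
    """Return a list of policy violations; an empty list means the password passes.
    Length is checked first because the post treats it as the primary control."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below the minimum of {min_length}")
    found = present_classes(password)
    if len(found) < min_classes:
        problems.append(f"only {len(found)} character class(es); need {min_classes}")
    return problems


def keyspace(password):
    """Number of candidates an exhaustive search must cover: the alphabet
    implied by the classes present, raised to the password length."""
    alphabet = sum(size for rx, size in CLASSES.values() if rx.search(password))
    return alphabet ** len(password)


def brute_force_seconds(password, guesses_per_second=15e9):
    """Worst-case time to exhaust the keyspace at the post's quoted guess rate."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed samples: the post's acronym password and a weak 8-character one.
    for pw in ("mdwboaT@11pm@PLH", "Summer22"):
        print(pw, check_policy(pw) or "OK",
              f"{brute_force_seconds(pw) / 3600:.1f} hours to exhaust")
```

The 8-character mixed-case sample exhausts in roughly four hours at that rate, while the 16-character acronym from the post pushes the search far beyond any practical timescale.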
Require Passwords to be Changed Regularly
This rule always makes end-users roll their eyes, but here’s one bit of good news: if you have high length and complexity requirements, the intervals between password changes do not need to be frequent.
In fact, we now recommend a one-year interval for password expiries, because studies have shown that more frequent changes wind up encouraging users to choose weaker new passwords. Combined with the length and complexity requirements, a yearly change is enough to turn an already difficult target into a moving one.
Use Multi-Factor Authentication (MFA)
Is it a bit more time-consuming for users to enter a code texted to their mobile number every time they log in? Yes. Does it pay off when combined with the other two measures listed above? Absolutely. Multi-factor authentication is easy to implement, and while we realize we sound like a broken record whenever we recommend MFA to any organization not using it, iON will always advocate for this measure because it works very well.
For organizations with multiple products and platforms that require authentication, you can make life easier by implementing a Single Sign-On (SSO) solution. These tools let your users synchronize passwords between devices by using one password as the key to high-complexity passwords that the tool automatically generates and stores. Almost every SSO tool incorporates multi-factor authentication, which makes MFA much more tolerable when there is only one accompanying password to go with it. The stored passwords fill in password fields automatically, and these tools typically support multiple operating systems, browsers, and mobile device platforms.
While SSO may sound inherently less secure because there is only one password to remember, it isn’t, because these tools use strong encryption whenever that single password is transmitted.
To Sum Up…
With just these above measures in place, you’ll be addressing the vast majority of security risks associated with weak password policies.
Happy World Password Day, everybody!