Password Policy Best Practices
World Password Day is Thursday, May 5, which is a good reminder that strong password policies are crucially important to a sound cybersecurity practice. Password guessing based on publicly available information is one of the most common tactics of malicious actors. Weak passwords also remain a top cause of data breaches for organizations of all types and sizes.
As a Network Administrator, you may already be in the spring cleaning mood and ready to re-examine your current policies for areas of improvement. Here are some best practices we recommend:
Enforce High-Complexity Passwords
To simulate the methods of real-world malicious actors, our assessment team has hardware that generates 15-20 billion passwords per second. That means we can try every password 8 characters or shorter in minutes, and passwords 9 characters or shorter in about four hours. Additionally, attackers have password dictionaries and guessing logic at their disposal. Our team’s list of 1.2 billion common passwords cracks about 20% of stolen password hashes in less than a second.
For effective passwords today, length is king. We suggest enforcing password requirements with 15-character minimums, which we’ve found to be even more effective than password complexity.
That said, complexity requirements like minimum numbers of symbols, digits, and capital letters can only help make your users’ passwords tougher to guess. One easy trick for coming up with high-complexity passwords that effectively thwart guessing tools is making acronyms out of sentences that have meaning to the user and are not easily guessed. For example, “my daughter was born on a Thursday at 11 pm at Peter Lougheed Hospital” equates to mdwboaT@11pm@PLH.
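As an added illustration of the length and complexity rules above (not code from the original post), the checker below enforces a 15-character minimum and the character-class requirements, rejects entries from a small constructed stand-in for a common-password list, and estimates the worst-case brute-force time at the 20 billion guesses per second figure quoted in the post:

```python
import string
from dataclasses import dataclass

# Guess rate from the post's figure (15-20 billion/s); the upper end is assumed here.
GUESSES_PER_SECOND = 20e9

# Constructed stand-in for a large common-password list (the post's has 1.2 billion entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class Policy:
    min_length: int = 15          # the post's recommended minimum
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True


def check_password(pw: str, policy: Policy = Policy()) -> list:
    """Return the list of policy violations for pw (empty means compliant)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if policy.require_digit and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if policy.require_symbol and not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems


def alphabet_size(pw: str) -> int:
    """Size of the combined character classes that pw draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 ASCII symbols
    return size


def seconds_to_exhaust(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password up to len(pw) over pw's classes."""
    n, length = alphabet_size(pw), len(pw)
    return sum(n ** k for k in range(1, length + 1)) / rate
```

Run against the post's own acronym example, `seconds_to_exhaust("mdwboaT@11pm@PLH")` comes out on the order of 10^21 seconds, while an 8-character lowercase password is exhausted in about 11 seconds at the same rate.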
Require Passwords to be Changed Regularly
This rule always makes end-users roll their eyes, but here’s one bit of good news: if you have high length and complexity requirements, the intervals between password changes do not need to be frequent.
In fact, we now recommend a one-year interval for password expiries, because studies have shown that more frequent changes wind up encouraging users to choose weaker new passwords. Given the length and complexity requirements, a yearly change is enough to turn an already difficult target into a moving one.
Use Multi-Factor Authentication (MFA)
Is it a bit more time-consuming for users to enter a code texted to their mobile number every time they log in? Yes. Does it pay off when combined with the other two measures listed above? Absolutely. Multi-factor authentication is easy to implement, and while we realize we sound like a broken record whenever we recommend MFA to any organization not using it, iON will always advocate for this measure because it works very well.
For organizations with multiple products and platforms that require authentication, you can make life easier by implementing a Single-Sign-On (SSO) solution. These tools let your users synchronize passwords between devices by letting them use one password as a key for high-complexity passwords that the tool automatically generates and stores. Almost every SSO tool incorporates multi-factor authentication, making MFA much more tolerable when there is only one accompanying password to go with it. The stored passwords are filled into password fields automatically, and these tools typically support multiple operating systems, browsers, and mobile device platforms.
While SSO may sound inherently less secure because it makes for only one password to remember, it isn’t, because these tools use strong encryption whenever transmitting that single password.
To Sum Up…
With just the measures above in place, you’ll be addressing the vast majority of security risks associated with weak password policies.
Happy World Password Day, everybody!