Password Policy Best Practices
World Password Day is Thursday, May 5, which is a good reminder that strong password policies are crucially important to a sound cybersecurity practice. Password guessing based on publicly available information is one of the most common tactics of malicious actors. Weak passwords also remain a top cause of data breaches for organizations of all types and sizes.
As a Network Administrator, you may already be in the spring cleaning mood and ready to re-examine your current policies for areas of improvement. Here are some best practices we recommend:
Enforce High-Complexity Passwords
To simulate the methods of real-world malicious actors, our assessment team has hardware that generates 15-20 billion passwords per second. That means we can try every password 8 characters or shorter in minutes, and passwords 9 characters or shorter in about four hours. Additionally, attackers have password dictionaries and guessing logic at their disposal. Our team’s list of 1.2 billion common passwords cracks about 20% of stolen password hashes in less than a second.
For effective passwords today, length is king. We suggest enforcing password requirements with 15-character minimums, which we’ve found to be even more effective than password complexity.
That said, complexity requirements like minimum numbers of symbols, digits, and capital letters can only help make your users’ passwords tougher to guess. One easy trick for coming up with high-complexity passwords that effectively thwart guessing tools is making acronyms out of sentences that have meaning to the user and are not easily guessed. For example, “my daughter was born on a Thursday at 11 pm at Peter Lougheed Hospital” equates to mdwboaT@11pm@PLH.
Require Passwords to be Changed Regularly
This rule always makes end-users roll their eyes, but here’s one bit of good news: if you have high length and complexity requirements, the intervals between password changes do not need to be frequent.
In fact, we now recommend a one-year interval for password expiries because studies have shown that more frequent changes wind up encouraging users to choose weaker new passwords. This will be enough to make a moving target out of an already difficult target for attackers to hit based on the length and complexity requirements.
Use Multi-Factor Authentication (MFA)
Is it a bit more time-consuming for users to enter a code texted to their mobile number every time they log in? Yes. Does it pay off when combined with the other two measures listed above? Absolutely. Multi-factor authentication is easy to implement, and while we realize we sound like a broken record whenever we recommend MFA to any organization not using it, iON will always advocate for this measure because it works very well.
For organizations with multiple products and platforms that require authentication, you can make life easier by implementing a Single-Sign-On (SSO) solution. These tools let your users synchronize passwords between devices by letting them use one password as a key for high-complexity passwords that the tool automatically generates and stores. Most every SSO tool incorporates multi-factor authentication, making MFA much more tolerable when there is only one accompanying password to go with it. The multiple passwords they store fill password fields automatically and typically support multiple operating systems, browsers, and mobile device platforms.
While SSO may sound inherently less secure because it makes for only one password to remember, it isn’t, because these tools use strong encryption whenever transmitting that single password.
To Sum Up…
With just these above measures in place, you’ll be addressing the vast majority of security risks associated with weak password policies.
Happy World Password Day, everybody!
You might also like
iON at the Western Canada Information Security Conference
The Western Canada Information Security Conference is back on May 16-17! This year’s event will once more bring together IT Security and Audit professionals plus OEM and local vendors for two days of top-notch presentations and excellent networking opportunities. The top names in cybersecurity will be well represented at this year’s event, so if you’re…
ICS Malware: Industroyer2 and Pipedream
Last week, two new ICS malware tools were unveiled to the world that have the potential to wreak havoc on North American industrial control systems.Industroyer2Industroyer2 was a major component of a recent, unsuccessful attack on high-voltage electrical substations in Ukraine. This attack was linked to Sandworm, a threat group affiliated with Russia’s GRU military intelligence…
Sequent AI Announces Acquisition of iON United Inc.
TORONTO, ON, April 20, 2022 – Sequent AI (“Sequent”) is pleased to announce its acquisition of iON United Inc. (iON), one of Canada’s most reputable cybersecurity solution providers. This strategic investment accelerates the company’s ability to offer new services to valued customers, deepen partner relationships, and meet the demand of a growing industry through the…