Four Rules for a Robust Password Policy

Kris Wilkinson, September 14, 2021

A password policy is a simple way to improve your company's security. Implemented correctly, it makes it much harder for third parties to compromise accounts and therefore lowers the chance that your company experiences a breach. Most modern authentication systems (directory services, identity providers, web frameworks) can be configured to enforce one.

Ideally, each user's password should be as strong as possible. What makes a password strong? Length and complexity, for a start, but there is more to it. Did you know that, by the cracking estimates cited below, a 10-character password made only of lowercase letters can be cracked in 58 seconds? The exact figure depends on the attacker's hardware and on how the password is hashed; what matters is the ratio between short and long passwords. Read on to learn what makes up a strong password and which other factors to consider for your organization's password policy.

1. Minimum Length

Minimum length is the most essential part of the policy, and a strong password policy should enforce one. Each additional character multiplies the number of candidates an attacker has to try, so length is the single largest factor in how long a password survives an offline cracking attack, however fast the attacker's hardware.

Here's how long it takes to break passwords:

[Chart omitted: estimated time to crack a password by length and character set (Source)]

Passwords should be at least 12 characters long and preferably draw on two or more character classes (see the next rule).

2. Complexity requirements

Complexity complements length. Passwords should contain both uppercase and lowercase letters, as well as numbers and some special characters ($#@%!). The more character classes a password draws from, the larger the keyspace per character and the longer it takes to guess. Complexity rules have a known side effect, though: users satisfy them in predictable ways (capital letter first, digit and "!" last), so length still matters more than class count, and a check against known-breached passwords catches what composition rules miss.
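To make rules 1 and 2 concrete, here is a small policy checker in Python. It is an added example, not code from the original article: the thresholds (12 characters, two classes) are the article's, the function names and the 1e10 guesses/second rate are this example's own assumptions, and `keyspace_bits` is an upper bound that shows why a long lowercase passphrase outranks a short "complex" password.

```python
import math
import string

# Policy values taken from the article's rules (at least 12 characters, two or more
# character classes); adjust to your own policy. Function names are this example's own.
MIN_LENGTH = 12
MIN_CLASSES = 2

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def classes_present(password):
    """Names of the character classes that occur at least once in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def check_password(password, min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Return the list of policy violations; an empty list means the password is compliant."""
    violations = []
    if len(password) < min_length:
        violations.append(f"too short: {len(password)} < {min_length} characters")
    present = classes_present(password)
    if len(present) < min_classes:
        violations.append(f"only {len(present)} character class(es); need {min_classes}")
    return violations


def keyspace_bits(password):
    """Upper bound on strength in bits, assuming every character was drawn uniformly
    from the union of the classes present: length * log2(alphabet size). Human-chosen
    passwords are far more predictable than this, so treat the number as a ceiling."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_present(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def crack_time_seconds(bits, guesses_per_second=1e10):
    """Expected time to find the password by exhausting half the keyspace at the given
    guess rate. 1e10/s is an assumed figure for an offline attack on a fast, unsalted
    hash (MD5, NTLM); a slow salted hash such as bcrypt or Argon2 lowers the rate by
    several orders of magnitude."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    for pw in ["Ab1!", "abcdefghijkl", "Bottle-Carp3t-Stick-22!!"]:
        bits = keyspace_bits(pw)
        print(f"{pw!r:28} violations={check_password(pw)} "
              f"bits={bits:.1f} crack~{crack_time_seconds(bits):.3g}s")
```

Running it shows the trade-off the two rules are about: 16 lowercase letters (about 75 bits) beat 8 characters from all four classes (about 52 bits), so a policy that accepts long passphrases loses nothing by relaxing composition rules.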

3. Password Age

There are two types of password ages: maximum and minimum.

A maximum password age forces a change after a set number of days, usually 180, so passwords are replaced twice a year and a stolen password has a limited useful life. Be aware that current guidance (NIST SP 800-63B) recommends against forcing routine changes, because users respond with predictable variations of the old password; if you keep a maximum age, pair it with a history rule and force an immediate change whenever compromise is suspected.

A minimum password age requires that a new password be kept for a set time (typically one day) before it can be changed again. Without it, a user can cycle through the whole history list in a few minutes and land back on the old password.

Using a maximum and minimum password age will help you draft a more secure password policy.

4. Password Reuse or History

Passwords should never be reused:

  • On a single system (e.g., using a previous password) or
  • On multiple systems (e.g., using the same password at the same time for multiple systems)

When an online service is compromised, attackers take the leaked credentials and replay them against other services (credential stuffing). Many major online services have suffered breaches in the last decade, so don't assume that you weren't affected.

Verify whether your credentials appear in a known breach by visiting Have I Been Pwned, which offers a free search of past breaches; its Pwned Passwords service also lets you check a password itself against breached password sets without sending the password to the site. If you discover that you were included in a breach, change your password immediately on every service where the same password was used.

From a policy perspective, enforcing password history (remembering the hashes of the last N passwords) prevents users from setting an old password again. Combined with the 180-day maximum age, this ensures an expired password is genuinely replaced rather than recycled.
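The breach check from the Have I Been Pwned paragraph and the history and age rules from this section fit naturally into one change-password handler. The following Python is an added example, not code from the original article or from Have I Been Pwned: it implements the Pwned Passwords k-anonymity lookup (only the first five hex characters of the SHA-1 hash are sent; the suffix is matched locally), a salted PBKDF2 history list, and the minimum and maximum age checks. The history depth of 5 and minimum age of one day are assumptions; the 180-day maximum is the article's. The sample range response is constructed so the example runs offline; `live_fetch` performs the real HTTPS call.

```python
import hashlib
import hmac
import os
import urllib.request

# Policy values: 180-day maximum age is from the article; history depth of 5 and a
# one-day minimum age are assumed for this example.
HISTORY_DEPTH = 5
MIN_AGE_SECONDS = 1 * 24 * 3600
MAX_AGE_SECONDS = 180 * 24 * 3600
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_split(password):
    """SHA-1 the password; only the first 5 hex chars go to the API, the remaining 35
    stay local, so the service learns a bucket of hashes but never your password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix, range_body):
    """Parse a range response ('SUFFIX:COUNT' per line); 0 means not in any known breach."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def live_fetch(prefix):
    """Real HTTPS lookup of one prefix bucket (not used by the offline demo below)."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=live_fetch):
    prefix, suffix = hibp_split(password)
    return breach_count_from_range(suffix, fetch(prefix))


# Constructed stand-in for the bucket returned for prefix 5BAA6 (the SHA-1 prefix of
# "password"); all counts and every suffix except the third are made up for the demo.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5E7D1C5B4A7B6E2B1D0F9A3C8E7D6F5A4:1
"""


def offline_fetch(prefix):
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def history_hash(password, salt):
    """Slow, salted hash for the history list so a leaked history is not cheap to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class Account:
    def __init__(self):
        self.history = []      # [(salt, hash)], oldest first; last entry is the current password
        self.changed_at = None  # unix time of the last successful change

    def set_password(self, password, now, fetch=live_fetch):
        """Apply the rules; returns the list of violations (empty means the change was applied)."""
        problems = []
        if self.changed_at is not None and now - self.changed_at < MIN_AGE_SECONDS:
            problems.append("minimum password age not reached")
        if any(hmac.compare_digest(history_hash(password, salt), digest)
               for salt, digest in self.history):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        n = breach_count(password, fetch)
        if n:
            problems.append(f"found in {n} breach records")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history = (self.history + [(salt, history_hash(password, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now
        return []

    def expired(self, now):
        """Maximum-age check: true once the current password is 180 days old (or unset)."""
        return self.changed_at is None or now - self.changed_at >= MAX_AGE_SECONDS
```

Note that the history stores salted PBKDF2 hashes rather than the old passwords or plain SHA-1 values: a history table is a list of passwords the user is likely to reuse elsewhere, so it deserves the same protection as the live credential.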

Additional Security Measures

Passphrasing

Remembering passwords can be difficult, especially when they must be at least 12 characters long, meet complexity rules, and cannot be reused. Passphrasing offers a simple solution: string several random words together as your password.

For example:  Bottle-Carp3t-Stick-22!!

The general idea is to pick 3-4 unrelated words, ideally chosen at random by a generator rather than by you, and add some complexity. Instead of memorising a string of random characters, you remember a short phrase.

Check out Use a Passphrase for more information and a passphrase generator.
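As an added example that is not from the original article or from Use a Passphrase, here is a passphrase generator in Python. The words are drawn with the operating system's random source (`secrets`, not `random`), the 16-word list is a constructed stand-in for a real list of several thousand words, and the article's 12-character minimum is checked. `passphrase_entropy_bits` generalises the advice: the strength of a random passphrase depends only on the number of words and the size of the list, not on how odd the words look together.

```python
import math
import secrets

# Constructed miniature word list for illustration only; a real generator uses a list
# of a few thousand words (the EFF long list, for example, has 7,776 entries).
WORDS = ["bottle", "carpet", "stick", "lantern", "pebble", "walrus", "orbit", "velvet",
         "meadow", "copper", "tundra", "quartz", "saddle", "noodle", "falcon", "ember"]

MIN_LENGTH = 12  # the article's minimum length rule


def generate_passphrase(n_words=4, wordlist=WORDS, separator="-"):
    """Join n_words uniformly random words. secrets.choice uses the OS CSPRNG; the
    random module is seeded predictably and must not be used for credentials."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of a uniformly chosen passphrase: n_words * log2(list size). Capitalising
    a letter or appending '22!!' the way everyone does adds almost nothing to this."""
    return n_words * math.log2(wordlist_size)


def meets_min_length(passphrase, min_length=MIN_LENGTH):
    """Length check from rule 1; a 3-word phrase from a real list clears 12 easily."""
    return len(passphrase) >= min_length


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, meets_min_length(phrase),
          f"{passphrase_entropy_bits(4, len(WORDS)):.1f} bits from this toy list,",
          f"{passphrase_entropy_bits(4, 7776):.1f} bits from a 7,776-word list")
```

Four words from a 7,776-word list give about 52 bits even though an attacker knows the list and the format; that is the property a user-invented phrase lacks.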

Multi-Factor Authentication

Multi-Factor Authentication should complement every strong password policy.

MFA requires a second proof of identity at login, so a password alone, whether phished, guessed or lifted from a breach, is not enough to get into the account. Microsoft reported in 2019 that enabling MFA blocks more than 99.9% of automated account-compromise attacks. It is not a complete barrier: an attacker who already has the password can still try to phish the one-time code in real time or send push prompts until the user approves one, which is why phishing-resistant methods such as FIDO2/WebAuthn security keys are preferred where available.

When MFA is active, a random code or prompt (push notification) is sent to a user’s mobile device to confirm their identity. Microsoft released an article on the success rate of Multi-Factor Authentication. For more information on MFA, check out our article here.

Password Manager

There is a tool to assist with the storage and generation of strong passwords: a password manager. A password manager securely stores the passwords for your various logins, and most will also generate a strong random password for you. Because the manager remembers the password, there is no need for you to memorise what you set.

Using a password manager helps with the enforcement of your password policy. If users no longer have to remember their passwords, it becomes easy for them to use long, random or complex ones, and a password manager therefore raises the security of your organization.

We use and recommend LastPass as a password security solution.

Conclusion

Password policies are both simple and effective. They increase your company's security by requiring users to choose stronger passwords. An effective password policy should include:

  • Minimum length
  • Complexity requirements
  • Password Age
  • Password Reuse and History

Some additional tools to help security for your organization are:

  • Multi-Factor Authentication
  • Password Managers

Thanks for reading. If you have any questions about how to implement a strong password policy in your organization, or you’re looking for help with your cybersecurity needs, reach out to us.