Ensuring strong password security is crucial as passwords serve as the initial defense against cybercriminals seeking unauthorized access to your data.

Password Basics

  • Passwords have been used in computer systems since the earliest days of computing.

    The Compatible Time-Sharing System (CTSS), an operating system introduced at MIT in 1961, was the first computer system to implement a password-based login.

    Passwords are the easiest form of computer security to implement, and over the years, security experts have tried to make passwords harder to crack.

    Having a proper password policy in place, one that enforces system-specific rules on the creation and use of passwords, is one of the easiest things an organization can do to protect itself from the misuse of valuable company information.

  • The goal of a proper password policy is to make passwords harder to crack by enforcing various system specific rules on the creation and use of passwords.

    As easy as they are to implement, however, the wide variety of password policies in use has had a debatable effect on the overall security of computer systems.

    Some of the larger players in the Information Technology (IT) standardization area (NIST, Microsoft, etc.) have recently developed new password policies based on two primary principles:

    1. Leveraging real-world data on how attackers work

    2. Making it easier for users to create, remember, and use secure passwords (the human factor)

    The goal of a password policy is to consolidate this new password guidance in one place: ideally, a single comprehensive password policy can serve as a standard wherever a password policy is needed.

    The recommendations below draw on the guidance of the Center for Internet Security (CIS), the organization that develops and maintains the CIS Controls® and CIS Benchmarks™, together with real-world input from the CIS-managed Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®).

    The intention in developing a password policy for your organization is not to reinvent the wheel, but rather to apply standards and existing documented best practices in a single source.

    Your organization’s password policy should not be created to focus on the password itself, but on the overall goal a password serves.

    Passwords provide strong user authentication and help to keep attackers out of systems.

    However, even the strongest password requires other protections to be in place to be most effective (e.g. Multi-Factor Authentication (MFA), account lockouts, account monitoring, etc.).

    MFA is a highly effective security technique, and even though there is a section devoted to it below, it deserves a special mention as a tool in the creation of any password policy.

  • The Center for Internet Security recommends the following as a minimum set of standards to be observed in a good Password Policy:

    Password Length (Min): 14 characters for a password-only account; 8 characters for the password factor of an MFA account.

    Password Length (Max): No limit.

    Password Composition: Password-only account: require at least 1 non-alphabetic character. MFA account (password factor): no composition requirement.

    Password Expiration: Change immediately based on events, with a one-year expiration “backstop” (annual).

    Password Banning: Top 20 or more common bad passwords checked on new password creation.

    Previously Used PW List: Last 5 or more.

    Password Change Delay: 1 day or more.

    Session Lock When Idle: Set to 15 minutes of idle time or less; the session lock login should be the same type as the normal account login.

    Limit Failed Login Attempts: Temporary account lockout (15 minutes or more) after 5 consecutive failed attempts, or time-doubling throttling (in minutes) between each retry (0, 1, 2, 4, 8, etc.). In both cases, a permanent account lockout (IT reset required) after 10 consecutive failed attempts.

    Monitor Failed Login Attempts: Alert key personnel when the above login limit is reached.

    Suspend Accounts on Non-Use: Automatically suspend the account after 45 days without a valid login.

    Password Hints (Login): No password hints should ever be given at login.

  • Passwords alone are not the best security solution.

    MFA, sometimes referred to as Two-Factor Authentication (2FA), is a security enhancement that allows the user to present two, or more, pieces of evidence (referred to as factors) when logging in to an account.

    MFA has proven to be a successful way to prevent account compromises.

    This is because the attacker needs to obtain multiple pieces of evidence from the user instead of one. That is considerably more work, so attackers generally move on to accounts that lack MFA, though real-time phishing proxies such as Modlishka (see the attack list below) can relay weaker one-time-code factors, which is why the strength of the second factor matters.

    MFA factors can fall into any of these three categories:

    • Something You Know: A password or Personal Identification Number (PIN)

    • Something You Have: A smart card, security token, an authentication application or a Short Message Service (SMS) text to the user’s mobile phone (the weakest of these, since SMS messages can be intercepted or redirected by SIM swapping)

    • Something You Are: A fingerprint or retina pattern

    The user’s factors must come from two different categories to enhance security, so entering two different passwords would not be considered multi-factor authentication.

    MFA is among the most effective user authentication controls available today, and the additional step has minimal impact on usability.

    “Two-step” or “multi-step” authentication is not the same as 2FA or MFA. “Two-step” or “multi-step” authentication involves the subsequent presentation of one or more additional authentication steps to the target system after the first step is successfully performed.

    Each of these steps may or may not have a different authentication factor involved. In essence, each step is an independent “gate” and success in each step gets the user closer to the goal of target system access.

    2FA or MFA is a stronger approach that involves the presentation of all the factors together to form one credential that the target system checks for validity. The target system passes or fails the credential as a whole with no indication of which factor failed.

    It is possible to use 2FA or MFA as one of the steps in a “two step” or “multi-step” authentication process.

  • Attack, frequency and difficulty:

    Credential stuffing (breach replay, list cleaning):

    Probability: Very high; more than 20M accounts probed daily in Microsoft identity systems.

    Difficulty: Very easy.

    How: Purchase credentials gathered from breached sites with bad data-at-rest policies, then test for matches on other systems.

    Phishing (man-in-the-middle, credential interception):

    Probability: Very high; about 0.5% of all inbound emails.

    Difficulty: Easy.

    How: Send emails that promise entertainment or threaten, and link the user to a doppelganger site for sign-in. Capture credentials. Tools such as Modlishka make this very easy.

    Keystroke logging (malware, sniffing):

    Probability: Low.

    Difficulty: Medium.

    How: Malware records and transmits usernames and passwords as they are entered, along with everything else, so attackers have to parse the output. Enabled by clicking links, running as administrator and not scanning for malware.

    Local discovery (dumpster diving, physical recon, network scanning):

    Probability: Low.

    Difficulty: Difficult.

    How: Search the user’s office or journal for written passwords. Scan the network for open shares. Scan for credentials in code or maintenance scripts. Users writing passwords down (driven by complexity requirements) is what makes this work.

    Extortion (blackmail, insider threat):

    Probability: Very low.

    Difficulty: Difficult.

    How: Threaten to harm or embarrass the human account holder if credentials aren’t provided.

    Password spray (guessing, hammering, low-and-slow):

    Probability: Very high; accounts for at least 16% of attacks. Millions of accounts probed daily; sometimes more than 100K accounts broken per day.

    Difficulty: Low.

    How: Use easily acquired user lists and attempt the same password across a very large number of usernames. Regulate the speed and distribute across many IPs to avoid detection. Tools are readily and cheaply available.

    Brute force (database extraction, cracking):

    Probability: Very low.

    Difficulty: Varies.

    How: Penetrate the network to extract the credential database. Can be easy if the target organization is weakly defended (e.g. password-only admin accounts). More difficult if appropriate defenses of the database, including physical and operational security, are in place.

    Hash cracking of the extracted passwords:

    Probability: Low.

    Difficulty: Varies with the hashing algorithm and work factor used, and with whether the hashes are salted.

    How: Varied methods depending on attacker sophistication.

In Depth: Password Policy Recommendations

  • In keeping with the overall goal of having users create a password that is not overly weak, an eight-character minimum password length is recommended for an MFA account, and 14 characters for a password only account.

    In addition, maximum password length should be made as long as possible based on system/software capabilities and not restricted by policy.

    In general, it is true that longer passwords are better (harder to crack), but it is also true that forced password length requirements can cause user behavior that is predictable and undesirable.

    Having a reasonable minimum length with no maximum character limit increases the resulting average password length used (and therefore the strength).

  • Password composition or complexity requirements are often used to increase the strength of a user-created password of a given length.

    For example, a complex password would need some amount of characters from all three of the following categories:

    • Uppercase characters

    • Lowercase characters

    • Non-alphabetic characters such as numbers or special characters like <*&(^%$>!:

    There is no standard for password composition in use today, so it is very common for these requirements to vary from system to system (e.g., system one allows special characters, but system two does not).

    Passwords that are too complex in nature make it harder for users to remember, leading to bad practices.

    In addition, composition requirements provide no defense against common attack types such as social engineering or insecure storage of passwords.

  • Excessive password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other.

    In these cases, the next password can be predicted based on the previous one (incrementing a number used in the password for example).

    Also, password expiration requirements offer no containment benefits because attackers will often use credentials as soon as they compromise them.

    Instead, immediate password changes should be based on key events including, but not limited to:

    • Indication of compromise

    • Change of user roles

    • When a user leaves the organization.

    Not only does changing passwords every few weeks or months frustrate the user, it has been suggested that it does more harm than good, because it leads to bad practices such as adding a character to the end of the existing password.

    An annual change is still recommended as a backstop, primarily because, for all their good intentions, users will share credentials across accounts.

  • Organizations should ban the use of common bad passwords. This reduces susceptibility to brute force and password spraying attacks.

    A few examples of commonly used passwords include: abcdefg, password, qwerty, iloveyou and 12345678.

    (A more complete list of common passwords can be found at https://en.wikipedia.org/wiki/List_of_the_most_common_passwords).

    When processing requests to create or change a password, the new password should be checked against a list that contains values known to be commonly-used, expected, or compromised.

    For example, the list should include, but is not limited to:

    • Passwords obtained from previous breaches

    • Dictionary words

    • Repetitive or sequential characters (e.g. aaaaaa, 1234abcd)

    • Context-specific words, such as the name of the service, the username, and derivatives thereof

    • Previously used passwords for this account with a change delay

    • If possible, personal identification information for the user (date of birth, surname, etc.)

    This check should happen immediately upon password creation.

    If the user’s password fails the deny list check, the user should be notified that the password cannot be used with a brief explanation of why it cannot be used. The user should then be required to input a new password.
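The following is an added example, not code from the original page or from CIS, that implements the length and composition minimums given above together with the deny-list checks in this section (breach list, dictionary words, repetitive or sequential runs, username and service name, previously used passwords with the one-day change delay, and personal information). The breach and dictionary sets are tiny constructed samples, and the AccountContext structure is a hypothetical stand-in for whatever an identity system actually stores; a real deployment would load a large breach corpus and compare hashes rather than plaintext.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lists for this example. A real deployment would load a
# large breach corpus and a dictionary from files or a service, and would
# compare hashes rather than keeping plaintext lists in memory.
BREACHED_PASSWORDS = {
    "password", "qwerty", "iloveyou", "12345678", "abcdefg",
    "letmein", "welcome1", "summer2023!",
}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "football", "sunshine"}

# Policy parameters taken from the minimum standards listed earlier on this page.
MIN_LENGTH_PASSWORD_ONLY = 14
MIN_LENGTH_MFA_FACTOR = 8
CHANGE_DELAY_DAYS = 1
SEQUENCE_RUN = 4   # 'abcd' or '4321' counts as sequential
REPEAT_RUN = 4     # 'aaaa' counts as repetitive


@dataclass
class AccountContext:
    """What the checker knows about the account (hypothetical structure for this example)."""
    username: str
    service_name: str
    mfa_enabled: bool
    previous_passwords: List[str] = field(default_factory=list)  # last 5+; plaintext only for illustration
    personal_info: List[str] = field(default_factory=list)       # surname, birth year, etc.
    days_since_last_change: Optional[float] = None


def _has_sequential_run(pw: str, run: int = SEQUENCE_RUN) -> bool:
    """True if `run` consecutive characters step up or down by exactly one code point."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {window[j + 1] - window[j] for j in range(run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_repeated_run(pw: str, run: int = REPEAT_RUN) -> bool:
    """True if the same character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(candidate: str, ctx: AccountContext) -> List[str]:
    """Return every policy violation for `candidate`; an empty list means it is acceptable.

    Violations are collected rather than returned on the first failure so the user
    can be told briefly why the password was rejected, as the guidance requires.
    """
    problems: List[str] = []
    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)

    min_len = MIN_LENGTH_MFA_FACTOR if ctx.mfa_enabled else MIN_LENGTH_PASSWORD_ONLY
    if len(candidate) < min_len:
        problems.append(f"shorter than the {min_len}-character minimum for this account type")

    # Composition is only required on password-only accounts.
    if not ctx.mfa_enabled and not re.search(r"[^A-Za-z]", candidate):
        problems.append("password-only accounts need at least one non-alphabetic character")

    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in a known breach list")

    if letters_only in DICTIONARY_WORDS:
        problems.append("is a dictionary word (possibly with digits or symbols added)")

    if _has_sequential_run(candidate) or _has_repeated_run(candidate):
        problems.append("contains a repetitive or sequential run of characters")

    # Context-specific words: the username, the service name, and simple derivatives.
    context_terms = {ctx.username.lower(), ctx.service_name.lower(),
                     re.sub(r"[^a-z0-9]", "", ctx.service_name.lower())}
    if any(term and term in lowered for term in context_terms):
        problems.append("contains the username or the service name")

    if candidate in ctx.previous_passwords:
        problems.append("matches a previously used password for this account")

    if ctx.days_since_last_change is not None and ctx.days_since_last_change < CHANGE_DELAY_DAYS:
        problems.append(f"password was changed less than {CHANGE_DELAY_DAYS} day(s) ago")

    if any(len(item) >= 3 and item.lower() in lowered for item in ctx.personal_info):
        problems.append("contains personal information")

    return problems


if __name__ == "__main__":
    ctx = AccountContext(username="jsmith", service_name="Acme Portal", mfa_enabled=False,
                         personal_info=["Smith", "1987"])
    for pw in ("correct horse battery staple", "Password1", "jsmith-rocks-2024!!"):
        print(repr(pw), "->", check_password(pw, ctx) or "accepted")
```

The dictionary check strips digits and symbols before comparing, so "Sunshine2024!" is rejected as a dictionary word with decoration, which is exactly the user behaviour that composition rules tend to produce. The sequential and repetitive checks work on code points, so they catch "4321" and "wxyz" as well as "1234".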

  • There is no benefit to allowing a system or a session to stay active when a user is not actively working.

    Knowing when a user is active can be achieved via user input detection (keyboard input, mouse movement, etc.), which has historically been the primary way of achieving “lock when idle.”

    Logging in after such a lock should follow all the recommendations of a normal login in terms of failed login attempts.

    Also, the Session Lock login should be of the same type as the normal account login, so if the normal account login used MFA, then the Session Lock login for this account should use MFA as well, and not a reduced authentication method like password only.

  • To limit password guessing, temporarily lock the account after a predefined number of failed login attempts.

    Setting aside cases where the attacker obtains a user’s password by other means (social engineering, insecure password storage, etc.), where password strength is essentially meaningless, the goal of creating strong passwords is to prevent an attacker from easily guessing the password and gaining access to a targeted account or system.

    This means the attacker has to try the password on the targeted system, so limiting the number of attempts the attacker has is more important than any other password strength measure.

    A temporary (15 minute) account lockout after 5 consecutive failed login attempts has proven to be an effective solution against online password guessing and brute force attempts.

    Temporary lockout is designed to not put undue burden on users and IT administration when a legitimate user enters in their password incorrectly, but is rather designed to thwart unauthorized attempts.

    For example, forcing a more permanent account lockout (one requiring IT involvement) within a large multi-time zone organization can cause undue burden with little practical advantage.

    A reasonable alternative in some environments is to allow a specific number of temporary lockouts, and if that number is exceeded, then permanently lock the account and require IT involvement to unlock (10 consecutive failed attempts is suggested).

    Another technique that is gaining popularity is throttling, which progressively increases the delay before the next login attempt can occur.

    Throttling techniques can vary but typically look like the following example below:

    • First failure, immediate retry allowed

    • Second consecutive failure, one minute wait

    • Third consecutive failure, two minute wait

    • Fourth consecutive failure, four minute wait

    • Fifth consecutive failure, eight minute wait

    • Further consecutive failures keep doubling the wait, until the permanent account lockout threshold (10 consecutive failed attempts, requiring IT involvement to unlock) is reached
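As an added example (not code from the page or from CIS), the following implements both policies from this section in one small state machine: a 15-minute temporary lockout after 5 consecutive failures and a permanent lockout after 10, or the 0, 1, 2, 4, 8 minute doubling throttle with the same permanent threshold. The caller supplies the current time, which is an assumption made so the behaviour is deterministic; the account names are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Thresholds taken from the recommendations above.
TEMP_LOCKOUT_AFTER = 5           # consecutive failures before a temporary lockout
TEMP_LOCKOUT_SECONDS = 15 * 60   # length of the temporary lockout
PERMANENT_LOCKOUT_AFTER = 10     # consecutive failures before IT must reset the account


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0      # epoch seconds; attempts are refused before this time
    permanently_locked: bool = False


class LoginGuard:
    """Tracks consecutive failures per account and refuses attempts while locked or throttled.

    mode="lockout": 15-minute temporary lockout after 5 failures, permanent after 10.
    mode="throttle": retry delay of 0, 1, 2, 4, 8, ... minutes, permanent after 10.
    The caller passes `now` (epoch seconds) so the behaviour is deterministic and testable.
    """

    def __init__(self, mode: str = "lockout") -> None:
        if mode not in ("lockout", "throttle"):
            raise ValueError("mode must be 'lockout' or 'throttle'")
        self.mode = mode
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def check(self, account: str, now: float) -> Tuple[bool, str]:
        """Call this BEFORE verifying the password; a refused attempt must not reach the verifier."""
        st = self._state(account)
        if st.permanently_locked:
            return False, "permanently locked; IT reset required"
        if now < st.locked_until:
            return False, f"retry in {int(st.locked_until - now)}s"
        return True, "ok"

    def retry_after(self, account: str, now: float) -> float:
        """Seconds until the account accepts another attempt (0 if it does now)."""
        return max(0.0, self._state(account).locked_until - now)

    def record_failure(self, account: str, now: float) -> str:
        """Register a failed password check and return the resulting action."""
        st = self._state(account)
        st.consecutive_failures += 1
        n = st.consecutive_failures
        if n >= PERMANENT_LOCKOUT_AFTER:
            st.permanently_locked = True
            return "permanent_lockout"
        if self.mode == "lockout":
            if n % TEMP_LOCKOUT_AFTER == 0:
                st.locked_until = now + TEMP_LOCKOUT_SECONDS
                return "temporary_lockout"
            return "counted"
        # Throttle: the first failure allows an immediate retry, then the wait doubles each time.
        delay_minutes = 0 if n == 1 else 2 ** (n - 2)
        st.locked_until = now + delay_minutes * 60
        return "throttled"

    def record_success(self, account: str, now: float) -> bool:
        """Reset the failure counter; a success inside a lockout window is ignored."""
        allowed, _ = self.check(account, now)
        if not allowed:
            return False
        self._accounts[account] = AccountState()
        return True


if __name__ == "__main__":
    guard = LoginGuard("throttle")
    t = 0.0
    for attempt in range(1, 7):
        t += guard.retry_after("alice", t)   # wait out any delay from the previous failure
        action = guard.record_failure("alice", t)
        print(f"failure {attempt} at t={t:.0f}s -> {action}, next retry in {guard.retry_after('alice', t):.0f}s")
```

Two details matter in practice. The check runs before the password is verified, so attempts made during a lockout never touch the verifier and never advance the counter; and a success that arrives inside a lockout window is ignored rather than unlocking the account, otherwise an attacker who happens to guess correctly during the window would bypass the control. Note that none of this stops a password spray, which makes one or two attempts per account across thousands of accounts and never reaches the threshold; that attack has to be caught by the monitoring described below.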

  • Login monitoring is a must; it is arguably the most important recommendation.

    The goal of strong passwords is to prevent unauthorized users (attackers in particular) from gaining access to systems or accounts.

    Therefore, logging is a key component to investigate attempts at gaining access to a user account, whether this be a regular user or an administrator account. To achieve this, at a minimum, failed login attempts must be monitored and key personnel alerted to the events.

    The following is what is suggested, at a minimum, to ensure failed logon attempts are monitored:

    • Log all failed login attempts

    • Alert key personnel when a temporary or permanent account lockout has been triggered

    • Log and alert key personnel about login attempts from unexpected geographical areas

    • Log and alert key personnel about login attempts at unexpected times

    • Log and alert key personnel about login attempts on “Honeypot Accounts”
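The following is an added example, not code from the original page or from CIS, that runs the monitoring rules listed above over a constructed authentication log: every lockout, every attempt on a honeypot account, attempts from a country outside the user’s baseline, and attempts outside business hours. It goes one step beyond the list by also flagging a password spray (one source IP failing against many different accounts), the attack the earlier frequency list rates as very high probability and which per-account lockout cannot see. The log format, the per-user country baseline, the honeypot account name and the 06:00 to 21:59 UTC business window are all assumptions for this example, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample authentication log for this example (RFC 5737 test addresses,
# not real traffic). One line per attempt; result is success, failure,
# temporary_lockout or permanent_lockout.
SAMPLE_LOG = """\
2024-03-04T09:12:05Z user=alice ip=203.0.113.10 country=US result=success
2024-03-04T09:15:41Z user=bob ip=203.0.113.11 country=US result=failure
2024-03-04T09:15:49Z user=bob ip=203.0.113.11 country=US result=success
2024-03-04T03:02:17Z user=alice ip=198.51.100.7 country=RU result=success
2024-03-04T10:00:01Z user=svc-backup-admin ip=198.51.100.9 country=US result=failure
2024-03-04T10:00:02Z user=bob ip=192.0.2.5 country=US result=failure
2024-03-04T10:00:03Z user=carol ip=192.0.2.5 country=US result=failure
2024-03-04T10:00:04Z user=dave ip=192.0.2.5 country=US result=failure
2024-03-04T10:00:05Z user=erin ip=192.0.2.5 country=US result=failure
2024-03-04T10:07:30Z user=carol ip=203.0.113.12 country=US result=temporary_lockout
"""

# Baselines an organization would maintain; these values are assumptions for the example.
EXPECTED_COUNTRIES: Dict[str, Set[str]] = {u: {"US"} for u in ("alice", "bob", "carol", "dave", "erin")}
HONEYPOT_ACCOUNTS = {"svc-backup-admin"}   # exists only to be attacked; any attempt is an alert
BUSINESS_HOURS_UTC = range(6, 22)           # 06:00-21:59; attempts outside this window are unexpected
SPRAY_MIN_ACCOUNTS = 3                      # one source IP failing against this many accounts

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) country=(\S+) result=(\S+)$")


def parse_log(text: str) -> List[dict]:
    """Parse the assumed log format; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, country, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "result": result})
    return events


def analyze(text: str) -> List[dict]:
    """Apply the monitoring rules to a log and return one alert dict per finding."""
    alerts: List[dict] = []
    failures_by_ip: Dict[str, Set[str]] = defaultdict(set)

    for ev in parse_log(text):
        who = f"{ev['user']} from {ev['ip']} at {ev['ts']:%H:%M}Z"
        if ev["result"].endswith("lockout"):
            alerts.append({"rule": "lockout", "detail": f"{ev['result']} for {who}"})
        if ev["user"] in HONEYPOT_ACCOUNTS:
            alerts.append({"rule": "honeypot", "detail": f"attempt on honeypot account: {who}"})
        expected = EXPECTED_COUNTRIES.get(ev["user"])
        if expected is not None and ev["country"] not in expected:
            alerts.append({"rule": "geo", "detail": f"unexpected country {ev['country']}: {who}"})
        if ev["ts"].hour not in BUSINESS_HOURS_UTC:
            alerts.append({"rule": "time", "detail": f"attempt outside business hours: {who}"})
        if ev["result"] == "failure":
            failures_by_ip[ev["ip"]].add(ev["user"])

    # Password spray: the same source fails against many different accounts, each only once or
    # twice, so per-account lockout never fires. This rule is a cross-account view of the log.
    for ip, users in failures_by_ip.items():
        if len(users) >= SPRAY_MIN_ACCOUNTS:
            alerts.append({"rule": "spray",
                           "detail": f"{ip} failed against {len(users)} accounts: {sorted(users)}"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['rule']:>8}] {a['detail']}")
```

The geo and time rules alert on successful logins as well as failures; a success from an unexpected country at 03:00 is the case that most needs a human to look at it, since the lockout rules by definition never fire for it.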

  • Unused accounts need to be automatically turned off.

    It would be ideal if administrators would immediately disable accounts for people who are no longer authorized (left the company, changed departments, etc.).

    Unfortunately, this is not always the case, so it makes sense to have a back-up in case this doesn’t happen.

    Suspending an account after X days of non-use (we suggest 45 days) can act as that back-up plan.

    If a user has not logged into that account within 45 days of the last valid login, the system will automatically disable the account.

    The user can get it re-enabled, but is required to contact IT to reinstate it and justify why the account is still needed.

  • Do not allow password hints.

    Password hints can allow users to self-service when they cannot remember their password, but the risk can outweigh the benefit.

    There is no known reliable way to ensure the hint supplied by the user isn’t too obvious or easily obtained (through social engineering or public profiles on Facebook, Twitter, etc.), so a hint can give an attacker easy access to the system.

    A better approach is to allow for an easy to remember password (passphrase) when it is created.

  • Strength indicators are helpful since most people want to make a strong password.

    When creating a new password, the system should offer guidance to the user, such as a password-strength indicator, to assist the user in creating a strong password.

    This is particularly useful when used with password deny lists, since it guides the user to creating a stronger password that is likely not on the deny list.

  • There are two main use cases for password display:

    On creation:

    Allowing a user to display their password on creation is better than a confirmation field.

    To assist the user in creating a password, the system should offer an option to display the password, instead of a series of dots or asterisks, while it is being entered.

    This allows the user to verify their entry if they are in a location where their on-screen password is unlikely to be seen.

    This works much better than a blind confirmation field for mistyped passwords.

    On Password Use:

    Allowing a user to briefly see what they are typing in a password field reduces entry errors.

    The system should optionally permit the user’s device to display individual entered characters for a short time after they type each character to verify correct entry (then replaced with an asterisk or dot).

    This can be particularly useful on mobile devices where the text fields are small and hard to see.

  • Encouraging the use of an approved password manager lets users create strong passwords that are not reused on multiple systems.

    A password manager is like a book of a user’s passwords, locked by a master key that only that user knows. On the surface that might sound bad. What if someone gets the user’s master password? That’s a reasonable fear; but assuming the user has chosen a strong, unique, and memorable master password they’re not using anywhere else, or better yet protects the manager with MFA, password managers are effective.

    Like anything else in IT security, password managers aren’t 100% fail-safe, but they are a great alternative for users who need to manage multiple strong passwords for different accounts.

    They reduce reuse of the same password across multiple accounts, storing passwords in plain text on the user’s system, or writing them down and storing them in an unsecure location.

    In addition to storing user passwords, password managers also help users create and save strong, unique passwords. This means whenever users go to a website or application, they can pull up their password manager, copy their password and paste it into the login box.

    Often, password managers come with browser extensions that can fill in a saved user’s password for them in a secure manner.

    If a password manager is used (and preferably one is), it is suggested that organizations restrict this to a small approved list of software that provides the features the organization needs.

    This will make it easier to maintain the software (upgrades), patches, and track any published vulnerabilities and their mitigations.

  • Allow Paste in password fields when using a password manager.

    It is recommended that systems permit users to use the paste functionality when entering a password, since this facilitates the use of password managers.

    The main fear companies have with allowing paste to enable a Password Manager is that passwords are stored in the clipboard.

    Any software installed on the computer (or any person operating it) has access to the clipboard and can see what has been copied.

    However, most password managers erase the clipboard as soon as they have pasted the password into the website, and some avoid the clipboard altogether by typing in the password with a virtual keyboard.

    These features can be part of the Password Manager selection criteria.

Passwords are the linchpin of virtually all of your online activity, and most people maintain a large number of them. Choosing strong passwords and managing them securely can feel burdensome at times.

Nevertheless, straightforward methods exist to make your passwords far harder to compromise. Doing so keeps attackers from taking over your accounts and protects your sensitive information, warding off the risk of financial loss, particularly in online banking.