Your Password Policy Should Challenge Hackers, Not Your Users
Posted July 23, 2019 by Sayers
Any time a human is involved, the potential for weakened security increases. Password policies are necessary for cybersecurity compliance; however, burdensome password policies can result in bad user behavior like password transformation.
REMEMBER WHEN – IBM published the startling statistic, in its “2014 Cyber Security Intelligence Index”, that human error was involved in 95% of all security incidents?
A transformation happens when a user increments a number, changes a letter to a similar-looking symbol, adds or deletes a special character, or switches the order of characters.
Organizations can better secure their data, systems and environment by following the simple recommendations below.
THE DO’S:
SIZE MATTERS
- The new NIST guidelines say you need a minimum of 8 characters. Better yet, NIST says you should allow a maximum length of at least 64.
USE OF A BAN DICTIONARY
- Check new passwords against a dictionary of known-bad choices. Well-known and simple passwords are susceptible to brute-force and dictionary attacks. You don’t want to let people use Password, Pa$$word, admin, 123456, and so on. More research needs to be done into the best size of the banned-password dictionary.
ALLOW PASTING
- This allows the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger passwords.
USER ABILITY TO RESET PASSWORD
- Provide a mechanism so that users can recover their own password, unless you want to be tied to your email client or phone all day.
THE DON’TS:
NO COMPOSITION RULES
- Do not force the use of particular characters or combinations (e.g. “Your password must contain one number, one lowercase letter, one uppercase letter, and four symbols but not ‘&%#@_’”). Password complexity shouldn’t be forced, but it shouldn’t be rejected either.
NO PASSWORD HINTS
- Just say no. It’s not a good idea. Ask Adobe.
NO KNOWLEDGE-BASED AUTHENTICATION (KBA):
- KBA is when a site says “Pick from a list of questions: Favorite vacation destination? Where did you attend high school? Your dog’s name?” Data exfiltration and the proliferation of social media have weakened this option.
NO MORE EXPIRATION WITHOUT REASON:
- If you want users to choose longer, more random and potentially complex passwords, you shouldn’t make them change those passwords unnecessarily. Reserve forced changes for suspected compromise or real incidents. Both NIST and Microsoft have come out against periodic expiration.
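As an added illustration (example code written for this page, not code from Sayers, NIST or Microsoft), the Python checker below puts the length and ban-dictionary DO’s together with the no-composition-rules and no-unnecessary-expiration DON’TS. The banned-password set and the look-alike substitution table are constructed samples, and the 128-character cap is an assumption chosen to sit above NIST’s floor of 64; a real deployment would load a large breached-password corpus. The one thing it adds beyond the text is that it also rejects the simple transformations described above (Pa$$word, Password1!), since attacker wordlists generate those anyway.

```python
"""Password-policy checker for the recommendations in the post above.

Added example, not code from Sayers, NIST or Microsoft. The banned-password
set and the look-alike substitution table are constructed samples; a real
deployment would load a large corpus of breached passwords.
"""
import unicodedata
from typing import List, Set

MIN_LENGTH = 8     # NIST minimum length
MAX_LENGTH = 128   # assumed cap; NIST only requires that at least 64 be allowed

# Constructed sample of a banned dictionary (real lists run to millions).
BANNED = {"password", "admin", "12345678", "qwerty", "letmein", "welcome"}

# Look-alike substitutions users apply when "transforming" a password.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})

# Characters commonly appended to a dictionary word (Password1, Password!).
TRAILING = "0123456789!@#$%^&*._-"


def candidate_forms(pw: str) -> Set[str]:
    """Return the password plus the cheap transformations of it that a
    wordlist rule set would also produce, so 'Pa$$word1!' is caught by
    the banned entry 'password'."""
    base = unicodedata.normalize("NFKC", pw).lower()
    stripped = base.rstrip(TRAILING) or base   # keep 'base' if stripping empties it
    return {base, stripped, base.translate(LEET), stripped.translate(LEET)}


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    Deliberately absent: composition rules (required digits, symbols, case)
    and any notion of expiry. A forced change is driven by suspected
    compromise, not by a calendar, and so lives outside this check.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: at least {MIN_LENGTH} characters required")
    if len(pw) > MAX_LENGTH:
        problems.append(f"too long: at most {MAX_LENGTH} characters allowed")
    if candidate_forms(pw) & BANNED:
        problems.append("banned: matches a known-bad password or a simple transformation of one")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: two transformed dictionary words, one too-short
    # string, one all-lowercase passphrase and one 64-character password.
    for sample in ["Pa$$word", "Password1!", "short",
                   "correct horse battery staple", "x" * 64]:
        verdict = check_password(sample)
        print(f"{sample!r:32} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Note that the all-lowercase passphrase with spaces and the 64-character password are both accepted: nothing in the check demands a digit, a symbol or mixed case, which is exactly the point of the no-composition-rules recommendation.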
Sayers suggests leveraging a policy that follows most, if not all, of these recommendations. Two-factor authentication is strongly encouraged because it raises the bar for a successful attack. Let us help you create or modify a password policy that is flexible, provides additional protection and fosters acceptance from your user community.
Additional Resources:
- Time to rethink mandatory password changes, FTC. 3/2/2016
- Digital Identity Guidelines, NIST. 6/22/2017
- Microsoft Password Guidance, Microsoft. 6/2/2016