Passwords are more than just the most effective way to keep coworkers with cooties out of your secret fort in the breakroom. They’re also the foundation of the authentication process, confirming a user’s identity and preventing unwanted access to critical data. Crafting a strong password security policy can help ensure credentials are secure and don’t fall into the wrong hands.
According to Verizon’s 2023 Data Breach Investigations Report, 86% of web application data breaches involved stolen credentials. Once threat actors are in your environment, they can steal data, launch a ransomware attack, or just listen to your Spotify playlist of Kenny G’s greatest hits. Implementing an effective policy to promote password hygiene best practices can help protect your environment and make a cybercriminal’s job much more difficult. We’ll break down what you should know to fortify your business’s password rules.
What is good password hygiene?
Remember: Passwords act as the first line of defense, controlling access to your systems and the valuable information they hold. Maintaining strong defenses is imperative to enhancing your security posture.
What should you include in a password policy?
A password security policy should establish clear best practices requiring strong password creation. It should include several applicable standards.
Reusing an old password may seem convenient. However, it presents a security risk. One compromised password gives threat actors continued access to your systems. For that reason, many companies enforce password history guidelines. Generally, this means not allowing an employee to reuse a previous password (or their last two passwords). However, Microsoft suggests disallowing the last 24 passwords.
Maximum password age is a controversial topic.
Some feel that using the same password over an extended period increases the risk of compromise, so you should set a password expiration. If a threat actor already has your password, they may continually access information without you even realizing it. Even if your password is still secure, continuing to use it for months or years on end gives hackers ample time to test different combinations until they figure it out. To prevent this, many password policies include a maximum password age. Microsoft suggests a limit of 30 to 90 days, depending on the level of security you feel is appropriate for your organization.
On the other hand, the National Institute of Standards and Technology (NIST) no longer recommends requiring regular password changes since users often select similar alternatives that are just as easy to crack.
Minimum password age requirements are less common but may be more important. These guidelines dictate how long a password must be in use before a user can change it. Essentially, it helps prevent an employee from changing their new password in rapid succession to bypass password history requirements and return to their original password. Microsoft recommends a minimum age of one day.
Company policies often require the minimum password length to be at least eight characters long. However, longer passwords are better. Because of this, many companies encourage passphrases. These strings of words are much longer than traditional passwords, making them difficult to crack. However, they’re also typically easier for users to remember since they use actual words.
The more complex the password, the harder it is to guess. For instance, if a password contains just numbers, a brute force attack can hack it instantly, even if it’s 10 characters long. In comparison, a 10-character-long password with uppercase letters, lowercase letters, numbers, and symbols takes an estimated 5 years to crack.
Therefore, complexity guidelines typically require that each secure password include the following:
An uppercase letter
A lowercase letter
That said, NIST no longer recommends complexity guidelines since users often rely on common password patterns or reuse passwords across platforms.
Account lockout policies specify how many failed login attempts a user can make before their account automatically locks. Microsoft suggests 10 as a starting point, though you might lower this based on your risk tolerance. Your policy should also establish how long the lockout continues. Microsoft recommends around 15 minutes.
What are the strongest password policy rules?
Developing the strongest password policy for your business requires balancing your cybersecurity objectives with the practical needs of your employees. There is no one-size-fits-all password policy that’s ideal for all businesses, and there are innumerable rules that may benefit some organizations. The NIST provides helpful guidelines to steer your policies. Here are a few key rules to consider:
Use strong passwords that are at least eight characters long: The longer, the better! Each additional character dramatically decreases the risk that a brute force attack could crack your password. Therefore, we recommend you require a minimum number of characters.
Encourage a passphrase: Passphrases balance convenience and security. The added password length makes them harder to hack, but using familiar words makes them easier to remember.
Do not enable hints: Hints may seem like a helpful way to allow users to retrieve lost passwords. However, with personal information widely available through social media and social engineering, allowing hints may actually give threat actors inroads into your systems.
Use multifactor authentication: In almost all instances, multifactor authentication is beneficial as an additional layer of protection.
How can you protect your company's passwords?
Maintain and update your password policy
Providing a documented password policy gives employees a resource to refer to whenever it’s time to change their passwords. However, don’t expect the document to be static. The security landscape is constantly evolving, so be prepared to update your custom policy as necessary.
Provide password training
Getting a password policy on the books is undoubtedly valuable. But providing your employees with relevant security awareness training further enhances the benefits. Not only can it reinforce the guidelines, but it can also clarify why a strong password is so important. Informed employees may be more likely to comply with your password requirements and IT policies.
Require a password change after a potential compromise
If you have any reason to believe your systems or accounts may have been compromised, require password changes for all affected employees. Otherwise, threat actors may have continued user account access.
Invest in password manager software
Password management software enables your team to use longer, stronger passwords without needing to remember multiple passwords. Additionally, a password manager can generate a unique password, preventing employees from leaning on familiar patterns or password reuse. A different password for each platform is inherently more secure.
If you work with a managed IT services provider (MSP), they may provide access to password management software.
Consider password policy enforcement software
Even the strongest password policy is worthless without enforcement. Without the right solution, getting employees to comply is like herding cats. Thankfully, effective password policy enforcement software lets you configure and automatically enforce policies without the need to glare threateningly at each employee.
High-quality password managers make it easier for users to follow password policy best practices. However, always investigate the provider's security features. While there are many reputable password managers on the market that we'd trust with all our secrets, a data breach on a password manager's end could lead to countless compromised credentials.
Implement multifactor authentication
Multifactor authentication adds an extra layer of security. Rather than granting access with just a username and password, users must also use an additional verification method, such as a fingerprint scan or a one-time password (OTP) from an email, text, or app. This makes the password just one component of authentication instead of the primary determiner.
Set a lockout after failed attempts
Attackers may try to guess your passwords through trial and error, credential stuffing, or brute force attacks. Incorporating a lockout period after a set number of failed attempts can help thwart these efforts.
Let users see what they’re typing
A user may select a short, weak password for one simple reason: It's easier to type. When you can’t see what you’re typing, it’s that much harder to use a long, complex password. In many cases, users need to try several times before getting it right. Letting them see what they’re typing can remove that hurdle, save them time, and decrease their desire to select weak passwords.
Using a single sign-on service, such as Azure Active Directory (Azure AD), allows users to sign on to multiple accounts on different software systems using a single set of credentials. For most users, it's much easier to remember one complex password than countless easy passwords, so implementing SSO is a win-win for your users and your password security posture.
While a strong password policy and good cyber hygiene are crucial, there’s much more involved in cultivating a secure environment. You also need to maintain accurate information on your machines and implement updates and patches.