People can be incredibly lazy when it comes to certain things, and password management is one of them. A survey conducted by the password-management app developer LastPass revealed that even though 91 percent of people know reusing passwords is a poor practice that should be avoided at all cost, 59 percent still reuse their passwords both at home and, more importantly, at work.
Surprisingly, digitally-savvy millennials are the worst offenders, which is bad news for organizations because millennials are now the largest generation in the workforce.
The solution? Cybersecurity professionals believe that the combination of password policy best practices and employee education should be an integral part of all cybersecurity programs. The problem is that password policies can do more harm than good unless implemented thoughtfully, which is why it’s critical to understand what they’re supposed to accomplish and where their limits are.
What Is a Password Policy?
A password policy is essentially a collection of rules whose purpose is to improve an organization’s cybersecurity posture by motivating users to create strong passwords and use them correctly. A password policy may exist only on a piece of paper, perhaps as part of an organization’s official regulations, or it may be actively enforced by system administrators and taught as part of security awareness training.
While each and every password policy should be customized to meet the unique needs of the organization that wants to implement it, there are certain best practices that most password policies include:
Password reuse is an important concern in any organization, which is why it’s important to track previously used passwords to make it impossible for users to use the same password over and over again. Without setting the number of unique new passwords that must be associated with a user account before an old password can be used again, users could opt to use a password that has been exposed in a breach just because they couldn’t be bothered to come up with a new one.
Some security experts advice to prohibit password reuse entirely, which can be easily done in Windows and other operating systems and applications by enforcing a very high password history. The experts argue that only reason to allow password reuse is that it can be convenient in certain situations to rotate a set of passwords, but convenience should never dictate security policy.
Opinions differ when it comes to the recommended password length, but most experts agree that a password can’t be strong unless it’s at least 8 characters long. To be on the safe side, a minimal password length of 12 characters should be adopted.
One welcome side effect of longer passwords is the fact that they reduce password reuse. “There is a distinct trend of having a higher minimum length required reducing the likelihood of reuse across multiple universities,” according to the key finding a study called “Factors Influencing Password Reuse: A Case Study”.
Passwords containing personal information, such as names, addresses, or phone numbers, should be strictly avoided, and the same holds true for passwords based on dictionary words. Ideally, passwords should contain uppercase letters, lowercase letters, numbers, and characters.
Many cybersecurity organizations believe that long passphrases are preferable to complex passwords, including the National Institute of Science and Technology (NIST), which now recommens using long passphrases instead of seemingly complex passwords because they are easier to remember. “Passphrases leverage things that we know are paired, like the letters in a word. Our brains are so good at recognizing groups of letters that form words that we don’t even process the letters individually,” says Mike Garcia, a former director of NIST’s Trusted Identities Group.
It’s often desirable to force users to change their passwords regularly, especially in larger organizations with high employee turnover. Many organizations set the maximum password age to 90 days for passwords and 180 days for passphrases.
However, forced password expiration can, in some cases, do more harm than good. Organizations should always strive to balance security and usability needs, and they must always be able to justify any required security behavior. Forcing frequent password changes in a small organization with low employee turnover could nudge the employees toward frequent reuse of weaker passwords.
As protection against dictionary attacks, several unsuccessful login attempts should result in an account lockout, and only a system administrator should be authorized to unlock a locked account. With account lockouts, it’s possible to change the account lockout duration and account lockout threshold, which specifies the number of failed attempts at logon a user is allowed before the account is locked out.
Beyond Password Policies
Passwords are the first line of defense against unauthorized access, but it’s seldom enough to simply establish a password policy and expect users to follow it. “Passwords alone are not enough to secure your company,” argues Alvaro Hoyos, CISO at OneLogin. “Companies need to be more forward-thinking when it comes to identity and access management.”
The fact is that 93 percent of organizations already have at least some password guidelines in place, but they often fail to propagate to every single employee because they get stuck at the board or C-level. Proper employee education and awareness can effectively mitigate this by keeping employees informed and engaged.
Employees should be aware of the existence of modern password managers, and they should be encouraged to use them because they greatly reduce the margin for user error. An organization can even decide to standardize a particular password manager and make it an integral part of its password policy.
Multi-factor authentication, an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism, can be a great alternative to password age policies which are typically disliked by both employees and system administrators.
Excellent multi-factor authentication solutions are readily available these days, and there’s no reason not to take advantage of them and go beyond tried-and-true password policies. The most important thing is to realize that passwords are just one—albeit extremely important—component of a successful cybersecurity program, and there’s a lot more that can be done.
When implemented correctly, a password policy can significantly improve an organization’s cybersecurity posture by motivating users to adhere to password best practices. For any password policy to be effective, it needs to propagate to every single employee and be continuously reinforced through ongoing employee education. However, even the most comprehensive password policy is just one component of a broader cybersecurity program, and there’s a lot that can be done beyond requiring users to use long, hard-to-guess passwords.
Written by: Payam Pourkhomami, President & CEO, OSIbeyond