What makes a good password (policy)? Tip: It's not what you think
Do you know what makes a good password? Is your policy aligned to best practice and guidance? Think again. Does your password policy still require a complex mix of upper case, lower case, numbers and special characters? Are some special characters disallowed but not all? The picture above may seem unrealistic, but every security manager doing a floorwalk has seen it - and your password policy may be the cause.
You might think that complexity and regular changing of passwords makes your systems more secure, but in actual fact, it makes them easier to crack. Don't believe me? Watch this video of Michael McIntyre explaining why you 'should probably change your password'. Very funny, but also, oh so true!
When you make users add complexity to their passwords, they don't have the capacity to create many complex (strong) passwords, so get in the habit of reusing and modifying existing passwords.
Four years ago, NIST (the National Institute of Standards and Technology) issued NIST Special Publication 800-63B to provide a clearer understanding of risks related to end users and passwords. This guidance was ground breaking - stop putting the onus on your users to come up with ever more complex and 'hard to break' passwords and use technology to reduce the risk. However, this guidance has faced significant resistance from security and IT experts - we've spent so long saying that passwords need to be long and complicated that the 'new' guidance is hard to accept. Users also find it hard to believe that they should not be enduring the misery of remembering multiple unique complex passwords.
The research NIST (and others) had undertaken demonstrated that all of the efforts the security profession had taken to make passwords more secure, in fact had the opposite effect. Although the guidance is long and detailed, there are three key takeaways that every organisation should adopt in its password policy:
Use technical controls, rather than human controls to reduce the risk factor - account throttling and account lockout are easy to implement on most modern IAM tools
Remove expiry and complexity. Automatic expiry and complexity requirements encourage users to reuse, write down and modify existing passwords - automatically increasing the risk of a breach
Implement a password blacklist - many tools have password blacklists included and the ability to deny the use of specific attributes in a password (for example repeated characters, known weak passwords or passwords related to the username, organisation name or product
In the UK, the National Cyber Security Centre (NCSC) has also published regular updated guidance on passwords and password policy, with focus on human, as well as technical elements. In addition to pragmatic technical tips, NCSC provides three tips to support users:
Help users manage multiple passwords - provide a password vault for secure storage and remove the need to update a password after a set period of time
Help users create strong passwords - try the 'three short words' policy where passwords are three random words in a string, use a password generator that can then be stored in the password vault (or remind them that devices will often offer to do this for them)
Provide training and education to users - ensure users understand your password policy and the risks each system faces, tell them of regularly used, weak passwords to avoid and train them how to use the password vault
And if you're reading this as a user, and would like some tips and guidance, have a look here at the NCSC Cyber Aware site. And if you don't have time, my top three tips:
Use a strong and unique password for your email and bank account - if an attacker gets into your email they can reset your passwords for other accounts and access personal information. Similarly, accessing your bank account would enable fraudulent loans in your name as well as the ability to extract your money. Having strong (and different) passwords for your email and online banking will make it harder for your account to be taken over
Use a password vault (manager) - this could be built into your device (Google, Microsoft and Apple - and others) all offer to save your passwords - say yes! If you are uncomfortable having this from a manufacturer, there are many password vaults available that you can buy or subscribe to. These stores all of your passwords securely, are often accessed using biometrics and mean that you only need to remember one password to access all of your systems rather than every one
Remember 'three random words' - using three random words to create your passwords makes them much harder to crack. How would you guess 'Mintyyellowsky' for example. Just be wary of using words that relate to you or your family (such as 'Helenlovessushi') these sorts of passwords can be easier to guess through a trawl of your social media activity
Found this blog useful? Why not contact RTG Commercial Services for a free one-hour consultation to see how we can help you achieve your business goals securely?