What is a password policy?

“A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.”
https://en.wikipedia.org/wiki/Password_policy

What is a strong password?

Generally, the more characters your password has, the stronger it is. A strong password should have a minimum of 8 characters and should include a mixture of upper and lowercase letters, numbers and symbols.

Weak Password Examples

Keeper conducted a research study into the most commonly used passwords. The results were shocking: most of the passwords in use were extremely insecure (see Keeper's Password Case Study).

Have a look at the top 25 most commonly used passwords:

  • 123456
  • 123456789
  • qwerty
  • 12345678
  • 111111
  • 1234567890
  • 1234567
  • password
  • 123123
  • 987654321
  • qwertyuiop
  • mynoob
  • 123321
  • 666666
  • 18atcskd2w
  • 7777777
  • 1q2w3e4r
  • 654321
  • 555555
  • 3rjs1la7qe
  • google
  • 1q2w3e4r5t
  • 123qwe
  • zxcvbnm
  • 1q2w3e

How to create a strong password and remember it

A great example of a strong memorable password is four random words (correct-horse-battery-staple). This is extremely difficult for a computer to guess but very easy for a human to remember. Check out this comic example: https://xkcd.com/936/.

With a password management tool we can create even stronger passwords. Because the tool remembers them for us, these passwords can be very long and use the full range of special characters. For example:
i9pT$yq8k0Z%%CTw0Bi5!ncPlXV%8NN$
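To make the two kinds of strong password above concrete, here is an added example (not code from the original article) that generates a four-random-word passphrase and a long manager-style password with Python's CSPRNG, and estimates how much guessing work each represents. The word list is a small constructed sample; the entropy figures assume a 7776-word list (the size of the EFF large word list) and a 94-character alphabet, and the 10^10 guesses per second rate is an assumed attacker budget used only for illustration.

```python
import math
import secrets
import string

# Constructed sample word list (a stand-in for a real diceware-style list;
# the EFF large list has 7776 words, the figure used in the entropy demo).
WORDS = [
    "correct", "horse", "battery", "staple", "lantern", "orbit", "velvet",
    "marble", "cactus", "harbor", "pillow", "comet", "falcon", "ginger",
    "island", "jungle", "kettle", "lemon", "meadow", "nickel", "oyster",
    "parrot", "quartz", "rocket", "saddle", "timber", "umbrella", "violin",
    "walnut", "yogurt", "zephyr", "anchor",
]

# Alphabet for manager-style passwords: letters, digits and all ASCII symbols (94).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(word_count=4, words=WORDS, sep="-"):
    """Pick word_count words uniformly at random using the CSPRNG in `secrets`."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def generate_random_password(length=32, alphabet=ALPHABET):
    """Random password of the kind a password manager produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("passphrase:", generate_passphrase())
    print("manager password:", generate_random_password())
    rate = 1e10  # assumed offline guessing rate, guesses per second
    for label, bits in [
        ("8 random characters from 94", entropy_bits(len(ALPHABET), 8)),
        ("4 words from a 7776-word list", entropy_bits(7776, 4)),
        ("32 random characters from 94", entropy_bits(len(ALPHABET), 32)),
    ]:
        years = seconds_to_exhaust(bits, rate) / (3600 * 24 * 365)
        print(f"{label}: {bits:.1f} bits, {years:.3g} years at {rate:.0e} guesses/s")
```

The point of the comparison is that a four-word passphrase from a large list (about 52 bits) matches eight fully random characters, while still being something a person can remember; the 32-character manager password (about 210 bits) is far beyond either, which is why it only makes sense when a tool stores it.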

What is a password policy?

The password policy is a document for your business or application that outlines a set of rules and conditions regarding username and password length and complexity, topologies, password recovery and so on. The goal is to enhance cyber security by promoting the proper use of strong passwords by both users and administrators.

OWASP is an unbiased organisation that provides security guidance. Look at their password policy: https://www.owasp.org/index.php/Authentication_Cheat_Sheet.

Best practices for enforcing password policies

Let’s look at some of the best practice password policies that should be enforced by any system administrator:

  • Enforce Password History/Variety. You will need to remember the passwords that users have already set so that they are not reused in the future. This prevents old, and potentially compromised, passwords from being used again. Managing this number of passwords can be difficult unless you have the correct tools in place. We will take a look at these tools later.
    Remember, if a hacker gains even one of your usernames and passwords, they are likely to try it across all the other popular platforms. Therefore, a different password for each system removes a single point of failure.
  • Maximum Password Age. Some organisations think that every time a user changes a password they make it less secure. That said, the majority still think it is better to change a password after a certain length of time. If users are well trained in creating strong, memorable passwords, this will not be an issue.
  • Minimum Password Length. Essential in creating a strong password. We mentioned before that eight is a good minimum. If you want a very strong password we suggest a minimum length of 14 characters. The general rule of thumb is that longer passwords are harder to crack than shorter ones.
  • Passwords Must Meet Complexity Requirements policy. This is where we can stop users from using their username as part of the password, and from doing other things that reduce complexity or make the password easy to guess. Another example is disallowing the same character more than twice in a row: 111222333 is not a strong password.
  • Authentication. So, you have a strong, unique password for each platform you use. We can now go one step further and give anyone who manages to acquire one of our passwords a further hurdle. Two-factor authentication lets users protect themselves with a further piece of information in addition to their password.
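As an added example (not code from the article or from Zenos), the checker below enforces the rules just listed in one place: the 14-character minimum, the mix of character classes, no username inside the password, no character repeated more than twice in a row, a denylist seeded from the top-25 list quoted above, and a password history. The history is kept as salted PBKDF2 hashes rather than the old passwords themselves, so that remembering previous passwords does not itself create a store of reusable secrets. The username "alice" and the candidate passwords in the demo are constructed test values, and the history depth, PBKDF2 round count and rule wording are this example's own choices.

```python
import hashlib
import hmac
import os
import re

# Policy parameters following the article: 14-character minimum, and the
# last few passwords remembered so they cannot be reused. The depth and
# round count are this example's own choices.
MIN_LENGTH = 14
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000

# Denylist seeded from the top-25 list above; a real deployment would load
# a much larger breached-password list.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm", "1q2w3e",
}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 hash, so the history never holds passwords in clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def used_before(password, history):
    """True if the candidate matches any remembered (salt, digest) pair."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(username, password, history=()):
    """Return the list of policy rules the candidate breaks (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if not all(classes):
        problems.append("must mix lower case, upper case, digits and symbols")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character more than twice in a row")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    if used_before(password, history):
        problems.append("was used before")
    return problems


def record_password(history, password):
    """Add the new password's hash and keep only the last HISTORY_DEPTH entries."""
    return (list(history) + [hash_password(password)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed demo: user "alice" tries several candidates in turn.
    history = []
    for candidate in ["123456", "alice-Pass-2024!", "111222333aA!bbbb", "Tr0ub4dor&3-Staple-Horse"]:
        print(candidate, "->", check_password("alice", candidate, history) or "accepted")
    history = record_password(history, "Tr0ub4dor&3-Staple-Horse")
    print("reuse ->", check_password("alice", "Tr0ub4dor&3-Staple-Horse", history))
```

Returning the full list of broken rules, rather than stopping at the first one, gives the user a single clear message about what to change; comparing hashes with `hmac.compare_digest` keeps the history check constant-time.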

Being successful with your password policy

The two most important elements in being successful with your password policy are training and password management tools.

Training for success

Security is at the heart of the Zenos ethos. We believe that a strong security culture is the perfect way to make your password policy a great success. Make security part of your culture. https://www.cpni.gov.uk/developing-security-culture

Keep people in the know. It is important to keep your team up to date. Your password policy will fail unless all new employees are fully trained and all existing employees are given an annual refresher.

Tools for protecting passwords

According to the National Cyber Security Centre, password managers are an essential tool for keeping your passwords properly protected. https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers.

At Zenos we use password managers for both our own team, and for our clients. To find out how password managers can help to improve your organisation’s security and the efficiency of your password policy, get in touch.