Verizon’s 2021 DBIR revealed that credentials were the most sought-after type of data in breaches. Credentials were stolen in 60% of breaches — more than medical, bank, or payment information. So, what password policy best practices can we adopt today to secure our accounts?
According to Verizon’s 2021 Data Breach Investigations Report (DBIR), 85% of social engineering attacks were launched to steal credentials. Using unique passwords is how we lock our accounts and devices to protect them from unauthorized users. Passwords are the first line of defense against unauthorized users and have to be impeccable. But having strong password security goes beyond just having strong passwords — it also requires having a useful and practice password policy in place as well.
If you’re looking to implement a password policy in your business, here are our top 12 password policy best practices to put into action away.
What Makes a Good Password Policy?
A password policy is a set of rules for an organization to create, store, use and secure strong passwords to ensure a secure network. If you want to set up a strong password policy, it’s crucial to find the perfect balance between security and convenience for the end user. If the policy is too difficult to follow, your employees might not follow it properly. On the other hand, if it is too lax, security will be compromised. To be effective, the policy has to be like Goldilocks’s porridge: “just right.”
You should think about the nature of your business and the level at which you work when developing your policies. If your website shares free recipes about baked goods, you might not need the same stringent policies as, say, an arms manufacturer. A security professional’s unbiased review of your organization will go a long way in setting up your password policies.
The National Institute of Standards and Technology (NIST) has some great information available in their Authentication and Lifecycle Management Guidelines (SP 600-63B).
Password Policy Best Practices
Now, let’s look at 12 password policy best practices that can strengthen your organization’s account security defenses.
1. When It Comes to Passwords, the Longer the Better
An organization should specify the minimum length of passwords for all users. Shorter passwords are susceptible to brute force attacks, which are attacks involving an attacker trying to repeatedly guess your username-password combination. Longer passwords take more time to crack by brute force attack because they require an attacker to try out a higher number of potential combinations.
The following table shows how long it takes to crack passwords of various lengths, as determined by Hive Systems. It clearly shows the importance of using longer passwords:
|No. of letters used||Whether numbers are used||Mix of uppercase and lowercase letters are used||Whether special characters are used||Time taken to crack the password|
|16||No||Yes||No||173 million years|
|16||Yes||Yes||No||3 billion years|
|16||Yes||Yes||Yes||92 billion years|
While forming your password policy, bear in mind that longer passwords are harder to remember, so employees might be tempted to write them down. This could lead to unauthorized people gaining access. So, try to balance the number of characters required for the passwords with the difficulty of remembering them.
The Federal Bureau of Intelligence (FBI) recommends using strong passphrases in place of passwords to make them easier to remember. For example, a passphrase like Istartedriding@6 is easier to remember than a random jumble of letters, numbers and characters like dg8GY%ire&cSIirn#. You can always switch letters with symbols and numbers to make a passphrase harder to brute force like i$tart3Drid1ng@6.
2. Pay Attention to Password Content
The above table also shows that when you mix special characters and numbers in passwords, it takes much longer for the criminals to crack them. So, using different types of characters is a smart choice.
- Never use personal information in passwords. Don’t use the account holder’s name or their birth date as a password, even with a combination of words and numbers. Using easily accessible information in passwords makes it easier for the bad guys to crack them.
- Be cautious using random number/letter passwords. Random characters are more complex than full words because they make dictionary attacks difficult. Using the password Apple@123 is much less secure than using a password like 29Dihfc$j as it is susceptible to a dictionary attack. But the flip side is that it’s a lot harder to remember, which can lead to being tempted to re-use it across multiple accounts or to write it on a sticky note that’s easily accessible.
3. Implement Strong Password and Account Management Policies & Practices
A password policy should clearly state the duration that the password is valid.
- Don’t set arbitrary password expiration periods. You should change your passwords whenever they are compromised. Mandatory password expiration might demotivate the employees who will be tempted to use weak or predictable passwords. If the expiration period is event based, they would be less likely to forget them as the period is generally longer. NIST recommends that passwords shouldn’t be required to change at set periods — only when they’ve been breached. The idea here is that since passwords should be memorized, making users change them arbitrarily is unnecessary.
- Direct new users to change preset passwords immediately. New users with accounts with preset passwords should be required to immediately change their password for a stronger one. Preset passwords can make the system vulnerable to cyberattacks.
- Delete dormant accounts. Your cyber security policy should include deleting accounts of former employees as soon as they leave the organization. Abandoned or unmonitored accounts are a huge security threat — if an ex-employee has access to your company network because you never deactivated their account, they could use it for malicious purposes.
4. Restrict Password Re-Use Across Multiple Accounts
When large breaches occur, a huge amount of data is leaked, including the usernames and passwords of many account holders. If a person uses the same password for multiple accounts, it’s easier for a criminal to hack into their other accounts too.
Let’s say it loud and clear for everyone reading this: Never re-use passwords. Often, people use one password and alter it to suit different accounts. For instance, if the password for one account is password&1, the password for another account is password&2, and for a third account it is password&3. Cybercriminals are well aware of account holders’ little tricks to remember passwords. This makes it possible to brute force all the passwords if one of them is breached.
It is highly risky to use the same password (or a slightly different password) to, say, read an online magazine and also operate your workstation. So, it is advisable to direct your employees to use entirely unique passwords for all their accounts.
5. Maintain a Password Blocklist
A password blocklist, or blacklist, is a list of weak passwords and their variants that are not allowed to be used as a password in the organization. The list could include:
- The most common passwords
- The name of the organization
- Anything related to the organization
- Passwords that have been published or sold online
After a study of Fortune 500 companies, NordPass found that 20% of passwords contained the company name or a variation. For example, if the name of the organization is Atlas Steels, using Atlas or Steel in the password would make it vulnerable. If you work for Facebook and use a password that includes Zuckerberg, guessing your password won’t require an attacker to be a rocket science! A blocklist helps to avoid this issue. The blocklist should be updated regularly to make it more effective.
6. Prohibit Password Sharing
Passwords are part of your unique credentials and are meant to be kept secret. The more people know them, the less secure they are. Even if you have great password hygiene, that doesn’t mean that the person you share your login credentials with operates the same way. This leaves your account — and everything you have access to — at risk.
This is why it’s crucial to communicate the following to your employees and make it part of your official password policy:
- Never share passwords. Period. As an extension to that rule, passwords should never be messaged, emailed, or sent over written communication.
- Use a secure communication channel if you do have to share it. We get it, life happens and, sometimes, you may find yourself using a shared login for access to specific services. If you do wind up having to share a password for something, be sure to do it through a secure channel such as an encrypted email. And it’s best to immediately change the password to something unique and new right away once you no longer need to share the secret.
7. Strengthen Passwords for Privileged Users
Privileged users, such as admins, have more access privileges than other network users. They might have access to information about other users or customers, including sensitive data. So, because privileged users have so much access, their passwords need to be extra strong.
- Privileged users should protect their accounts. Privileged users should adopt stringent security measures to secure their accounts as they are also protecting other people’s data.
- Use more stringent policies for privileged account holders. A privileged account holder is in possession of more sensitive data. In case of breach, if the data of a CEO or IT admin is lost, the company might have to suffer more damages than a breach involving a regular user. Therefore, an organization should have different policies for both types of users.
- Communicate the additional security policies to privileged users. If you fail to communicate the additional security requirements to the privileged user, they might not be aware of the risks the organization faces.
8. Keep Passwords Secure
So, now your employees have beefed-up passwords, and you’ve directed them to use different passwords for different accounts. Problem solved, right? Wrong. A recent study by NordPass reported that:
- 70% of people surveyed had more than 10 password-protected accounts.
- 20% had more than 50 password-protected accounts.
- 30% of the people found it stressful to manage the passwords.
As a result of the stress of handling too many passwords, employees might be tempted to:
- Write their passwords down on post-it notes and stick them to their devices.
- Make a spreadsheet of their passwords.
- Use a physical notepad to store their passwords.
- Re-use their passwords across multiple accounts.
All these practices should be banned by the management in an organization. When forming policies, management should inform employees about the dangers of doing so. So, how do you remember all the passwords? Well, that’s where password managers come into the picture.
9. Use a Password Manager
Password managers are specially designed programs that keep all your passwords secure in one place. A password manager can also generate and store strong passwords for all your accounts without you racking your brains to remember them. To access your accounts, you just need to remember the password for the password manager.
A password manager can also store:
- Information about your devices, including their serial numbers, warranty, and insurance details
- Important document information, including your passport number or your social security number
Encourage your employees to use a legitimate, trusted password manager to securely generate, store, and use their passwords.
10. Be Aware of Legal Obligations
Many regulations govern the organizations that collect and store their users’ data. Some of these regulations include:
- Health Insurance Portability and Accountability Act (HIPPA) — Covers the U.S. healthcare sector
- General Data Protection Regulation (GDPR) — Covers data privacy of European Union residents.
- California Consumer Privacy Act (CCPA) — Covers the data privacy of California residents.
- Payment Card Industry Data Security Standard (PCI/DSS) — The standard for all organizations that accept online payment
Failure to follow these regulations where applicable can result in serious consequences.
11. Use Multi-Factor Authentication or Passwordless Authentication
Having a well-rounded password policy that everyone follows in the organization will create a more secure network and strengthen your organization’s overall defenses. However, Verizon’s DBIR reported that 17% of breaches are the result of human error. So, you should consider that while creating a password policy. Multi-factor authentication is one way to reduce the possibility of such errors.
Even if an employee stores their passwords in a password manager, you should also encourage them to use multi-factor authentication (MFA). If the bad guys get hold of the password for their password manager account, they’ll gain access to all the secrets stored in there. But using MFA as an extra layer of security can limit that possibility — you’ll be sure that only the authorized user is able to access the manager.
Another option is to get rid of passwords altogether by using a passwordless authentication method. This entails using a public key infrastructure (PKI) unique digital certificate that identifies and authenticates you as the legitimate users.
12. Communicate Your Password Policy (and Enforce It)
If you have a first-class password policy that your employees don’t know about, the policy is a waste of time.
- Communicate the policy to all users and enforce its usage. This includes all of your employees and other network users; train them on how to follow it and enforce the policy when necessary.
- Ensure your policy is comprehensive and meets your needs. Provide clear directions regarding the policy requirements and the repercussions of failure to follow it in the policy document
- Review and update your policies. Review the effectiveness of your password policy regularly and make changes whenever necessary, communicating changes to employees
Final Thoughts on the 12 Password Policy Best Practices
Every organization needs a strong framework for cybersecurity. A company should have staff dedicated to protect your organization against cyber threats. If you have strong security policies but don’t bother enforcing them, then you risk your employees opting not to follow the rules. (Why should they bother if they don’t get so much as a slap on the wrist?)
The cybersecurity staff can inspect the online behavior of all the employees. Revisiting the effectiveness of the policies will help you have clearer view on its drawbacks. The management can redraw the policy as and when they seem fit. Every business has different requirements depending on its size, nature, and cyber threat scenario. Therefore, instead of blindly following a cookie-cutter set of rules made by third parties, the management should make their personalized policy.
An effective password policy is clear, concise, and communicated to every person who has access to the company network. Failing to implement the password policy will have serious consequences for the organization. Therefore, utmost care should be taken to implement it.