Password Policy Best Practices
Businesses must follow best practices for password policies to adequately protect private, sensitive, and personal communication and data. Passwords are the first line of defence that system end-users rely on to prevent unauthorised users from gaining access to protected systems and information. Proper password policies and procedures must therefore be created to mitigate the security problems caused by bad password practices and insecure passwords.
Password policies are a set of guidelines that are designed to improve computer security in the face of increasing cybersecurity concerns. To ensure effective utilization of the system, the policies encourage system users to develop secure, dependable passwords and maintain them securely. Developing robust password policies, maintaining them, and making necessary updates are all responsibilities shared by every firm.
Important Considerations When Creating a Strong Password
According to a recent Verizon Data Breach Investigation Report, hackers take advantage of any chance that arises as a result of inadequate password policy best practices. As revealed by the survey, one of the most common reasons for cyber-attacks and data breaches is the usage of complex password restrictions that do more harm than good. Furthermore, stolen credentials (such as usernames and passwords) and phishing attempts were identified as the most effective tactics for penetrating a secured system by the researchers.
A 2019 State of Password and Authentication Security Behaviors Report uncovered some fascinating information about employee password protection as if inadequate password policies weren’t bad enough. It was discovered that 51 per cent of those who took part in the survey used the same password to protect both personal and commercial accounts. While this was going on, 68 per cent of those who took part in the survey admitted to exchanging important passwords with their colleagues. A further concerning tendency is that 57 per cent of those who have been subjected to a phishing assault have admitted that they have not adopted more secure password procedures. These are disturbing numbers that highlight why organizations across all industries must adhere to comprehensive password policy best practices to remain competitive.
Standards for Password Policy Currently in Effect
Passwords are designed to be used to overcome authentication hurdles, but they have instead become a source of major concerns. The vast majority of users continue to use weak, easily guessable passwords and repeat them across several accounts. Password policies, on the other hand, adapt in response to emerging security requirements. As a result, professionals and regulatory agencies have placed a great deal of attention on the best password practices that should be followed.
The National Institute of Standards and Technology (NIST) is a federally funded research and development organisation
The National Institute of Standards and Technology (NIST) produces and updates information security rules and standards for all government agencies, and they are also available to firms in the private sector. NIST covers password policy concerns in Special Publication (SP) 800-63B (Digital Identity Guidelines – Authentication and Lifecycle Management). The publication presents a novel strategy for increasing the security of passwords. For example, it encourages system users to establish a password that is easy to remember yet difficult to guess; the publication refers to such passwords as memorized secrets. Other difficult password requirements that have been advocated in the past are likewise discouraged by the publication. User-chosen passwords must have a minimum of eight characters, whereas system-generated passwords must have a minimum of six characters.
According to the NIST document, passwords should also be checked against a list of values that are known to be commonly used, expected, or compromised before they are accepted. Dictionary words, passwords identified from previous breaches, sequential or repetitive strings (e.g., 1234qwerty), and context-specific terms are all examples of passwords that are rejected by such a check. The following are additional NIST password policy best practices:
- Enable the paste functionality on the password entry field so that password managers can be used conveniently.
- Store a salted hash of each password rather than the password itself.
- Allow users to see their password as they type it, as an alternative to the usual dots or asterisks.
- Enable two-factor authentication.
- Request memorised secrets only over an authenticated protected channel that uses approved encryption.
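As an added illustration (not code from this page or from NIST), the following Python sketches a verifier that applies the rules above: a length check with no composition rules, a blocklist of compromised, expected and context-specific values, and slow salted hashing for storage. The sample breach list, the PBKDF2 work factor and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample of a compromised/expected-password list; a real verifier
# would load a breach corpus of the kind NIST refers to.
BREACHED = {"password", "123456", "qwerty", "letmein", "1234qwerty"}
MIN_USER_LEN = 8      # NIST minimum for user-chosen memorized secrets
MAX_LEN = 64          # verifiers must accept at least this many characters
ITERATIONS = 200_000  # illustrative PBKDF2 work factor (assumption)

def _is_sequential(s: str) -> bool:
    """True for keyboard-style runs such as 'abcdefgh' or '87654321'."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps <= {1, -1}

def check_password(candidate: str, username: str, service: str) -> list:
    """Return the reasons a candidate is rejected (empty list = accepted).
    Length and blocklist checks only, no composition rules, as in SP 800-63B."""
    pw = unicodedata.normalize("NFKC", candidate)  # normalise before comparing
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_USER_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if low in BREACHED:
        reasons.append("found in breach list")
    if len(set(low)) == 1 or _is_sequential(low):
        reasons.append("sequential or repetitive")
    # context-specific words: the user's own name or the service name
    if any(w and w in low for w in (username.lower(), service.lower())):
        reasons.append("contains context-specific word")
    return reasons

def hash_password(pw: str) -> tuple:
    """Store a per-user random salt plus a slow salted hash, never the password."""
    salt = os.urandom(16)
    key = unicodedata.normalize("NFKC", pw).encode()
    return salt, hashlib.pbkdf2_hmac("sha256", key, salt, ITERATIONS)

def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    key = unicodedata.normalize("NFKC", pw).encode()
    calc = hashlib.pbkdf2_hmac("sha256", key, salt, ITERATIONS)
    return hmac.compare_digest(calc, digest)  # constant-time comparison
```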
Suggestions from the Department of Homeland Security (DHS)
The Department of Homeland Security has developed a card that may be used to generate strong passwords, to assist users in securing their systems and information from cyber-attacks. The card contains simple instructions, some of which are identical to the NIST password requirements, to help lessen the likelihood of a security problem.
The following are some suggestions:
- Passwords with more than eight characters should be used.
- Make a passphrase that combines upper-case and lower-case letters as well as punctuation marks to protect your account.
- When creating passwords, stay away from utilising common words and personal information.
- Make sure to use different passwords for each account.
Password Policy Recommendations from Microsoft
For both end-user password rules and administrator password policies, Microsoft has drawn on information gathered over several years to produce recommendations. The data comes from tracking threats such as phishing attacks, botnets, trojans, and worms, among others. Microsoft also emphasizes the importance of continuous employee training to guarantee that all system end-users are aware of the most recent security issues and can implement password policy changes efficiently and effectively. Following best practices in access and identity management, the Microsoft password policy model proposes passwords that are based on the following criteria:
- Consistently use passwords of eight characters.
- Do not require users to include special characters such as *&(%$ in their passwords.
- Do not require regular password resets for user accounts.
- Inform system users of the dangers of reusing the same passwords on multiple accounts.
- Multi-factor authentication should be enforced.
Recommendations for Best Practices in Password Policy
System administrators in all organisations should take the following recommendations into consideration when developing a strong password policy:
Require multi-factor authentication as a matter of course.
Multi-factor authentication (MFA) helps to protect data and information systems by requiring users to submit additional proof of their identity in addition to their password. Users must enter the correct combination of login and password and then supply a further form of identification, such as an SMS code sent to a mobile device or the confirmation of a biometric that has been registered as an additional authentication method. MFA prevents users who do not have the necessary access privileges from reaching protected information and IT infrastructure, and it protects locked assets from being accessed with stolen credentials.
Implement a Policy Regarding the Age of Passwords.
A minimum password age policy specifies the shortest amount of time a password must remain in use before it can be changed. Such a policy is important because it stops system users from immediately reverting to their old passwords once they have created new ones. The minimum password age should be set to a period of three to seven days. This gives users adequate time to change their old passwords while ensuring that they cannot cycle back to passwords they have previously used. System administrators should, however, take into account that passwords are susceptible to compromise: a minimum age requirement can prevent users from changing a compromised password, so administrators should be available to make the necessary change on the user's behalf.
Passphrases should be used.
Compared with single-word passwords, passphrases offer a higher level of protection. Consider the following sentence: “Every Sunday, I look forward to going to the Zoo.” Using the sentence to derive a password, such as ILSTATZES, produces an extremely strong password that is difficult to guess. Using the complete sentence as a passphrase, with a combination of capital and small letters, likewise minimises the likelihood of it being cracked. Although a passphrase is simple to memorise, it gives significantly greater security.
Enforce a Policy Regarding Password History
When asked to generate new passwords, the vast majority of users opt to re-use passwords that they have already used in the past. Although this is common practice, enterprises should adopt a password history policy that regulates how frequently a user can reuse an old password. A suitable password history policy requires the system to remember a minimum of 10 previously used passwords. By preventing password reuse, such a policy stops users from alternating between familiar passwords and keeps them safe. Hackers can employ techniques such as brute-force attacks to gain access to systems that are protected by commonly used passwords. A minimum password age policy is a complementary preventative control, although some users may still find a way to work around the restriction.
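The minimum-age rule from the previous section and the history rule from this one, as an added Python example that is not code from this page: each retired password keeps its own salt and hash so the system can test a candidate against the last 10 without ever storing plaintext, and the admin_reset flag models the administrator override for compromised passwords mentioned above. The function names, the three-day floor and the PBKDF2 work factor are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_AGE_DAYS = 3       # page: minimum password age of three to seven days
HISTORY_SIZE = 10      # page: remember at least 10 previously used passwords
ITERATIONS = 20_000    # illustrative PBKDF2 work factor; raise it in production
DAY = 86400

def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float                            # epoch seconds of the last change
    history: list = field(default_factory=list)  # (salt, digest) of retired passwords

def new_account(pw: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(salt, _digest(pw, salt), now)

def change_password(acct: Account, new_pw: str, now: float, admin_reset: bool = False) -> str:
    """Enforce minimum age and history. Returns 'ok' or the rejection reason.
    admin_reset skips the age check so a compromised password can be replaced at once."""
    if not admin_reset and (now - acct.changed_at) < MIN_AGE_DAYS * DAY:
        return "minimum password age not reached"
    # each stored entry keeps its own salt, so recompute the candidate per entry
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if hmac.compare_digest(_digest(new_pw, salt), digest):
            return "password was used recently"
    acct.history.insert(0, (acct.salt, acct.digest))
    del acct.history[HISTORY_SIZE:]              # forget anything older than the last 10
    acct.salt = os.urandom(16)
    acct.digest = _digest(new_pw, acct.salt)
    acct.changed_at = now
    return "ok"
```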
Create separate passwords for each account you want to protect.
Many users are tempted to use a single password for many accounts to avoid forgetting which password belongs to which account, and this is a common occurrence. It is a risky practice, because a malicious individual who compromises one account can then gain access to all of the others. Using a unique password for each account strengthens the security layer that protects those accounts. It is also critical not to re-use passwords that have previously been used to secure other systems. Password reuse and the use of a single password for several accounts make it easier for hackers to compromise information and information systems.
Passwords that are no longer in use should be reset immediately.
Because of their insider knowledge, disgruntled employees can become the most dangerous adversary for a company. As a result, system administrators must reset the passwords of accounts belonging to personnel who are no longer employed by the organisation. Retaliation, financial gain, and continuous access to critical information are all incentives that can motivate ex-employees to re-use their previous passwords and get access to sensitive information. Companies should empower their information technology and human resources teams to take action as soon as an employee exits the building. They should keep a record of the actions they conduct following the respective password policies.
Always log out of your account.
Employers should require employees to log out of their laptops when they leave their workstations. Insider threats and hackers can gain access to confidential information if employees do not sign out of accounts that are not in use. System administrators should configure computers to lock or sign out after a specified period of inactivity to ensure that everyone follows the policy. Moreover, users should remove any permissions that have been granted to third-party programmes integrated with the main account. Hackers can use applications with weaker security to acquire access to the main account’s credentials.
Observe a “Clean Desk Policy”
A clean desk policy is one of the most effective password policy best practices, and it can be implemented quickly. It requires users to ensure that their desks and workstations are free of physical items that may contain sensitive information, such as passwords, before leaving them. Some users prefer to write down their passwords on a piece of paper so that they don’t forget them. They may, however, end up leaving those passwords in plain view, granting quick access to anyone who sees them. Users must ensure that their desks are tidy before departing to avoid this.
Encrypt Emails and Mobile Phones
Password resets for associated accounts can be accomplished by malicious actors using mobile phones and email accounts. In most cases, a “lost password” tool is available, which allows users to receive a unique link or code on their designated device or email account, which they can use to generate a brand new password. Anyone who has access to the devices or email accounts can change passwords at any time while still maintaining access privileges. Devices can be protected in several ways, including by employing strong passphrases and biometric security, such as fingerprint identification.
Make use of a password manager.
Professionals and businesses are increasingly prioritising the use of password manager software. Using password manager solutions, such as Zoho Vault and LastPass, to organise passwords and maintain a high level of password security is a convenient way to protect your data. When using a password manager, users only need to remember a master password to gain access to the other passwords stored in the manager. Password managers are also advantageous because they suggest strong passwords to safeguard separate accounts and allow a user to sign in without having to type anything. It is highly advised that, whenever possible, you use a password manager to create and automatically save your passwords.
Practices to Avoid
When it comes to password security and management, best practices for password policy prohibit the following:
- Using Dictionary Terms: When creating a password, users must avoid using words that can be found in a dictionary. Dictionary attacks are capable of exploiting passwords that contain dictionary words, regardless of whether the password is a single word or a mixture of words in the dictionary.
- Using Personal Names as Passwords: Using passwords that are a reflection of a person’s or a place’s name is a weak and insecure practice. By utilising social media, hackers can scan a target’s social media profile for key personal information such as family members’ names and often visited locations, which they can then use to crack a password. Aside from that, minor variations in personal information do not affect password security because cyber attackers can carefully attempt all letter and word combinations to obtain the proper password without notice.
- Reusing Old Passwords: Industry experts cannot emphasise enough the dangers of reusing old passwords in the same account or across numerous accounts at the same time. Users must generate entirely new passwords, as reusing passwords raises the risk of hostile actors and insider threats cracking them and gaining access to sensitive information.
- Using String-Based Letters: Users can be confident that any string of adjacent keyboard letters, such as qwertyuiop or mnbvcxz, will be found in a password dictionary, and should avoid them. String-based letters are straightforward to decipher.
- Password Revealing: Users should refrain from sharing their passwords with their coworkers or other individuals. Not only can shared passwords be misused, but they can also be intercepted by cybercriminals if they are transmitted through unsecured channels.