Best Practices for Password Policies

Passwords used to be a secure form of authentication; now, they’re vulnerable. However, they are still the most common method of authentication, and so, IT teams and organizations are determining ways to keep password usage while also strengthening it. This is the case for password policies. When we talk to previous customers, we find out that: 

  1. Users tend to make simple passwords (e.g. password123) since it is easy to remember, but these tend to be high risk as 80% of all data breaches involve stolen passwords. 
  1. Users create stronger passwords with special standards, like characters and numbers but tend to forget them, requiring IT Help Desk Support and slowing down workflows. 
  1. A user could be coming back from vacation and forget their password. 

It’s not too much of a stretch to say that almost all IT professionals understand the foundations of good password management and compliance. Elements like password length, complexity, and strength are all common components of compliance and the backbone of a good password policy. While we know passwords are an important security factor, organizations need to look at these best practices to improve their password policies. 

What are Password Policies 

As slightly aforementioned, password policies lay out the foundation for users within an organization to set their password. In other words, this means determining the length of a password, how complex it must be (meaning adding special characters, capitalizing letters, or numbers), and how often they expire. Password policies are set in place to mitigate the risk coming from threat actors stealing user credentials, and so the goal with password policies is to strengthen the organization’s outer layer. 

With the COVID-19 pandemic, users are most likely working a part of their work week at home, meaning threat actors have weaponize a user’s home to compromise the organization’s backbone. This means users need stronger passwords, but unfortunately, users are not willing to make their own password complex, adding random characters and such. Therefore, password policies are important, to set a guideline for users to maintain higher security standards. 

What are good password policies 

Not all password policies are equally as effective. Some may be a hindrance to your users while others may make a good impact. Here are some common password policies that you may consider. 

Password Expiration Policy 

Password expiration policy is self-explanatory. How long will your current password last? Password expiration is important to mitigate risks as threat actors will no longer be able to use older passwords to crack into your account. As what we have seen from the JBIS and Colonial Pipeline data breaches, old passwords that have not been changed or expired can shut down a large company. Imagine a threat actor found an old password of yours but was surprised to find out that it no longer works; most likely because you changed your password due to it being expired. 

However, IT admins should be careful on implementing overly aggressive password expiration policies. These can lead to increased help desk calls as more end-users will call to manually reset their password. Additionally, having an aggressive password expiration policy can eventually weaken the strength of a user’s passwords as a result of password fatigue. When users have to constantly reset their passwords, they often choose passwords that are easy to change like password3 to password4, making it easier for hackers to compromise once they notice the pattern. 

There is a fine line between compliance and over compliance that can lead to a poor user experience and an increase in help desk costs. 

Length of Passwords vs Complexity of Passwords 

Which is stronger, a more complicated password with special characters and numbers or a long password around 15-16 characters? While many users should adopt both, NIST (National Institute of Standards and Technology) and other groups are leaning toward length over complexity. 

See, users are predictable. When limited to standard complexity requirements, users will often follow simple patterns that make attacking and cracking their login much easier.  However, with additional resources in place, such as enforcing a minimum number of different characters, and requiring password changes less frequently, complexity can be enough for most environments.  After all, ensuring passwords follow a high level of complexity is still a valid strategy. However, end users fall into poor security practices because complexity is often too difficult to follow and maintain.  

The reason end-users prefer length over complexity is because it is much simpler to follow. This does not make longer passwords better from an objective standpoint. Rather, relying on longer passwords is often more practical for the standard end user.  After all, when you boil right down to it, length is just another factor of complexity. It is easier to think of a long password – or pass phrase – than it is to come up with a new method of incorporating numbers and symbols. 

Policies that focus primarily on length often opt for the term ‘pass phrases’ because of the literal and representative meaning behind it.  If you ask an end-user to come up with a sentence or phrase as a password (grammar included) you are enforcing complexity without badgering the user. Phrases are easy to remember, and technically speaking, they are harder to crack. 

For example, the password: Brooklyncooks240pizzasaweek! is a good example that contains 28 characters that is easy to remember, but not easy to guess. 

Minimum Password Age Policy Best Practices 

Minimum password age is a confusing topic for some. Minimum password age means that users must use their new, set password for at least a certain amount of time (some organizations: 24 hours, others: 6 months) before they can reset their password. Again, users are predictable, and so in this case, users may have favorite passwords they like to use whether it was easy for them to remember, or they believe their password is secure, etc. However, after using ‘a favorite password’ and having to reset it, they cannot use the password again, so they are stuck with choosing a new password that they do not like. 

Therefore, many companies have a password reuse policy where users cannot reuse their last two passwords, but this means that users will be able to use their favorite password eventually. What users end up doing is resetting their password until they can use their favorite one again.  

Minimum password age solves this issue by requiring users to use their password for a certain amount of time before changing it.  

Why are password policies necessary? 

A quick Google search on password compliance will turn up any number of articles on specific regulatory requirements, best practices and industry standards. The National Institute of Standards and Technology (NIST) has a 40 page offering on Password Management and Recommendations (NIST 800-18 Draft), and there are numerous regulatory guidelines for SOX, PCI-DSS, HIPAA, GLBA, and CJIS with each one offering their own specific aspects of what is required for compliance.  

Regulations are great at setting the expectations and “rules-of-the-road” when it comes to writing, implementing and incorporating best practices into your policies and procedures, but they don’t often do a very good job at anticipating and reacting to human behavior when it comes to compliance and doing the right thing. 

As an organization, you can decide to set the bar very high with regards to your internal policies – including your password expiration policy and the like – to make sure that they easily exceed regulatory expectations. While there is merit in this approach in that you make every compliance auditor as happy as possible, you need to be keenly aware of some of the unintended consequences that a stringent password policy can engender. 

These password policies and best practices are a guideline, not a group of rules to implement, and knowing what your users want is going to help you finalize the password policy as needed. Finding the balance between security and convenience is not easy, but it does not have to be difficult either. 
If you keep the above guidelines when building your Password Policy, your users will be utilizing stronger passwords, but these days, passwords alone are not enough. Even with longer and more complex passwords, hackers find a way, especially as more hackers acquire more complex techniques that can break through the strongest of password security requirements and best practices. 
If you implement a strong password with a well-integrated and flexible Identity Access Management (IAM) solution, you will be proving ease of access to your users while enhancing your cybersecurity infrastructure. PortalGuard is the IAM solution that puts you back in control, providing flexible Single Sign-On and authentication options and password standards that meet your security goals and deliver an optimized user experience. 
Learn more about password security, best practices, and how to make your password stronger with other authentication methods here

Find out what PortalGuard® can do for your business.