Published - Sat, 05 Nov 2022

Password policy recommendations: Here's what you need to know.

Complexity, uniqueness, and periodic change have long been the top best practices for passwords, but new recommendations have led to changes around password policies.

Passwords were supposed to fix authentication. Instead, they have become a source of significant problems. Users continue to choose weak or simple-to-guess passwords and reuse the same passwords on multiple services. They also tend to question restrictions: "Which of these rules are reasonable? Which are most effective? Why do we have all these requirements?"

Password policies continue to evolve even if user attitudes have not. Experts suggest placing more emphasis on checking passwords against known weak password lists and focusing less on password expiration policies. Here are the current best practices in use:

  • Set complexity requirements, such as meeting a character minimum, and use certain character types (mixed case, numerals, and special characters).
  • Prevent users from choosing previously used passwords.
  • Require passwords to be changed periodically and perhaps frequently.
  • Check passwords against lists of most-common or especially weak passwords.

Password standards

The National Institute of Standards and Technology (NIST) addressed the question of password policies by issuing NIST Special Publication 800-63B (Digital Identity Guidelines – Authentication and Lifecycle Management). Section 5.1.1 “Memorized Secrets” has much to say about passwords and how they should be managed and stored. The requirements are actually pretty lenient: User-supplied passwords must be at least eight alphanumeric characters; passwords randomly generated by systems must be at least six characters and may be entirely numeric.

NIST has been updating its standards, and the most significant new requirement is that the system must check prospective passwords against “a list that contains values known to be commonly used, expected, or compromised.” Types of passwords that might be disallowed based on such checks include:

  • Passwords obtained from previous breaches
  • Dictionary words
  • Repetitive or sequential characters (e.g., aaaaaa or 1234abcd)
  • Context-specific words, such as the name of the service, the username, and derivatives thereof
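As an added illustration (not code from the article), the following Python function applies the four screening checks listed above to a candidate password and returns the reasons it would be rejected. The breached-password set and the dictionary are constructed sample data standing in for a real breach corpus and word list; the leet-reversal map, the run length of four for repetitive and sequential characters, and the eight-character minimum are assumptions made for the example.

```python
import re
import unicodedata
from typing import Iterable, List

# Constructed sample lists. A real deployment would load a breach corpus
# (for example a downloaded Pwned Passwords file) and a dictionary file.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "password1"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "football", "welcome"}

# Reverse common leetspeak substitutions so "P@ssw0rd" still matches "password".
# The mapping is an assumption; extend it to match the lists you actually use.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lowercase, undo leet substitutions and drop non-alphanumerics for list matching."""
    pw = unicodedata.normalize("NFKC", pw).lower().translate(_LEET)
    return re.sub(r"[^a-z0-9]", "", pw)


def has_repetitive_run(pw: str, n: int = 4) -> bool:
    """True if any character repeats n or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequential_run(pw: str, n: int = 4) -> bool:
    """True if n or more consecutive characters step by +1 or -1 in code point
    (e.g. '1234', 'abcd', 'dcba')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def context_hits(pw: str, context: Iterable[str]) -> List[str]:
    """Context-specific tokens (username, service name) found in the normalized
    password, forwards or reversed. Tokens shorter than 3 characters are ignored."""
    norm = normalize(pw)
    hits = []
    for token in context:
        t = normalize(token)
        if len(t) >= 3 and (t in norm or t[::-1] in norm):
            hits.append(token)
    return hits


def screen_password(pw: str, username: str, service: str,
                    breached=BREACHED_PASSWORDS, dictionary=DICTIONARY_WORDS,
                    min_len: int = 8) -> List[str]:
    """Return the list of reasons a password is unacceptable; empty means accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too_short")
    norm = normalize(pw)
    if pw.lower() in breached or norm in breached:
        reasons.append("breached")
    if norm in dictionary:
        reasons.append("dictionary")
    if has_repetitive_run(pw):
        reasons.append("repetitive")
    if has_sequential_run(pw):
        reasons.append("sequential")
    if context_hits(pw, [username, service]):
        reasons.append("context")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "1234abcd", "aaaaaa", "Acme2023!", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {screen_password(candidate, 'alice', 'acme') or 'accepted'}")
```

The checks are deliberately run in full rather than stopping at the first failure, so the user can be told everything that is wrong with the candidate at once; matching against the lists is done on the normalized form so that trivial substitutions do not bypass the blocklist.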

To confuse the issue, NIST's recommendations are not specifically required; there is no organization whose role is to enforce these policies, and NIST's guidelines explicitly recommend against complexity requirements.

The rest of the NIST recommendations are smart measures based on common sense and real-world experience. For example:

  • The system should allow paste functionality on password entry, to facilitate the use of password managers.
  • Passwords should not be stored; the system should store a salted hash—the addition of random data in a one-way password hash—of the password.
  • The key derivation function to generate the salted hash should include a “cost factor”—something that takes time to attack, reducing the chances of a successful brute force attack.
  • Finally, as I’ve long argued for, the system should permit the user to display the password as it is being entered, rather than just asterisks or dots. Usually this option is invoked by clicking an eyeball icon.
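To make the storage recommendations concrete, here is an added Python example (not from the article) of a salted, cost-factored password hash using PBKDF2-HMAC-SHA256 from the standard library. The storage string layout, the 16-byte salt and the default iteration count are assumptions chosen for this example; the iteration count is the “cost factor” the text describes, and `needs_rehash` shows how stored hashes can be upgraded when that factor is raised later.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
# Assumed default work factor; tune it to current guidance and your login latency budget.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16  # random salt per password, so equal passwords hash differently


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.
    The plaintext password is never stored; only the salted, iterated hash is."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time."""
    try:
        alg, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if alg != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iters), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record uses an old algorithm or a cost factor below the current minimum.
    Call this after a successful login and re-hash with the plaintext you just verified."""
    try:
        alg, iters, _salt, _dk = stored.split("$")
    except ValueError:
        return True
    return alg != ALGORITHM or int(iters) < min_iterations


def measure_cost(iterations: int) -> float:
    """Seconds for one hash at the given cost factor; use it to pick DEFAULT_ITERATIONS."""
    start = time.perf_counter()
    hash_password("benchmark-only", iterations=iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print(f"cost at {DEFAULT_ITERATIONS} iterations: {measure_cost(DEFAULT_ITERATIONS):.3f}s")
```

Storing the algorithm and iteration count alongside each hash is what makes the cost factor adjustable: old records keep verifying with the parameters they were created with, and `needs_rehash` flags them for an upgrade the next time the user logs in.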
Windows password policies

Because the Windows domain password is the main password for users in so many enterprises, the default Windows policies are, at least, the starting point for most organizations. For many, there is no obvious reason to go any further than the defaults.

The Windows default settings are not necessarily the same as those in the Windows Security Baselines, which are groups of policy settings “based on feedback from Microsoft security engineering teams, product groups, partners, and customers.” The baselines are included in the Microsoft Security Compliance Toolkit, which also includes policy-related tools for administrators. The Security Baselines serve as another very common setting, by virtue of being a Microsoft-endorsed configuration.

The most interesting settings, at least recently, are the minimum and maximum password age. The minimum age is the number of days before users are allowed to change a password. The maximum is the number of days after which users must change their password. The default minimum is one day, both for Windows and the security baselines; the maximum defaults to 42 days for Windows and, until recently, 60 days in the security baselines. These settings are enabled in almost all default configurations.

Created by Cignes Myjamia