The Complete Network Guide to Password Best Practices and Policies

Choosing the right passwords is the first line of defense in your organization.

Are your employees doing a good job choosing and protecting their passwords?

Password strength is very important. According to Verizon’s 2020 Data Breach Investigation Report, 81% of hacking-related data breaches involved either a stolen or a weak password. According to a separate analysis of 10 million stolen password by WordPress, the crack time for the average password – including professionals at Google, DropBox, and other tech companies – was just 22 seconds.

If so many people are getting it wrong, what makes a good password? For many years we’ve been told that it’s a password that contains a mix of upper- and lower-case letters, along with special characters or numbers sprinkled in. This idea originates from a paper written by Bill Burr who, in the early part of the 2000s, was a researcher at the National Institute for Standards and Technology (NIST).

The problem with this method? People tend to choose predictable patterns for adding those elements to a password, so often in fact that they have a negligible benefit to real-world password security. Among the 10 million leaked passwords we just mentioned, 8.4% of them added a “1” to the end of the password to satisfy the numerical character requirement. In a story published in the Wall St. Journal last year, Mr. Burr expressed his regret at writing the paper.

Since then, the NIST has released new recommendations for password strength, which you can read here in Special Publication 800-63B on Digital Identity Guidelines. Many of the suggestions contradict the earlier guidelines and the orthodoxy that took hold around them. Here’s what the NIST is recommending now:

Don’t Change Your Password Every 6 Months

This convention, which created trouble for employees and the IT staff, turns out to be false. A study originating right here in North Carolina shows that when forced to change passwords, people tend to just go from “tarHEEL1” to “tarHEEL2” or other minor variations. Those do nothing to increase security and, in fact, can harm it. Hackers have programs that exploit this predictability and can swiftly gain entry into those poorly protected systems. Similar research, conducted at Carleton University in Canada, yielded the same conclusion.

Don’t Focus on Upper Cases and Numbers

The second major takeaway from Special Publication 800-63B is to stop relying on upper case letters and numbers. While there’s still value to using special characters in passwords (like “#” or “%” symbols), this study by Matt Dell’Amico at Symantec Research found that because people tend to use uppercase letters at the beginning of their passwords and numbers at the end, their effectiveness in making your password uncrackable is severely diminished.

Are there any other conventions that are worth keeping in mind as to password security? Yes, there are.

The Longer the Better

There is ample evidence to show that the longer a password is, not just the more complex it is, the lesser the chance that a hacker will be able to crack it. The UK government released this article in 2015 advocating for 3 random English words as the basis for a strong password, a number which several sources – including this viral cartoon — have since revised upward to four random English words. Some sources even advocate six random words. The major takeaway is to make the password as long as you can feasibly remember.

But the random words are just the beginning, or they should be. While random words are an excellent foundation for a strong password, as this blog article from security consultant Paul Moore points out, they still need to be combined with strategically used special characters and numbers in order to maximize security.

Conclusion

Now that we know what a solid password consists of, it’s time to go build one. Get creative, and think about random words, with no apparent connection to each other, and then apply numbers or special characters in the middle of the password, avoiding all well-known conventions like replacing an “A” with a “4” or an “E” with a “3.” Password cracking software is trained to go straight for such weaknesses.

To discern whether your password ideas are strong enough, it may help you to use some of the available tools to do so, as they can give us a glimpse into how computers “think,” and help you design the most effective password possible. Try password strength checkers, like HowSecureIsMyPassword, to test your password ideas. Here’s an interesting “password meter,” developed by a joint collaboration between Carnegie Mellon and the University of Chicago that will score the strength of your password and give you a critique to help you improve its resiliency.

Are you responsible for managing passwords throughout your organization? Here are some final password tips for both users and system administrators that can help make sure bad passwords don’t cause your business trouble:

• Remember to change default or shared passwords – These take computers literally just a fraction of a second to discover and unlock.
• Have a lock-out mechanism – Your company should have a lock-out mechanism (3 – 4 login attempt maximum) to help prevent hackers from using a “brute force” approach to infiltration.
• Remind employees not to write passwords down – With insider attacks now presenting one of the most serious threats to enterprises, a password written on a scrap of paper can easily fall into the wrong hands.

Solving Cybersecurity Problems is Our Business

Do you need help implementing strong identity and access management controls, or securing other aspects of your company’s network or technology? The Complete Network team has a history of providing comprehensive, proactive cybersecurity services to help SMEs in a variety of industries defend against the latest cyberthreats. Get in touch, we’d love to answer any questions you might have and help you better secure your business.