To celebrate World Password Day we’re sharing a post by our very own Todd Skaggs on the evolving industry best practices for passwords!
Industry Best Practices
Todd Skaggs
BlueOrange Security Analyst
You have heard it often. From your IT team. From your Security Analyst. From the security email that you glance over during the morning scrum. “Passwords should conform to security industry best practices.”
You may be asking yourself, “What does that actually mean?”
Great question.
If you have the understanding that the industry best practice consists of a password that is at least 8 characters long with a combination of upper- and lower-case letters, maybe a number, and possibly a symbol that your software reminds you to change at least every 90 days, you’re not alone.
For decades (yes, decades), those particular parameters for a password were considered the minimum you would need to do in order to keep your credentials safe from nefarious sorts looking to steal your data. The original formula for how long a password of any given length and complexity could remain secure was documented in a Department of Defense publication [1] on Password Management guidelines in 1985.
The formula took into account the size of the alphabet used, the number of characters in the password, and the period of time before the password would be changed. All of these factors were then weighed against the length of time it would take a threat actor to guess the password if they were connected to the system via a 1200-baud modem.
If some of those words look foreign to you, that’s fine. The important thing to note is that the basics of how to create a strong password haven’t changed in nearly 40 years.
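The 1985 guideline expresses the relationship described above as P = (L × R) / S: the probability P that a password is guessed during its lifetime L, given an attacker guess rate R and a password space S = alphabet size raised to the password length. The following is an added example, not code from the post or from the DoD publication; the guess rates used in the comments and tests (8.5 guesses per minute over a 1200-baud line, 6e10 per minute for a modern offline attack) are constructed illustration values, not figures taken from either document.

```python
# Added example: the password-lifetime relation P = (L * R) / S from the
# 1985 DoD Password Management Guideline (CSC-STD-002-85).
#   P = acceptable probability of a password being guessed during its lifetime
#   L = password lifetime (expressed here in minutes)
#   R = attacker guess rate (guesses per minute)
#   S = size of the password space = alphabet_size ** length
# All numeric rates passed in by callers are assumptions for illustration.
import math


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def guess_probability(alphabet_size: int, length: int,
                      lifetime_days: float, guesses_per_minute: float) -> float:
    """P = L*R/S, capped at 1.0 (an attacker cannot exceed certainty)."""
    guesses = lifetime_days * 24 * 60 * guesses_per_minute
    return min(1.0, guesses / password_space(alphabet_size, length))


def minimum_length(alphabet_size: int, lifetime_days: float,
                   guesses_per_minute: float, max_probability: float) -> int:
    """Smallest length M such that A**M >= L*R/P (the required password space).

    Solving S >= L*R/P for the length gives M >= log(L*R/P) / log(A).
    """
    required_space = (lifetime_days * 24 * 60 * guesses_per_minute) / max_probability
    return math.ceil(math.log(required_space) / math.log(alphabet_size))


if __name__ == "__main__":
    # Lower-case letters only, one-year lifetime, a constructed 1200-baud guess rate.
    print("1985-style minimum length:", minimum_length(26, 365, 8.5, 1e-6))
    # Full printable ASCII, 90-day lifetime, a constructed offline cracking rate.
    print("offline-attack minimum length:", minimum_length(95, 90, 6e10, 1e-6))
```

The second call shows why the 1985 parameters no longer hold: once the guess rate is no longer bounded by a modem, the required length grows even though the formula itself is unchanged.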
It is also worth noting that in this same DOD publication from 1985, the use of passphrases was recommended over the use of a single password. Many security experts will still advocate using this format for any credentials. A passphrase is a series of unrelated words. It is recommended to use at least three non-related words of 5 characters or more.
There have been some recent changes to what are considered best practices. If you are still wondering where Information Security professionals find these guidelines, look no further than Special Publication 800-63 [2], Digital Identity Guidelines, published by the National Institute of Standards and Technology (NIST).
The current revision highlights what the Information Security community has long known: there is a fine line between the goal of keeping your systems secure and what users will be willing to do to help reach that goal. If something is too complicated or is introduced without the support of the users, they will often be the ones who find any shortcut possible to make their lives easier (and yours more difficult).
The NIST article is linked below, but some industry professionals agree on the following key best practices:
Use Passphrases
A passphrase of “purple Lemon coffee pickle” (including the spaces) is more secure than a password of “Puplep1ckl3s2021”.
If you are determined to use a password, NIST guidelines suggest that a longer password is more secure than a shorter password with complexity. For keeping Windows (Active Directory) accounts secure, your password should be at least 16 characters to avoid some commonly used account exploits.
Use Multifactor Authentication
Multifactor authentication notifies a device you own, separately from the site or application you are logging into. It provides an added layer of security by requiring proof that you are trying to access the site or application.
Use a Password Database
If users are required to have longer or more complex passwords, the tendency will be to reuse passwords across multiple sites or applications. If the credentials are discovered for one site, threat actors will try to use the same credentials for multiple sites in hopes that a user will have re-used the same credentials elsewhere.
By using a password database (LastPass; KeePass/Keeper; 1Password), users need only remember the password for the database and can store longer and more complex passwords in the password management tool.
Eliminate Frequent Forced Password Expiration Periods
Forcing a user to change a complex password on a frequent basis may introduce bad habits, such as just adding a “1” or a month or year at the end of an existing password. Threat actors and tools used to compromise security settings often take these habits into account when attempting to discover a user’s credentials.
It is better to have a longer password (or passphrase) that is changed less frequently, allowing the user to maintain stronger credentials and avoid poor password hygiene.
Equally important is to prevent passwords or passphrases from being reused.
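One way to enforce the last two points at password-change time is to reject a new password that is only the old one with a digit, month or year appended, the habit described above. This is an added example, not code from the post; the suffix patterns, the leet-speak substitutions and the sample passwords are constructed assumptions. Such a check has to run before hashing (where a Windows password filter or PAM module would), which is the only place the candidate password is visible in clear.

```python
# Added example: reject password changes that only append a digit, month or
# year to a previous password, or swap characters for look-alike symbols.
# The check runs on the candidate at change time, before it is hashed.
import re

# Full month names are listed before abbreviations so "december" is not cut to "dec".
_MONTH = ("january|february|march|april|may|june|july|august|september|"
          "october|november|december|jan|feb|mar|apr|jun|jul|aug|sep|oct|nov|dec")
# A trailing run of separators, digits, month names or years (e.g. "2021!", "March22").
_SUFFIX = re.compile(rf"(?:[!@#$%^&*._-]|\d|{_MONTH})+$", re.IGNORECASE)
# Common look-alike substitutions (assumed set): @->a, $->s, 0->o, 1->i, 3->e, 4->a, !->i
_LEET = str.maketrans("@$0134!", "asoieai")


def canonical(password: str) -> str:
    """Reduce a password to the stem a user is likely to carry between changes."""
    stem = _SUFFIX.sub("", password.lower())
    if not stem:                 # an all-digit/all-suffix password: keep it whole
        stem = password.lower()
    return stem.translate(_LEET)


def is_trivial_variant(candidate: str, history: list[str]) -> bool:
    """True if the candidate shares its stem with any previously used password."""
    new_stem = canonical(candidate)
    return any(new_stem == canonical(old) for old in history)


if __name__ == "__main__":
    # Constructed sample history for a single account.
    previous = ["Winter2020!", "Puplep1ckl3s2021"]
    for attempt in ["Winter2021!", "WinterMarch22", "purple Lemon coffee pickle"]:
        verdict = "rejected" if is_trivial_variant(attempt, previous) else "accepted"
        print(f"{attempt!r}: {verdict}")
```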
Monitor Accounts for Compromised Credentials
IT should take an active role in monitoring accounts to ensure they have not been compromised. Proactive review of audit logs, behavior analytics (“Why is Jenna logging in at 2AM when she’s on vacation until next Tuesday?”), and additional tools can be employed to ensure that accounts and credentials remain secure and are being used in an authorized manner.
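The Jenna scenario, as a small review pass over login records: it flags a successful sign-in outside the user's normal hours and a sign-in on a day the user is recorded as out of office. This is an added example, not code from the post; the log line format (ISO timestamp, user, result, source address), the business-hours window and the leave calendar are constructed assumptions.

```python
# Added example: flag accepted logins that happen outside business hours or
# while the user is recorded as on leave. Log format and data are constructed.
from dataclasses import dataclass
from datetime import date, datetime, time

# Constructed sample log lines: "<ISO timestamp> <user> <result> <source IP>".
SAMPLE_LOG = """\
2021-05-03T09:12:44 jenna SUCCESS 10.0.4.17
2021-05-04T02:03:10 jenna SUCCESS 203.0.113.9
2021-05-04T08:55:01 raj SUCCESS 10.0.4.22
2021-05-04T23:40:00 raj FAILURE 10.0.4.22
"""

# Constructed HR/calendar data: inclusive date ranges when a user is on leave.
OUT_OF_OFFICE = {"jenna": [(date(2021, 5, 4), date(2021, 5, 11))]}
# Assumed normal working window; anything outside it is worth a second look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass
class Finding:
    user: str
    when: datetime
    reason: str


def parse_line(line: str):
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts), user, result, src


def review_logins(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious accepted login in the log text."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, result, src = parse_line(line)
        if result != "SUCCESS":
            continue  # failed attempts are a separate signal; only accepted logins here
        if not (BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]):
            findings.append(Finding(user, when, "login outside business hours"))
        for start, end in OUT_OF_OFFICE.get(user, []):
            if start <= when.date() <= end:
                findings.append(Finding(user, when, "login while recorded out of office"))
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG):
        print(f"{f.when.isoformat()} {f.user}: {f.reason}")
```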
To sum up, the strongest defense against those seeking to compromise your security is education. Educate yourself and educate users on the importance of keeping their accounts secure. Help them understand the tools available to them and the need to be more diligent about security both at work and at home. By doing this, you can ensure that you and your users are in line with industry best practices!
Resources:
How strong is your password? Check it here:
https://howsecureismypassword.net/
Has your email been discovered in a breach?
NIST Digital Identity Guidelines:
https://pages.nist.gov/800-63-3/sp800-63-3.html
References:
[1] “Department of Defense Password Management Guideline” (CSC-STD-002-85, Library No. S-226,994), 1985.
[2] NIST Special Publication 800-63B Revision 3, “Digital Identity Guidelines”, https://pages.nist.gov/800-63-3/sp800-63-3.html