The Key Components For a Secure Password Policy (And Why Complexity Isn’t One)


Security pundits have long called for the banishment of passwords, but the fact is they aren't going anywhere anytime soon. In fact, 88% of organizations still use passwords as their main form of authentication. In this article, you'll learn about the key components of a secure password policy and why complexity isn't one of them.

Complexity is the Enemy of Security

Noted security expert and cryptographer Bruce Schneier once famously called complexity "the enemy of security." He was writing about systems: the more moving parts a system has, the harder it is to reason about and to defend. The same logic applies to password composition rules. Requiring special characters, numbers and mixed-case letters raises the theoretical keyspace, but in practice users satisfy the rules in predictable ways (a capital first letter, a digit and a symbol tacked on the end, "@" in place of "a"), and modern cracking tools encode exactly those substitutions as mangling rules. Against today's highly automated, GPU-accelerated dictionary and brute-force attacks, an eight-character "complex" password is no longer an adequate defense.

The Human Factor

People are creatures of both habit and convenience, and complex passwords bring out the worst of both tendencies. Frustrated by having to create and remember complex passwords, users inevitably reuse old passwords, recycle the same word and character substitutions across accounts, bump a trailing digit at each forced change, and write reminders on paper or in unprotected files. No amount of password complexity can mitigate this kind of exposure: a password that an attacker can derive from the user's previous one, or read off a sticky note, gains nothing from its special characters.

NIST’s Latest Password Guidelines

NIST now recommends length, not composition, as the better lever for account security. Its current guidance, SP 800-63B, calls for longer passwords over complex ones: it sets a minimum of 8 characters for user-chosen passwords and requires verifiers to accept at least 64, so that users are never cut off when they choose a long passphrase. The same guidance tells verifiers not to impose composition rules or routine periodic expiry, and instead to check every candidate password against a blocklist of commonly used, expected and previously breached values. By allowing longer, more memorable passphrases, organizations can minimize the bad cyber-hygiene habits that arise when people cannot recall complex passwords.

Length Over Complexity

Longer, easy-to-remember passphrases let users avoid the predictable patterns and bad habits that lead to account compromise. A passphrase built from several words drawn at random from a large list is long, has real randomness built in, and is still memorable; and because it is memorable, users are less tempted to write down reminders that are exposed to prying eyes and theft. The randomness has to come from the generator, not the user: a phrase a person makes up, however long, draws on the same small pool of names, dates and favorite words that cracking dictionaries already contain.
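As an added example that is not part of the original article, the following Python generates passphrases and character passwords with a cryptographically secure generator and puts numbers on the length-over-complexity argument above. The wordlist, the 7,776-word list size, the 94-symbol alphabet and the guess rate of ten billion per second are assumptions made for the illustration; the figures describe secrets chosen uniformly at random, which is exactly what a human-chosen "complex" password is not.

```python
"""Added example, not code from the article: generating passphrases and
character passwords with a CSPRNG and comparing the entropy each gives.

The entropy figures assume the secret is chosen uniformly at random; a
human-chosen "complex" password never reaches the figure for its character
set, which is the article's point.
"""
import math
import secrets
import string

# Constructed, deliberately short wordlist so the example runs offline.
# A real generator loads a large published list (the EFF long wordlist has
# 7,776 entries); the entropy functions take the list size as a parameter.
DEMO_WORDLIST = [
    "anchor", "basil", "canyon", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_passphrase(wordlist, word_count, separator="-"):
    """Join word_count words drawn uniformly at random with the OS CSPRNG.

    secrets.choice rather than random.choice: the random module's Mersenne
    Twister is predictable from its output and is unsuitable for secrets.
    """
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_password(length, alphabet=PRINTABLE):
    """Random character password from the given alphabet, same CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words drawn uniformly from wordlist_size words."""
    return word_count * math.log2(wordlist_size)


def charset_entropy_bits(length, alphabet_size):
    """Entropy of length symbols drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate.

    The guess rate is an assumption the caller supplies; it depends on the
    password hash in use and the attacker's hardware.
    """
    return (2.0 ** bits) / guesses_per_second


def compare(word_count=6, wordlist_size=7776, char_length=8, alphabet_size=94,
            guesses_per_second=1e10):
    """Return (passphrase_bits, password_bits, passphrase_days, password_days).

    Defaults: six words from a 7,776-word list versus eight printable ASCII
    characters, against an assumed 10 billion guesses per second.
    """
    p_bits = passphrase_entropy_bits(word_count, wordlist_size)
    c_bits = charset_entropy_bits(char_length, alphabet_size)
    day = 86400.0
    return (p_bits, c_bits,
            seconds_to_exhaust(p_bits, guesses_per_second) / day,
            seconds_to_exhaust(c_bits, guesses_per_second) / day)


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(DEMO_WORDLIST, 6))
    print("password:  ", generate_password(8))
    p_bits, c_bits, p_days, c_days = compare()
    print(f"6 random words: {p_bits:.1f} bits, {p_days:,.0f} days to exhaust")
    print(f"8 random chars: {c_bits:.1f} bits, {c_days:,.1f} days to exhaust")
```

Run as a script it prints a sample of each and the comparison: six random words from a 7,776-word list give about 77.5 bits, eight random printable characters about 52.4 bits, and at the assumed guess rate the gap is the difference between days and hundreds of thousands of years. Human-chosen passwords of either shape fall far short of these figures, so the policy's job is to steer users toward the shape that stays strong even after the usual shortcuts.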

The Role of Multi-Factor Authentication (MFA)

MFA adds a second, independent check so that a stolen or guessed password is not enough on its own. Microsoft has reported that enabling MFA blocks over 99.9 percent of account hijacking attempts. When MFA is enabled, users must present at least one factor from a category other than their password in order to gain access to privileged systems or resources:

  • Knowledge (something you know): information only the user should know, such as answers to security questions
  • Possession (something you have): a physical object the user holds, such as a USB security key or smart card
  • Inherence (something you are): a biometric attribute such as a fingerprint, retina scan or facial geometry
  • Location (somewhere you are): a geolocation signal such as the source IP address or GPS coordinates
  • Behavior (something you do): a pattern such as whether the user always logs in at this time of day

Two caveats apply. A second knowledge factor such as security questions adds little, because the answers are often discoverable or reused, and NIST SP 800-63B does not recognize them as an authenticator. Location and behavior are better treated as risk signals that decide when to demand a stronger factor than as factors in their own right. Among possession factors, a FIDO2/WebAuthn security key resists phishing because the signature it produces is bound to the site's origin, whereas a one-time code the user types can be relayed through an attacker's proxy page.

Password History and Reuse Prevention

Password reuse remains a problem among end users, who share the same password across accounts and services (for example, using their corporate Active Directory password for a personal Amazon account). Password-history enforcement stops a user from recycling a password within one directory, but no control in your environment can see what the same person typed into a third-party site. The practical mitigation is to assume that some passwords in use have already leaked elsewhere and to scan regularly against breached-password databases, so that a credential exposed in someone else's breach is retired before it is replayed against your systems in a credential-stuffing attack.

User Education and Awareness

Strong passphrase creation and management go hand in hand with continuous education and awareness. End users are rarely aware of the latest security developments and need regular training on cyber-hygiene best practices, passphrase management and phishing recognition, to name a few. Look for solutions that give users dynamic feedback when they create, change or reset a password, so they see at once what they are doing right and, more importantly, what they are doing wrong.

The Role of Password Managers

Password managers minimize user friction by letting you unlock all of your account passwords with a single master password, which in turn makes it practical for every account to have a unique, randomly generated password. That is what reduces the attack surface: a breach at one service no longer exposes the others. Pair the manager with MFA for additional protection, and remember that the master password is now the single point of failure; it needs to be long, unique and known not to appear in any breach list.

Strong Password Policy Best Practices

You can reduce the overhead of managing password security across a large user base by implementing strong password policies. The following practices are crucial for enforcing them across the organization:

Enact Policy Enforcement Procedures

Tools like Specops Password Policy can automatically enforce password and passphrase policies, verify password strength, and check new passwords against databases of known breached credentials. Because a password that was clean when it was set can turn up in a breach dump later, prefer a tool that rescans existing passwords on a schedule rather than only at password change time.
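Here is an added example, not the article's code and not Specops Password Policy, showing what a check that follows the NIST guidance above looks like, together with the kind of breached-password lookup that this paragraph and the reuse-prevention section describe. The blocklist, the context words, the breach counts and the in-memory range table are constructed for the example; the range lookup imitates the k-anonymity API pattern that Have I Been Pwned uses, in which only the first five hex characters of the SHA-1 hash leave the client, but no network call is made here.

```python
"""Added example, not code from the article or from Specops: a password
acceptance check in the style of NIST SP 800-63B.

Length is counted in Unicode code points after NFKC normalization, no
composition rules are imposed, and candidates are rejected if they appear
on a blocklist of common, context-specific or breached values. The breached
lookup follows the k-anonymity range pattern used by Have I Been Pwned:
only the first five hex characters of the SHA-1 hash would ever leave the
client. The range data here is a constructed in-memory stand-in for that
HTTP call so the example runs offline.
"""
import hashlib
import unicodedata

MIN_LENGTH = 8     # SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 128   # assumption: 800-63B only requires that at least 64 be
                   # accepted; a cap bounds the cost of slow password hashing

# Constructed blocklist: values that satisfy typical complexity rules yet are
# among the first candidates any cracking rule set generates.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "p@ssw0rd1!", "welcome1!",
                    "summer2024!", "qwerty123"}


def _sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach service's data, keyed by 5-char prefix.
_BREACHED_RANGES = {}
for _pw, _count in {"password": 9_000_000, "P@ssw0rd1!": 30_000,
                    "letmein": 400_000}.items():
    _h = _sha1_hex(_pw)
    _BREACHED_RANGES.setdefault(_h[:5], {})[_h[5:]] = _count


def lookup_range(prefix):
    """Stand-in for GET /range/{prefix} on a k-anonymity breach API.

    Returns {suffix: count} for every known hash sharing the 5-char prefix.
    """
    return _BREACHED_RANGES.get(prefix, {})


def breach_count(password, range_lookup=lookup_range):
    """How many times the password appears in breach data (0 = not seen)."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def _is_repetitive(s):
    return len(s) > 0 and len(set(s)) == 1


def _is_sequential(s):
    if len(s) < 3:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas in ({1}, {-1})


def meets_legacy_complexity(password):
    """The rule this article argues against: 8+ characters, three of four classes."""
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def evaluate(password, context_words=(), range_lookup=lookup_range):
    """Return the list of reasons to reject; an empty list means accept."""
    reasons = []
    pw = unicodedata.normalize("NFKC", password)  # normalize before comparing/hashing
    n = len(pw)                                   # code points, not bytes
    if n < MIN_LENGTH:
        reasons.append(f"too short: {n} characters, minimum {MIN_LENGTH}")
    if n > MAX_LENGTH:
        reasons.append(f"too long: {n} characters, maximum {MAX_LENGTH}")
    folded = pw.casefold()
    if folded in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    for word in context_words:          # username, company or product names
        if word and word.casefold() in folded:
            reasons.append(f"contains context-specific word {word!r}")
    if _is_repetitive(pw):
        reasons.append("single repeated character")
    elif _is_sequential(pw):
        reasons.append("sequential characters")
    hits = breach_count(pw, range_lookup)
    if hits:
        reasons.append(f"seen {hits} times in breach data")
    return reasons


if __name__ == "__main__":
    ctx = ("jsmith", "Contoso")
    for candidate in ("P@ssw0rd1!", "correct horse battery staple", "Contoso2024!"):
        print(f"{candidate!r}: legacy complexity={meets_legacy_complexity(candidate)}, "
              f"reasons={evaluate(candidate, ctx)}")
```

The contrast the article draws falls out of the output: "P@ssw0rd1!" satisfies the legacy three-of-four-classes rule yet is rejected twice, as a blocklisted value and as a breached one, while "correct horse battery staple" fails the legacy rule and passes every check. Rescanning existing passwords later, rather than only at change time, means comparing the stored hashes against each new release of the breach list, which is only possible where the stored hash is in a form the breach list also provides (NTLM hashes for Active Directory, for example).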

Perform Regular Audits and Reviews

Regular password audits and reviews ensure that your organization's password policies keep pace with evolving threats. Regulatory and legal requirements for data security also change constantly, so audit regularly to stay compliant.

Create Comprehensive Incident Response Plans

By preparing in advance for the security compromises that will inevitably occur, your organization can respond at a moment's notice when a password breach is detected. A comprehensive incident response plan lets your security team reduce time to mitigate (TTM), contain the blast radius of a breach (for example by forcing resets and revoking active sessions for the affected accounts), and prevent the same incident from recurring.

In short, passwords are still the first line of defense for protecting privileged resources, but the methods for creating strong ones keep evolving. Prefer longer passphrases to complex passwords, check them continuously against breached-credential databases, and enforce the policy with tooling. Give end users continuous training on the latest password management and cyber-hygiene practices; solutions with built-in feedback at password-change time both reduce frustration and teach in real time.

Evaluate your current password policies and see how Specops Software can automatically check for compromised passwords in your environment, and not just at password change.
