MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Password Policy Best Practices 2021

Password Policy Best Practices 2021

A strong password policy is often the first line of defence against cyber attacks, yet many organisations continue to follow outdated guidelines that expose them to significant risk.

According to Verizon’s 2020 Data Breach Investigations Report, lost or stolen credentials remain the number one hacking tactic used by malicious actors to perpetrate data breaches, with compromised or weak passwords responsible for 35% of all breaches.

Password security has never been more important, especially with large numbers of the workforce continuing to work from home. The threat surface has expanded so it’s crucial that organisations update their password policy to educate staff on how to create strong passwords and provide a robust defence against cyber threats.

Previous guidance on password security tended to focus on uniqueness, complexity, and regular password changes; however, the latest advice has moved away from this as many of these password practices could in fact cause users to create weaker instead of stronger passwords.

The National Institute of Standards and Technology (NIST) has addressed the importance of password policies by issuing NIST Special Publication 800-63B (Digital Identity Guidelines – Authentication and Lifecycle Management). The publication provides up to date advice for organisations on how they can improve the authentication process and reduce the risk of a security breach.

Microsoft and the National Cyber Security Centre (NCSC) have all also updated their guidance on passwords to help organisations implement password policies that can defend against evolving threats and support the ways in which people naturally work.

To ensure your password policy is effective and meets the standards recommended by NIST, Microsoft, and the NCSC, we’ve compiled all the latest guidelines into actionable advice that your organisation can use to improve password security.

Password Policy Best Practices

Increase password length and reduce the focus on password complexity

Password Policy - length vs Complexity

In the past, advice on password security has focused heavily on the creation of complex passwords, but this often leads to the reuse of existing passwords with minor modifications. According to the National Cyber Security Council: “Complexity requirements place an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required ‘complexity’ criteria. Attackers are familiar with these strategies and use this knowledge to optimise their attacks.” Password length is often a much more important factor as a longer password is statistically more difficult to crack. NIST and Microsoft advise a minimum length of 8 characters for a user-generated password, and to bolster security for more sensitive accounts, NIST recommends organisations set the maximum password length at 64 characters. This allows for the use of passphrases. A passphrase is a password composed of a sentence or combination of words. It helps users memorise longer passwords and makes it more difficult for hackers to guess using brute force.

Screen passwords against blacklists

Password reuse is a common problem and according to a Google/Harris survey, 52% of people reuse the same password across multiple accounts. This risky behaviour has led to a huge surge in credential stuffing attacks as hackers attempt to cash-in on the billions of compromised credentials available to buy on the dark web. Using these stolen credentials, hackers can attempt to access additional user accounts using the same compromised password.

To combat this threat, NIST recommends that organisations utilise software that screens passwords against a blacklist that includes dictionary words, repetitive or sequential strings, passwords stolen in previous breaches, commonly used passphrases, or other words and patterns that hackers could guess. This screening process helps users avoid selecting passwords that pose a risk to security and will flag up if a previously safe password becomes exposed in the future.

Eliminate regular password resets

Password Policy - password resets

Many organisations require their employees to change their passwords at regular intervals, often every 30, 60 or 90 days. However, recent studies have shown that this approach to password security is often counter productive and can in fact make security worse. Typically, users will have multiple passwords that they need to remember, so when they are forced to do a periodic reset, they will resort to predictable behavioural patterns such as choosing a new password that is only a minor variation of the old one. They may update it by changing a single character or adding a symbol that looks like a letter (Such as ! instead of I). If an attacker already knows the user’s existing password, it won’t be too hard to crack the updated version. NIST recommends removing this requirement to make password security more user-friendly, and Microsoft advises: “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”

Allow password copy and paste

NIST has revised its previous guidance and now recommends the use of ‘copy and paste’ when typing in a password. This helps promote the use of password managers which undoubtedly increases security by enabling users to generate longer passwords which are more difficult to crack.

Limit Password attempts

Using brute-force attack, hackers may attempt to breach an account by systematically logging in and trying every possible combination of letters, numbers, and symbols until they work out the right password combination. One of the best ways to defend against this type of attack is limiting the number of password attempts that any single IP address can make within a certain time frame.

Don’t use password hints

Password hints are frequently used by organisations to help their users remember complex passwords. It may be a simple prompt or the user is required to answer a personal question such as ‘what city were you born in?’ or ‘What is the name of your first school?’. The answers to many of these questions can easily be found on social media by a determined attacker. This undermines security which is why NIST has advised organisations to drop this practice as it could potentially increase the chance of a breach.

Use Multi-Factor Authentication

Password Policy - MFA

Multi-factor authentication (MFA) is one of the most effective ways to provide additional protection to a password-protected account. According to Microsoft, accounts are more than 99.9% less likely to be compromised if MFA is enabled. However, a recent GetApp survey found only 55% of respondents use two-factor authentication for their business and personal accounts when it is available.

There are three types of authentication that can be used:

  • Something you know: A password, PIN, postcode, or answer to a question (ex: mother’s maiden name).
  • Something you have: A token, phone, credit card, SIM, or physical security key.
  • Something you are: Biometric data such as a fingerprint, voice, or facial recognition.

Some of these verification methods are undoubtedly more secure than others but essentially it means that even if someone steals or guesses a password, they won’t be able to access the account without another authenticating factor.

Train staff on password best practice

There’s lots of conflicting advice on what constitutes a secure password so it’s crucial that your staff understand best practice and are fully versed on what your password policy requires of them. Security awareness training should educate staff on:

  • The risks of reusing the same passwords across home and work accounts
  • How to create strong and secure passwords
  • How to enable MFA
  • How to use a password manager
Cyber Security Awareness for Dummies

about the author

sharing is caring

Share on linkedin
Share on twitter
Share on facebook

you might enjoy reading these

Request Demo

The personal information that you provide to us in this form will only ever be used by MetaCompliance (as the Data Controller) for the following specifically defined purposes:

  • email you content that you have requested from us
  • with your consent, occasionally email you with targeted information regarding our service offerings
  • continually honour any opt-out request you submit in the future
  • comply with any of our legal and/or regulatory obligations
  • All fields are required. No free emails.

  • This field is for validation purposes and should be left unchanged.