Don’t torture people with overly complicated password composition rules but do blacklist commonly used passwords, plus other ways to help people help themselves – and your entire organization
When engineer Bill Burr of the US National Institute of Standards and Technology (NIST) wrote, in 2003, what would soon become the world's gold standard for password security, he advised people and organizations to protect their accounts by creating long, ‘chaotic’ strings of letters, numbers and symbols – and changing them regularly.
Fourteen years later, Burr admitted that he regrets his past advice. “It just confuses people and they don’t pick a good password no matter what you do,” he told the Wall Street Journal.
Or, as the famous xkcd comic put it: “Through 20 years of effort, we have successfully trained everyone to use passwords that are difficult for humans to remember, but easy for computers to guess.”
These days, the average person has up to 100 passwords to remember, a number that has grown rapidly in recent years (although some people were already juggling about 50 passwords, including some offline codes, years ago, and security experts pointed out even then that such password habits and policies are untenable).
Indeed, research has found that people usually remember only up to five passwords and take shortcuts by creating easy-to-guess passwords and recycling them across multiple online accounts. Some substitute numbers and special characters for letters (for example, “password” becomes “P4?? Word”), but this still leaves passwords easy to crack.
In recent years, leading organizations such as the Open Web Application Security Project (OWASP) and, of course, NIST itself have changed their policies and advice towards a more user-friendly approach – while increasing password security.
At the same time, tech giants like Microsoft and Google encourage everyone to ditch passwords altogether and go passwordless. However, if your small or medium business isn’t ready to part with passwords, here are some guidelines that will help you and your employees in 2023.
Stop imposing unnecessarily complex password composition rules
Overly complex composition rules (such as requiring the user to include upper- and lower-case letters, at least one digit and a special character) are no longer mandatory. Such rules rarely lead users to set stronger passwords; instead they push users to act predictably and create passwords that are doubly bad – both weak and hard to remember.
Switch to passphrases
Instead of a short but hard-to-remember password, use a passphrase: longer and more complex, yet still easy to remember. For example, it could be an entire sentence that’s inexplicably stuck in your head, sprinkled with capital letters, special characters and emoji. While not terribly complicated, it still takes automated tools a long time to crack.
Several years ago, the minimum length for a good password was eight characters, consisting of lowercase and uppercase letters, symbols and numbers. Today, automated password-cracking tools can guess such passwords in minutes, especially if they are protected with the MD5 hashing function.
This is according to tests run by Hive Systems and published in April 2023. In contrast, a simple password consisting only of lowercase and uppercase letters but 18 characters long would take much, much longer to crack.
Aim for a minimum length of 12 characters – the more the better!
The NIST guidelines recognize length as a key factor in password strength and introduce a required minimum length of 12 characters and a maximum of 64 characters, measured after runs of multiple spaces are collapsed into one. All else being equal, the longer the merrier.
Allow all characters
When they set their password, users should be free to choose from all printable ASCII and Unicode characters, including emoji. They should also have the option of using spaces, which are a natural part of a passphrase – an oft-recommended alternative to traditional passwords.
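The length and character rules from the last few sections, put together as an added example (written for this article, not code from ESET, NIST or OWASP): a validator that enforces only the 12-to-64-character window, accepts any printable Unicode including spaces and emoji, and imposes no composition requirements. The space-collapsing rule follows the NIST note above; the rejection of control characters is an assumption of this example, since newlines and NUL bytes add no strength and only break entry and storage.

```python
import re
import unicodedata

MIN_LENGTH = 12   # lower bound stated in the article
MAX_LENGTH = 64   # upper bound stated in the article


def normalize_password(password: str) -> str:
    """Apply NFKC normalization and collapse runs of spaces into one.

    NFKC makes the same visible text compare equal regardless of how the
    client encoded it; collapsing space runs mirrors the NIST handling of
    multiple consecutive spaces described in the article.
    """
    normalized = unicodedata.normalize("NFKC", password)
    return re.sub(r" {2,}", " ", normalized)


def check_password_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable.

    Deliberately no composition rules: letters, digits, symbols, spaces and
    emoji are all equally welcome. Length is counted in Unicode code points
    after normalization, so a single emoji counts as one character.
    """
    problems = []
    candidate = normalize_password(password)
    length = len(candidate)
    if length < MIN_LENGTH:
        problems.append(f"too short: {length} < {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        problems.append(f"too long: {length} > {MAX_LENGTH} characters")
    # Control characters (category Cc: NUL, newline, ...) are rejected;
    # format characters such as the zero-width joiner used inside emoji
    # sequences are left alone so multi-part emoji still work.
    if any(unicodedata.category(ch) == "Cc" for ch in candidate):
        problems.append("contains control characters")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords illustrating the policy.
    for sample in ("Tr0ub4dor&3",                  # short, "complex": rejected
                   "correct horse battery staple",  # long passphrase: accepted
                   "my dog 🐕 eats  pizza on tuesdays"):
        print(repr(sample), "->", check_password_policy(sample) or "OK")
```

The familiar xkcd example “Tr0ub4dor&3” fails purely on length (11 characters), while a four-word passphrase with spaces passes without containing a single digit or symbol.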
Limit password reuse
It’s conventional wisdom now that people should not reuse their passwords across different online accounts, because the breach of one account can easily lead to the compromise of another.
However, old habits die hard, and about half of the respondents in a 2019 Ponemon Institute study admitted to reusing an average of five passwords across their business and/or personal accounts.
Don’t set a “use by” date for passwords
NIST also recommends against requiring routine password changes unless the user requests one or there is evidence of compromise. Users have only so much patience for constantly thinking up new passwords that are strong enough, so forcing them to do it periodically can do more harm than good.
When Microsoft announced the abolition of its password expiration policy three years ago, it called into question the whole idea of password expiration.
“Given that the password is likely to be stolen, what is an acceptable timeframe for continuing to allow thieves to use the stolen password? Windows default is 42 days. Doesn’t that seem like a very long time ago? Yes, it is, but our current baseline says 60 days – and usually says 90 days – forcing expirations that often creates its own set of problems,” read the Microsoft blog.
Keep in mind that this is just general advice. If you secure applications that are critical to your business and attractive to attackers, you can still require your employees to change passwords periodically.
Ditch password hints and knowledge-based authentication
Password hints and knowledge-based verification questions are also out of date. While they can help users recover forgotten passwords, they can also be of great use to attackers. Our colleague Jake Moore has demonstrated several times how “forgot password” pages can be abused to break into other people’s accounts, for example on PayPal and Instagram.
For example, a question like “name of your first pet” can easily be guessed with a little research or social engineering, and there really aren’t that many possibilities for an automated tool to go through.
Blacklist common passwords
Rather than relying on the old composition rules, check each new password against a “blacklist” of the most commonly used and/or previously compromised passwords, and reject any password that matches.
In 2019, Microsoft scanned its user accounts, comparing usernames and passwords against a database of over three billion sets of leaked credentials. It found 44 million users with compromised passwords and forced them to reset.
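An added example of the blacklist check described here (written for this article, not Microsoft’s or OWASP’s code). It goes a step beyond a plain lookup: the earlier section noted that swapping letters for digits and symbols does not make “password” safe, so the check canonicalizes the candidate (case folding, undoing common substitutions, dropping a trailing run of digits and symbols) before comparing it with the list, and also rejects passwords containing the username. The blacklist below is a constructed sample; a real deployment would load a large list of leaked and common passwords.

```python
import re

# Constructed sample blacklist (a handful of well-known weak passwords).
# A real deployment loads a large list of leaked/common passwords.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "admin", "monkey", "dragon", "football", "sunshine", "princess",
}

# Undo the usual letter -> digit/symbol substitutions ("leetspeak").
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "|": "l",
})


def canonical_forms(password: str) -> set:
    """Return the variants of a password that should be looked up.

    Each form is a cheap guess an attacker's wordlist rules would also try:
    lower-cased, de-leeted, and with a trailing "2023!" style suffix removed.
    """
    base = password.casefold()
    stripped = re.sub(r"[\W\d_]+$", "", base)   # drop trailing digits/symbols
    return {base, base.translate(LEET_MAP),
            stripped, stripped.translate(LEET_MAP)}


def blacklist_reason(password: str, username: str = None):
    """Return why the password is rejected, or None if it is acceptable."""
    for form in canonical_forms(password):
        if form in COMMON_PASSWORDS:
            return f"matches common password '{form}'"
    if username:
        user = username.casefold()
        if len(user) >= 3 and user in password.casefold():
            return "contains the username"
    return None


if __name__ == "__main__":
    # Constructed candidates; the first two are "complex" but still guessable.
    for pw, user in (("P4ssw0rd!", "alice"), ("LetMeIn2023!", "bob"),
                     ("jane.doe-rocks-2023", "jane.doe"),
                     ("correct horse battery staple", "carol")):
        print(repr(pw), "->", blacklist_reason(pw, user) or "OK")
```

Note that “P4ssw0rd!” satisfies every classic composition rule (upper, lower, digit, symbol) and is still rejected, which is exactly the point of replacing those rules with a blacklist.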
Provide support for password managers and tools
Make sure that “copy and paste”, browser password tools and external password managers are allowed, so they can handle the complexity of creating and storing passwords for the user.
Users should also be given the option to temporarily view the entire masked password, or the last typed character, as they enter it. According to OWASP guidelines, the idea is to improve the usability of credential entry, particularly for longer passwords, passphrases and password managers.
Set a short shelf life for the initial password
When a new employee’s account is created, the initial password or system-generated activation code must be securely and randomly generated, at least six characters long, and may contain letters and numbers.
Make sure it expires after a short time and cannot be kept as a permanent password.
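An added example of the initial-password rule above (written for this article, not ESET’s or any product’s code): the activation code is drawn from the OS random source, is at least six letters and digits long, can be redeemed only once and only before its expiry, and the comparison is constant-time. The 24-hour lifetime is an assumption of the example; the article only says the code must expire after a while.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits   # letters and numbers
CODE_LENGTH = 6                                   # article's minimum length
LIFETIME = timedelta(hours=24)                    # assumed validity window


def generate_activation_code(length: int = CODE_LENGTH) -> str:
    """Return a code built from a cryptographically secure random source."""
    if length < CODE_LENGTH:
        raise ValueError(f"activation codes must be at least {CODE_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class ActivationCode:
    code: str
    issued_at: datetime
    used: bool = False

    def expires_at(self) -> datetime:
        return self.issued_at + LIFETIME

    def redeem(self, presented: str, now: datetime) -> bool:
        """Accept the code once, before expiry; the caller then forces the
        user to choose a real password, so the code never becomes permanent."""
        if self.used or now >= self.expires_at():
            return False
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if not secrets.compare_digest(presented.encode(), self.code.encode()):
            return False
        self.used = True
        return True


def issue_activation_code(now: datetime = None) -> ActivationCode:
    now = now or datetime.now(timezone.utc)
    return ActivationCode(code=generate_activation_code(), issued_at=now)


if __name__ == "__main__":
    issued = issue_activation_code()
    print("code:", issued.code, "valid until", issued.expires_at().isoformat())
    print("first use:", issued.redeem(issued.code, datetime.now(timezone.utc)))
    print("second use:", issued.redeem(issued.code, datetime.now(timezone.utc)))
```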
Notify users of password changes
When users change their password, they should first be required to enter the old password and, ideally, confirm the change via two-factor authentication (2FA). Once the change is complete, they should receive a notification.
Be careful with your password recovery process
The recovery process must never reveal the current password, and it must not reveal whether the account actually exists either. In other words, don’t hand attackers any (unnecessary) information!
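An added example of a recovery flow that follows this rule (written for this article; the user store, the mail callback and the 30-minute token lifetime are constructed assumptions): the reset endpoint returns the same wording whether or not the address is known, does the same token-generation work on both paths so response timing does not leak account existence, stores only a hash of the token, and lets each token be used once.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed user store; a real system would query its user database.
USERS = {"alice@example.com": {"display_name": "Alice"}}

# token hash -> (email, expiry). Only the hash is kept, so a leaked table
# cannot be replayed against the reset endpoint.
RESET_TOKENS = {}
TOKEN_LIFETIME = timedelta(minutes=30)   # assumed validity window
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_password_reset(email: str, send_mail, now: datetime = None) -> str:
    """Handle a 'forgot password' request without revealing account existence."""
    now = now or datetime.now(timezone.utc)
    email = email.strip().casefold()
    # Generate and hash a token unconditionally so the work done (and hence
    # the response time) is the same whether or not the account exists.
    token = secrets.token_urlsafe(32)
    digest = _token_hash(token)
    if email in USERS:
        RESET_TOKENS[digest] = (email, now + TOKEN_LIFETIME)
        send_mail(email, token)          # the token travels only by e-mail
    return GENERIC_RESPONSE              # identical wording on both paths


def consume_reset_token(token: str, now: datetime = None):
    """Return the e-mail a valid token belongs to, or None. Single use."""
    now = now or datetime.now(timezone.utc)
    entry = RESET_TOKENS.pop(_token_hash(token), None)   # removed even if expired
    if entry is None:
        return None
    email, expires = entry
    return email if now < expires else None


if __name__ == "__main__":
    outbox = []
    mailer = lambda addr, tok: outbox.append((addr, tok))
    print(request_password_reset("alice@example.com", mailer))
    print(request_password_reset("nobody@example.com", mailer))   # same text
    print("mails sent:", len(outbox))
```

The response text is deliberately a constant rather than anything derived from the lookup; the only observable difference between the two cases is the e-mail that the legitimate account holder receives.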
Use CAPTCHA and other anti-automation controls
Use anti-automation controls to counter credential-stuffing, brute-force and account-lockout attacks. These controls include blocking the most commonly breached passwords, soft locks, rate throttling, CAPTCHAs, ever-increasing delays between attempts, IP-address throttling, and risk-based restrictions based on location, first login from a device, recent attempts to unlock the account, or similar.
By current OWASP standards, there should be no more than 100 failed attempts per hour on a single account.
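An added example combining three of the controls listed above (written for this article, not OWASP’s code): a soft lock once an account reaches the 100-failures-per-hour figure quoted from OWASP, an exponentially growing delay between consecutive failures, and a per-source-address limit. The one-second base delay, the 60-second cap and the 1,000-per-hour IP limit are assumptions of the example; the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES_PER_HOUR = 100     # OWASP figure quoted in the article (per account)
MAX_IP_FAILURES_PER_HOUR = 1000 # assumed per-source-address limit
WINDOW = 3600.0                 # one hour, in seconds
BASE_DELAY = 1.0                # assumed: first retry delay, doubles per failure
MAX_DELAY = 60.0                # assumed cap on the growing delay


class LoginThrottle:
    """Tracks failed logins per account and per source IP."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)     # account -> failure timestamps
        self.ip_failures = defaultdict(deque)  # ip -> failure timestamps
        self.streak = defaultdict(int)         # account -> consecutive failures
        self.next_allowed = {}                 # account -> earliest next attempt

    @staticmethod
    def _prune(events: deque, now: float) -> None:
        """Drop timestamps older than the sliding one-hour window."""
        while events and now - events[0] > WINDOW:
            events.popleft()

    def check(self, account: str, ip: str):
        """Return (allowed, reason) for an attempt about to be processed."""
        now = self.clock()
        self._prune(self.failures[account], now)
        self._prune(self.ip_failures[ip], now)
        if len(self.failures[account]) >= MAX_FAILURES_PER_HOUR:
            return False, "account soft-locked: too many failures this hour"
        if len(self.ip_failures[ip]) >= MAX_IP_FAILURES_PER_HOUR:
            return False, "source address throttled"
        wait = self.next_allowed.get(account, 0.0) - now
        if wait > 0:
            return False, f"retry after {wait:.0f}s"
        return True, "ok"

    def record_failure(self, account: str, ip: str) -> None:
        now = self.clock()
        self.failures[account].append(now)
        self.ip_failures[ip].append(now)
        self.streak[account] += 1
        # Exponential back-off: 1s, 2s, 4s, ... capped at MAX_DELAY.
        delay = min(BASE_DELAY * 2 ** (self.streak[account] - 1), MAX_DELAY)
        self.next_allowed[account] = now + delay

    def record_success(self, account: str) -> None:
        """A correct login clears the back-off and the consecutive-failure streak
        but leaves the hourly history, so the soft lock cannot be reset cheaply."""
        self.streak.pop(account, None)
        self.next_allowed.pop(account, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(4):                     # constructed burst of failures
        print(throttle.check("alice", "203.0.113.5"))
        throttle.record_failure("alice", "203.0.113.5")
```

The soft lock and the back-off serve different purposes: the back-off slows an online guessing tool to a crawl from the first failure, while the hourly cap bounds the total number of guesses regardless of timing, and both are applied before any password is compared.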
Do not rely on passwords alone
Regardless of how strong and unique a password is, it remains a single barrier between attackers and your valuable data. For an account that needs to be secure, an additional layer of authentication should be considered an absolute must.
That’s why you should use two-factor (2FA) or multi-factor (MFA) authentication whenever possible.
However, not all 2FA options are created equal. SMS messages, while much better than no 2FA at all, are vulnerable to many threats. More secure alternatives include dedicated hardware tokens and software-based one-time password (OTP) generators, such as an authenticator app installed on a mobile device.
Note: This article is an updated and extended version of the article we published in 2017: No more useless password requirements
You may also want to check out the ESET password generator.