Password policies are often based on a lot of outdated ideas that are insufficient for today's security environment. In this article, we’ll explore the results of our survey of consumer password practices and explain how to improve your organization’s password policy.
A password policy is a set of rules that govern the password parameters used to ensure the security of company data, systems, and devices. There are several elements required for an effective password policy and—in many cases—to maintain compliance with regulations such as PCI DSS (payment card industry data security standard).
However, it’s not enough to simply develop and deploy a password policy. Every company must also document its password policy, make it available to all employees, and incorporate it wherever applicable—such as your acceptable use policy or security awareness training.
As computers have grown more powerful and processing speeds have increased, brute-force attacks (in which a hacker tests endless character combinations until finding the correct password) have become more effective. To protect company data, your password policy needs to require long and complex passwords that are difficult to brute-force.
Random character combinations are far more secure than dictionary words or other meaningful sequences. However, long phrases using a strong mixture of elements can be an effective method of combining password complexity and length (e.g., We_lived0nthe1sland4sixye@rs).
Passwords must include no fewer than eight characters to meet most minimum security standards, including the NIST password guidelines, which serve as guidance for the U.S. government. However, to fortify your systems against rapidly increasing computing power, we recommend a minimum of 12 characters for general business applications and 16 characters for passwords that guard highly sensitive data.
Passwords must include a mixture of uppercase letters, lowercase letters, numbers, and special characters. Each additional character type increases the number of possible password combinations. Consider 24356775, a passcode consisting only of numbers, meaning it pulls from a small pool of 10 characters (0-9).
If you swap out a number for a letter, a4356775, suddenly your pool increases to 36 possible characters (10 numbers + 26 letters). Now, add in a capital letter and a special character, and your pool jumps to around 92. Enabling additional character sets, such as Unicode, enlarges your pool even more.
However, password length and complexity do not rule out easy-to-guess passwords. That’s why organizations must deploy password blacklists that block commonly used and factory-default passwords, all of which are known to competent cybercriminals. It's also best practice to block your company’s name, to avoid passwords such as Company1.
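As an added illustration (not code from the original article), the Python snippet below computes the character pool and brute-force search space from the character classes a password uses, then applies the length, character-mix, blacklist and company-name checks described above. The blacklist entries and the company name passed to the checker are constructed sample values.

```python
import math
import string

# Character pools from the article's worked example: digits only (10),
# digits plus lowercase (36), all four classes (around 92; 94 here because
# string.punctuation holds 32 symbols).
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

# Constructed sample blacklist; a real deployment would load a published
# list of common and factory-default passwords.
BLACKLIST = {"password", "123456", "qwerty", "admin", "welcome1"}


def character_classes(password: str) -> set[str]:
    """Return the names of the character classes present in the password."""
    return {name for name, chars in POOLS.items() if any(c in chars for c in password)}


def pool_size(password: str) -> int:
    """Size of the pool a brute-force attacker must search for this password."""
    return sum(len(POOLS[name]) for name in character_classes(password))


def entropy_bits(password: str) -> float:
    """log2(pool ** length): bits of search space the length and mix provide."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def check_policy(password: str, company: str,
                 min_length: int = 12, min_classes: int = 4) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        violations.append(f"uses fewer than {min_classes} character classes")
    lowered = password.lower()
    if lowered in BLACKLIST:
        violations.append("matches a blacklisted common or default password")
    if company.lower() in lowered:
        violations.append("contains the company name")
    return violations
```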
Pro tip: To remember complex passwords, try using an acronym. Wwa1ebb5tad? = Why would anyone eat banana bread five times a day?
To limit the period of time available to an attacker who has obtained stolen credentials, policies often require users to change their password every 90 days. This is unrealistic and results in a poor user experience. Password aging can be extended to 180 days or longer without a significant security impact (although it is worth noting that some industry regulations may require a set password aging period).
To strengthen aging parameters, your business or organization can also set a password history restriction to prevent users from cycling through familiar passwords. A password history limitation of six previous iterations is usually sufficient.
Your password policy should include a threshold for failed logins—but not be so strict as to unnecessarily harm user experience. Many systems lock an account after only a few attempts, but this is unnecessarily conservative and tends to frustrate users.
At least 10 failed logins should be allowed before locking an account. Additionally, accounts should only be locked temporarily, allowing a user to try again after a set amount of time. This reduces the number of manual password resets for your help desk while mitigating most of the security threats posed by multiple failed login attempts, such as brute-force attacks and denial of service (DoS). If an account is locked repeatedly, an alert should be sent to IT security for investigation.
For merchant websites or those particularly prone to attack, other methods of throttling password login attempts include location limiting, IP blocking, and the use of CAPTCHAs.
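As an added example, not from the original article, this Python tracker implements the lockout rules just described: 10 failed attempts are evaluated before a temporary lock, a correct password is still refused while the lock lasts, and repeated locks raise an alert for IT security. The 15-minute lock duration and the three-lockouts-per-day alert threshold are assumed values, not figures from the article.

```python
from collections import deque
from dataclasses import dataclass, field

FAIL_THRESHOLD = 10          # failed logins evaluated before a lock (the article's minimum)
LOCK_SECONDS = 15 * 60       # assumed temporary lock duration; not a figure from the article
REPEAT_LOCKS_ALERT = 3       # assumed: this many locks within ALERT_WINDOW triggers an alert
ALERT_WINDOW = 24 * 3600


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    lock_times: deque = field(default_factory=deque)   # timestamps of recent locks


class LockoutTracker:
    def __init__(self) -> None:
        self.accounts: dict[str, AccountState] = {}
        self.alerts: list[str] = []   # stands in for paging IT security

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'rejected' (wrong password) or 'locked' (attempt refused)."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"           # refuse even a correct password during the lock
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= FAIL_THRESHOLD:
            # Lock temporarily, reset the counter, and remember when the lock happened
            st.failures = 0
            st.locked_until = now + LOCK_SECONDS
            st.lock_times.append(now)
            while now - st.lock_times[0] > ALERT_WINDOW:
                st.lock_times.popleft()
            if len(st.lock_times) >= REPEAT_LOCKS_ALERT:
                self.alerts.append(f"{user}: {len(st.lock_times)} lockouts within 24h")
        return "rejected"
```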
For a password to have any value, it must be confidential. That means password sharing must be generally prohibited. Any exceptions to this rule must be explained clearly in your business' password policy. Exceptions to password sharing can leave employees vulnerable to social engineering attacks, such as an attacker posing as a help desk representative and asking to use an employee’s password to troubleshoot an application.
Similarly, passwords shouldn't be reused for multiple accounts. In our survey of U.S. consumers, 53% of respondents reported reusing the same password for multiple accounts. This is a fundamentally insecure practice that multiplies the odds of falling victim to a data breach.
One solution to password reuse is password management software. These tools can identify and discourage password reuse while combating employee propensity to write down complex passwords—a move that can open them up to insider attacks. Remarkably, a full third of our survey respondents (34%) admit to writing passwords down on paper.
Password managers allow users to securely store intricate passwords in the cloud without needing to remember—or write down—a thing.
Even the most sophisticated passwords are vulnerable to theft, keyloggers, and numerous other threats. That’s why you should bolster online security by enabling two-factor authentication (2FA) whenever it's offered.
This added layer of security is recommended for all systems that house sensitive data—which is most of them. The most common version of 2FA is a verification code sent to your email. Another popular option is mobile authentication software, which uses personal devices to confirm identities using push notifications, phone callback, and other methods.
Our survey found that 19% of respondents never use two-factor authentication for business applications. That means nearly one out of five people are taking unnecessary risks with company data, which can lead to data breaches, reputation damage, and regulatory fines.
Most common cyber attacks are successful regardless of how well your password policy is crafted. Social engineering and phishing attacks result in passwords walking right out the door. Data breaches leave even the most complex passwords exposed. Keyloggers simply monitor passwords as they’re typed.
Ultimately, passwords alone are no longer capable of properly protecting your company’s interests. In the long term, transitioning away from passwords will be the best security option. Passwordless technologies that combine adaptive risk modeling, hardware keys, and biometric authentication are being developed by numerous vendors.
At this early stage, moving toward passwordless authentication will take significant time and investment, especially for small and midsize businesses. For now, fortify your existing password policy, ensure that 2FA is enabled whenever possible, and keep an eye on emerging passwordless solutions so you’ll know when to make the switch away from passwords altogether.
GetApp Password Survey, January 2020
GetApp conducted this survey in January 2020 among 487 respondents to learn more about consumer password behaviors.
Note: This document, while intended to explain password policy best practices, is in no way intended to provide legal advice or endorse a specific course of action.
Any applications selected in this article are examples to show a feature in context, and are not intended as endorsements or recommendations.