CIS Benchmark Password Policy

With technology constantly evolving, cybersecurity organizations are helping people, businesses, and governments with best practices to protect themselves against emerging threats. The Center for Internet Security (CIS) is one of these advisory groups. The CIS Controls and CIS Benchmarks provide globally recognized best practices for securing IT systems and data. Businesses can use the non-compulsory guidelines to establish a secure baseline configuration. The recommendations are designed to coexist with other mandated compliance requirements, mapping to those outlined by the NIST Cybersecurity Framework, NIST SP 800-53, ISO 27000 series standards, PCI DSS, and HIPAA.

The CIS Benchmarks cover Operating Systems, Server Software, Cloud Providers, Mobile Devices, Network Devices, Desktop Software, and Multi-Function Print Devices. We’re most interested in how the CIS defines its password policies, a topic relevant for all IT admins and account owners. 

CIS Password Policy Guide 

The CIS Password Policy Guide 2020 contains nine key password recommendations for ensuring alignment with its best practices. There are also optional recommendations, which should be implemented after the core recommendations.  

Password length and passphrases 

Password length is the most important determinant of password strength. The password length requirement varies depending on the account in question: 

  • An eight-character minimum is recommended for accounts with multi-factor authentication enabled. 
  • A 14-character minimum is recommended for accounts that leverage passwords, without additional verification measures. 
  • The maximum password length should be as long as possible, and determined by system limitations, as opposed to policy. Passwords exceeding the minimum requirements are encouraged, but not required. 

The recommendations assert that mandating extensive passwords (16+ characters) leads to poor user habits (repeating phrasing patterns, reused passwords, and writing them down). A user who creates a longer password of their own accord is more likely to tread carefully. Accordingly, the CIS recommends that users employ unique phrases as opposed to single words, as they are more memorable. 

Password composition and complexity 

Best practices hold that mixing lowercase letters, uppercase letters, and special or numeric characters cannot be a security crutch. While helpful in some cases, composition rules follow no common standard between systems. This can lead to confusion, password reuse, or predictable password composition.

Password-only accounts should allow any character to be included (per the user’s preference) and include a number or special character. This character shouldn’t be in a predictable location along the password string. Accounts with multi-factor authentication should allow any character without unique complexity requirements.  

Password expiration 

Similar to the NIST Password Guidance, the CIS believes that periodic password changes are more harmful than beneficial. They offer no containment benefits and enforce bad habits—since they encourage users to choose variants of older passwords. In an effort to scale back, the CIS now recommends an annual password reset. Users inevitably share credentials between accounts, and this measure causes minimal burden. 

Admins should also enforce changes when a password is compromised, the user role has changed, or the user leaves the organization.

Password banning and lists 

To prevent brute-force attacks, organizations should continuously check all passwords against a bad, banned, or breached password list. This list should be maintained and updated daily with new information, supplied either firsthand or through third-party tools. These lists might include breached passwords, dictionary words, repetitive sequences, company-specific terms, old passwords, and PII. 

Additionally, these checks should occur immediately during creation. The CIS points admins towards Azure Active Directory Password Protection and the NIST Bad Password Check API. 

The following measures should also be implemented: 

  • Deny lists that account for the top 20+ used bad passwords 
  • Disallow the usage of one’s previous five passwords 
  • Prevent rapid password changes by enforcing a 24-hour delay, at minimum 
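The length, composition, deny-list, history and minimum-age rules above can be combined into a single check that runs when a password is created. The following is an added example, not code from the CIS guide or from Specops; the deny list is a constructed sample, and the function names and the "start or end only" test for predictable placement are assumptions made for illustration.

```python
import hashlib
import hmac
import string
from datetime import datetime, timedelta

# Constructed sample deny list; a production list is refreshed daily.
DENY_LIST = {"password", "123456", "qwerty", "letmein", "passwordpassword"}
MIN_AGE = timedelta(hours=24)   # minimum delay between password changes
HISTORY_DEPTH = 5               # previous passwords that may not be reused
EDGE_CHARS = string.digits + string.punctuation


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest, so the history never holds plain-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(candidate, *, mfa_enabled, history=(), last_changed=None, now=None):
    """Return the list of policy violations; an empty list means accepted.

    history is a sequence of (salt, digest) pairs, oldest first.
    """
    now = now or datetime.now()
    problems = []
    min_len = 8 if mfa_enabled else 14
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not mfa_enabled:
        # Password-only accounts: require a number or special character
        # (any non-letter counts here), and not only at the start or end.
        if candidate.isalpha():
            problems.append("needs a number or special character")
        elif candidate.strip(EDGE_CHARS).isalpha():
            problems.append("number or special character only at the start or end")
    if candidate.lower() in DENY_LIST:
        problems.append("on the deny list")
    recent = list(history)[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(hash_pw(candidate, s), d) for s, d in recent):
        problems.append("matches one of the previous five passwords")
    if last_changed is not None and now - last_changed < MIN_AGE:
        problems.append("changed less than 24 hours ago")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2024", "blue heron 7 walks slowly"):
        print(repr(pw), check_password(pw, mfa_enabled=False))
```
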

Session lock when idle 

The CIS strongly believes that no value exists in a session that is inactive for a prolonged period. Admins should set all user sessions to terminate (or log out) after 15 minutes of inactivity. Longer periods without input could allow bad actors to gain control of an account. 

Limiting failed login attempts (and enforcing lockouts) 

Hackers with stolen password hashes, or plain-text passwords obtained via other means, will try these passwords out on target systems. Limits on failed login attempts, together with lockouts, can prevent a breakthrough. Attackers who fail after a certain number of attempts should be progressively forced to wait longer periods before trying again. Eventually, administrative intervention will be required to overturn a permanent lockout.
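A sketch of the progressive lockout described above, as an added example that is not taken from the CIS guide or from Specops. The thresholds and function names are assumptions, since the page gives no specific numbers; each failure returns an event name that a logging or alerting pipeline can act on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds; the guidance summarized here gives no numbers.
LOCK_THRESHOLD = 5                  # failure count at which delays begin
BASE_DELAY = timedelta(minutes=1)   # first delay, doubled on each later failure
PERMANENT_AFTER = 10                # failure count that requires an admin unlock


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    permanent: bool = False


def may_attempt(state: LockoutState, now: datetime) -> bool:
    """True if a login attempt may be evaluated at all right now."""
    if state.permanent:
        return False
    return state.locked_until is None or now >= state.locked_until


def record_failure(state: LockoutState, now: datetime) -> str:
    """Register a failed login and return the event to log or alert on."""
    state.failures += 1
    if state.failures >= PERMANENT_AFTER:
        state.permanent = True
        return "permanent_lockout"      # needs administrative intervention
    over = state.failures - LOCK_THRESHOLD
    if over >= 0:
        # Wait doubles with every further failure: 1, 2, 4, 8, 16 minutes.
        state.locked_until = now + BASE_DELAY * (2 ** over)
        return "temporary_lockout"
    return "failed_login"


def record_success(state: LockoutState) -> None:
    """A successful login clears the counter; it never lifts a permanent lock."""
    if not state.permanent:
        state.failures, state.locked_until = 0, None


def admin_unlock(state: LockoutState) -> None:
    """Only an administrator action overturns a permanent lockout."""
    state.failures, state.locked_until, state.permanent = 0, None, False
```
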

Failed login attempt monitoring and alerting 

This is meant as both a continuous and retrospective measure. Admins should track user login activity, which will allow them to assess trends over a given period. Having data to comb through makes it easy to spot anomalies, thus encouraging targeted action and issue remediation with all accounts. 

The CIS suggests that all failed login attempts are recorded. Temporary and permanent lockouts alike should alert admins, so attempted attacks don’t fly under the radar. This allows for timely responses. Be sure to monitor logins at unexpected times or from unfamiliar locations where employees (or devices) don’t reside. Lastly, tracking activity associated with “honeypot accounts” can tell us when attackers are on the move. 

Aside from the aforementioned password policies, this is hailed as the most successful provision in preventing unauthorized access. On the flip side, admins should suspend accounts after a 45-day period of non-use. This prevents employees who have moved on from accessing important resources once their relationship with the company ends. It’s also useful during furlough periods. Note that these suspensions are reversible. Legitimate employees can contact IT and provide justification for such reversals.

Password Hints 

Password hints aren’t recommended in any capacity by the CIS. There’s no way of knowing if users will use hints that reveal too much personal or obvious information. Instead, users (with the encouragement of IT) should opt for memorable passphrases. 

Optional password recommendations 

The CIS views these guidelines as supplementary. They are company or environment specific, and offer teams advice on implementing measures commonly seen throughout various login systems. 

Password strength indicators 

Password strength indicators can accomplish some key things. First, motivated users tend to create more secure passwords in accordance with meaningful feedback. The process becomes less frustrating. While not critical, this feature also pairs well with banned password list-governed systems. 

Password display 

This guideline is partly motivated by security and accessibility requirements. Users have an easier time with displayed characters (as they create a password, not after entry) than they do with blind confirmation fields. Fewer typing errors occur as a result. 

Additionally, password fields should temporarily reveal each character to the user as it’s typed. This allows for easier confirmation on devices with small screens. 

Handling password managers 

Approved password managers are powerful tools in account security. These facilitate the creation of lengthy, complex passwords that cannot be reused between different accounts. The manager remembers these passwords for the user. Additionally, a master password or some form of biometric security layer lets users log in. Passwords aren’t stored as plain text or written down, a massive advantage.

Accordingly, copying and pasting passwords from password managers within applications or websites is convenient. Password managers are user friendly and encourage better habits. 

Better password policies with Specops 

Admins thankfully have plenty of help from Specops when defining and enforcing new password policies. To begin, the free Specops Password Auditor tool streamlines reporting, auditing, and compliance across your entire environment. Expired, identical, blank, and even breached passwords will no longer go unnoticed.  

Additionally, Specops Password Policy builds upon this aforementioned functionality. Password dictionary integration and Breached Password Protection offer daily scans against newly discovered compromised passwords to prevent and block their usage. Specops Password Policy also prevents the use of common character placements, or patterns, which lead to successful attacks.  

(Last updated on February 23, 2024)

Written by

Tyler Charboneau

Tyler is a professional content writer with unabashed enthusiasm for technology—and a love for making the complex appear simple. He has a deep interest in software, hardware, and what makes complicated systems ‘tick.’ His pursuits include writing for multiple, online engineering and tech publications, including Adam the Automator. Content partners include All About Circuits, Autodesk, Nordic APIs, and others. Tyler has produced client works for nearly three years.