The do’s and don’ts of passwords

(Last updated on February 5, 2020)

And the saga continues. Every month it seems, there is a new hacking scandal being publicized. Whether it’s a massive password leak or an email server being hacked, this type of news coverage almost seems to be on a continuous loop.

Since many of these attacks stem from an exploited password weakness, it makes sense that organizations like Microsoft and standards bodies such as the National Institute of Standards and Technology (NIST) in the U.S. and the National Cyber Security Center (NCSC), formerly known as the CESG, in the UK have put out new password recommendations and requirements.

The theme shared by all of them is that systems, not users, should bear the security burden. They therefore focus on simplifying things for end-users, but some of the resulting recommendations can actually introduce vulnerabilities.

Remove length and complexity

Both Microsoft and the NCSC believe that longer and more complex passwords are not necessarily stronger. Microsoft reasons that such passwords do NOT defend against common attacks like phishing or keylogging, and that they create an unnecessary burden for end-users which can lead to bad password behavior. The NCSC agrees and recommends system controls like lockout and throttling over enforcing password length.

Less complex passwords are easier to crack and more susceptible to brute-force attacks. NIST actually promotes the use of longer passwords, and the Payment Card Industry Data Security Standard (PCI DSS) requires both password complexity and length. As such, applying these recommendations can leave an organization non-compliant.

Organizations have different user constituencies, and different users and groups should be treated with different security approaches. For example, privileged accounts should have as many safety nets as possible.

Remove expiry

Microsoft recommends getting rid of forced password changes. NIST and the NCSC also recommend eliminating forced changes and requiring a password change only when a compromise is suspected.

IT departments do not know when breaches occur; often they find out by accident or when a list is actually made public. Having password expiry in place limits the exposure. So rather than eliminating it, IT departments should take a practical approach that takes the password policy into account.

If complex passwords are in place, expiry should be forced less frequently, and for privileged accounts changes should be forced more frequently. For organizations regulated by PCI there is no wiggle room: they are required to force expiry every 90 days.

Segmentation is king

With so many players questioning traditional best practices, it makes sense that IT departments find this kind of simplifying recommendation appealing. However, password security should never be generalized.
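The segmented approach argued for above, as an added example (not code from this post or from any of the vendors or standards bodies it mentions): one policy per user constituency, with the PCI tier pinned to the 90-day expiry the standard requires and a compromise flag that forces a reset regardless of age. The tier names and the other numbers are assumptions chosen for illustration.

```python
"""Segmented password policy check: one policy per user constituency."""
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class Policy:
    min_length: int
    require_complexity: bool  # upper, lower, digit and symbol all present
    max_age_days: int         # forced expiry interval


# Constructed sample tiers. Only the PCI figures (complexity plus 90-day
# expiry) come from the standard; the other values are assumptions.
POLICIES = {
    "standard":   Policy(min_length=12, require_complexity=False, max_age_days=365),
    "privileged": Policy(min_length=16, require_complexity=True,  max_age_days=60),
    "pci":        Policy(min_length=8,  require_complexity=True,  max_age_days=90),
}


def has_complexity(pw):
    """True when every character class (upper, lower, digit, symbol) appears."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return all(any(c in cls for c in pw) for cls in classes)


def check_password(group, pw, last_changed, today, compromise_suspected=False):
    """Return the list of policy violations for this group (empty = compliant)."""
    policy = POLICIES[group]
    findings = []
    if len(pw) < policy.min_length:
        findings.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity and not has_complexity(pw):
        findings.append("missing upper/lower/digit/symbol mix")
    age = (today - last_changed).days
    if age > policy.max_age_days:
        findings.append(f"age {age}d exceeds {policy.max_age_days}d expiry")
    # Every tier resets on suspected compromise, the one case all the
    # guidance agrees on.
    if compromise_suspected:
        findings.append("reset required: compromise suspected")
    return findings
```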
