Password Policies: A How-To

24. Oct 2022

A strong password for user, administrative, and service accounts is the first line of defence against compromise of those accounts. Making sure the organisational password policy is adequate is an essential step in protecting an organisation’s business-critical data. Over the years, however, as computational power has increased, the recommendations for how passwords should be chosen and managed have changed, and different governing bodies have provided different recommendations.

One of the most common issues with passwords is their reuse across multiple services and platforms. Should one of those services be compromised and its user credentials leaked, accounts on other platforms that use the same password become trivial for an attacker to access: the leaked username and password pair is simply replayed against each platform in turn (credential stuffing). Large compilations of leaked usernames and passwords have been built up over the years as new breaches occur, and are frequently used by attackers to gain an initial foothold in organisational environments.

Another commonly seen issue that often leads to the compromise of organisational data is the use of common passwords. Whilst easy to remember, passwords such as ‘Password1!’ or ‘Winter2022’ are frequently chosen, and they are exactly what password spraying attacks rely on: a single common password is attempted once against many accounts, so no individual account reaches the threshold at which ‘lockout’ functionality would trigger after a number of wrong attempts. Forcing users to rotate their passwords regularly encourages this type of password, because of the frustration of having to remember a new, complex password every 3 months.
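The spraying pattern described above has a recognisable shape in authentication logs: one source producing a small number of failures against many different accounts, rather than many failures against one. The following is an added example (not code from the original post) that looks for that shape over a constructed, simplified log format; the thresholds, the log format and the sample IP addresses are all assumptions.

```python
"""Detect password-spraying patterns in authentication failure logs.

Added example (not from the original post). The log format below is a
constructed, simplified one: "<timestamp> <FAIL|OK> user=<name> src=<ip>".
Real sources (Windows event 4625, Azure AD sign-in logs, Linux auth.log)
look different, but the signal is the same: one source touching many
distinct accounts with only one or two failures each, which is exactly
what keeps a spray under per-account lockout thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 sprays one guess across six accounts
# and gets in as frank; 198.51.100.7 is one user mistyping their password.
SAMPLE_LOG = """\
2022-10-24T09:00:01 FAIL user=alice src=203.0.113.5
2022-10-24T09:00:03 FAIL user=bob src=203.0.113.5
2022-10-24T09:00:05 FAIL user=carol src=203.0.113.5
2022-10-24T09:00:07 FAIL user=dave src=203.0.113.5
2022-10-24T09:00:09 FAIL user=erin src=203.0.113.5
2022-10-24T09:00:11 OK   user=frank src=203.0.113.5
2022-10-24T09:05:00 FAIL user=grace src=198.51.100.7
2022-10-24T09:05:04 FAIL user=grace src=198.51.100.7
2022-10-24T09:05:09 OK   user=grace src=198.51.100.7
"""


def parse(line):
    """Split one constructed log line into (timestamp, success, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result == "OK",
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def _events(log_text):
    return sorted(parse(l) for l in log_text.splitlines() if l.strip())


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5,
                 max_per_account=2):
    """Return {src: sorted targeted accounts} for every source that, within
    `window`, failed against at least `min_accounts` distinct accounts while
    never exceeding `max_per_account` failures on any single account.
    The thresholds are assumptions; tune them to your lockout policy."""
    by_src = defaultdict(list)
    for ts, ok, user, src in _events(log_text):
        if not ok:
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):            # sliding time window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged[src] = sorted(per_user)
                break
    return flagged


def successes_from(log_text, sources):
    """Accounts that logged in successfully from a flagged source: the
    spray worked and those accounts need a reset and session revocation."""
    return sorted({user for ts, ok, user, src in _events(log_text)
                   if ok and src in sources})


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_LOG)
    print("spray sources:", sprays)
    print("accounts to reset:", successes_from(SAMPLE_LOG, sprays))
```

The second function is the part that matters operationally: a spray that is only detected is a nuisance, a spray that produced a successful login is an incident, and the account that accepted the common password is the one to reset first.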

So, what is the recommended guidance for how password policies should be managed? One leading body providing such guidance is the National Cyber Security Centre (NCSC). NCSC recommend that reliance on passwords to secure organisational data is minimised through the use of mechanisms such as multi-factor authentication (MFA) and single sign-on (SSO). They also recommend technical controls such as locking out accounts after multiple failed authentication attempts and monitoring for suspicious account activity. Examples include login attempts that pass the password check but fail the MFA step (a sign that the password itself is already known to the attacker), authentication attempts from unusual geographical locations, and user reports of unusual account behaviour, such as unexpected account lockouts. Implementing a password deny list that compares new passwords against a list of commonly used passwords also helps to prevent trivially guessed passwords from being set.
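A deny list is only as good as its matching: an exact comparison rejects ‘password’ but accepts ‘Password1!’, ‘P@ssw0rd’ and ‘Winter2022’, all of which also satisfy typical complexity rules. The following is an added example (not code from the original post or NCSC) of a deny-list check that normalises the candidate first; the deny list, the organisation terms and the substitution table are constructed samples, and the normalisation is a heuristic aimed at the common ‘word + year + punctuation’ pattern rather than a complete solution.

```python
"""Password deny-list check with normalisation.

Added example (not from the original post). An exact-match deny list
rejects "password" but lets "Password1!", "P@ssw0rd" and "Winter2022"
through, and each of those also satisfies typical complexity rules.
Normalising the candidate before the lookup rejects the whole family of
trivial variants. The deny list and organisation terms are small
constructed samples; a real deployment loads a large breached-password
list and the organisation's own name, products and locations.
"""
import re

DENY_LIST = {"password", "welcome", "letmein", "qwerty", "changeme",
             "summer", "autumn", "winter", "spring", "monday", "admin"}
ORG_TERMS = {"examplecorp", "excorp"}   # assumed organisation-specific words

# Common substitutions users apply to get past complexity rules.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password):
    """Lower-case, strip leading/trailing digits and punctuation (the
    "2022" and "1!" suffixes), then undo substitutions, so that
    "Winter2022!" -> "winter" and "P@ssw0rd1" -> "password"."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET)


def check_password(password, deny_list=DENY_LIST, org_terms=ORG_TERMS):
    """Return (allowed, reason). The reason is what the user should be
    told so they understand why the variant was refused."""
    norm = normalise(password)
    if not norm:
        return False, "password contains no letters"
    if norm in deny_list:
        return False, f"too close to the commonly used password '{norm}'"
    for term in sorted(org_terms):
        if term in norm:
            return False, f"contains the organisation term '{term}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Password1!", "P@ssw0rd", "Winter2022", "ExampleCorp2022!",
                      "2022!!", "correct-horse-battery-staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

The check runs at password-set time, before the hash is stored; it says nothing about the rest of the policy (length, MFA, lockout), which the surrounding guidance covers.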

Furthermore, they recommend that users should not be forced to change their passwords regularly, as this leads to ‘password overload’ and to users creating insecure passwords. The use of password managers or alternative secure storage solutions is also recommended, as this allows users to create suitably secure, unique passwords for any number of services and platforms without the need to remember them: the only password they must remember is the one for the password manager itself.

Users should also be trained in how to create and manage secure passwords that are easy for them to remember. One popular method is ‘three random words’, whereby three words are chosen at random and joined to create a password. This is an ideal method for securing standard user accounts as it creates ‘secure enough’ passwords whilst remaining simple for the user, avoiding the common coping mechanisms (predictable patterns and reuse) associated with enforcing traditional-style complexity rules.
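The strength of a three-word passphrase comes from how many words the choice is drawn from and from the choice actually being random, not from the words themselves. The following is an added example (not code from the original post or NCSC) that generates such passphrases with the operating system’s CSPRNG and puts a number on their strength; the 32-word list is a constructed sample, and the 7776-word and 94-character figures used for comparison are assumed list and alphabet sizes.

```python
"""'Three random words' passphrases and a strength estimate.

Added example (not from the original post). Words are chosen with the
`secrets` module (the OS CSPRNG) rather than `random`, because a
passphrase is only as strong as the unpredictability of the choice. The
word list is a constructed 32-word sample; a real deployment uses a list
of several thousand common words, and the strength scales with list size.
"""
import math
import secrets

# Constructed sample list. Real lists (thousands of words) are what make
# three words 'secure enough'; with 32 words three picks give only 15 bits.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "violin", "walnut", "yellow",
    "zebra", "anchor", "basket", "copper", "dinner", "falcon", "glider", "harbour",
]


def three_random_words(wordlist=SAMPLE_WORDS, count=3, separator="-"):
    """Pick `count` words uniformly and independently (with replacement),
    joined by `separator` so word boundaries survive in systems that
    disallow spaces."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist has duplicates; choices would be biased")
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_bits(wordlist_size, count=3):
    """Entropy of `count` uniform picks from `wordlist_size` words:
    log2(size ** count). This assumes the generator chose the words; a
    user picking three words 'at random' from their head gets less."""
    return count * math.log2(wordlist_size)


def random_password_bits(length, charset_size):
    """Comparison point: a machine-generated password of `length` symbols
    drawn uniformly from a `charset_size`-symbol alphabet."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    print("example passphrase:", three_random_words())
    print(f"3 words from 7776:      {passphrase_bits(7776):.1f} bits")
    print(f"3 words from 32:        {passphrase_bits(32):.1f} bits")
    print(f"8 random chars from 94: {random_password_bits(8, 94):.1f} bits")
```

The comparison is deliberately between two machine-generated secrets: a truly random 8-character password scores higher on paper, but users do not produce random 8-character passwords, they produce ‘Winter2022’, which is why the memorable three-word form is the one that holds up in practice.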