Strong Password Policy Requirements Protect Data, Systems
It remains a critical and ever-evolving challenge to protect your organization’s data and operations from destructive forces such as unauthorized users, cyberattacks, and data breaches. The first level of security from such attacks is the implementation of strong password policies as a line of defense for an organization’s data security.
Balancing risk and user-friendliness is challenging. “When an employee has so many complex passwords to remember that they keep them on a sticky note attached to their computer screen, that could be a sign that your organization needs a wiser policy for passwords,” per NIST.gov.
- “55% of people rely on their memory to manage passwords,” reported helpnetsecurity.com. Memory is a fickle tool. Recognizing this, many people keep hard-copy lists of their passwords, usually on their desks.
- Composition rules are commonly used in an attempt to increase the difficulty of guessing user-chosen passwords. Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.
- Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.
Tips for Strong Password Management
Effective Password Management goes beyond password strength. In the United States, we typically follow the NIST Guidelines. AAFCPAs provides below a summary of NIST 2021 password recommendations (NIST Special Publication 800-638 Digital Identity Guidelines) to help clients enhance their cyber security posture as it relates to password management.
- Password length is more important than password complexity. We advise clients to encourage the use of passphrases and set the maximum password field length at 20-64 characters.
- Utilizing symbols and characters in phrases as opposed to all letters. For example use the (;-) ) wink symbol in the phrase “Winking at me” instead of all letters.
- Do not enforce regular password resets. Humans follow predictable patterns. NIST recommends that password resets should only be performed if a compromise is suspected.
- Screen all new passwords against lists of commonly used and compromised passwords
- Allow pasting of passwords and the option to show password while typing. The ease these features create helps avoid user frustration and likelihood of weak passwords.
- Limit the number of failed password attempts before account lockout. Users should be locked out of their accounts after 3 or 5 failed password attempts, which can protect against brute force attacks.
- Implement 2-factor authentication. 2FA is essential to network and web security because it immediately neutralizes the risks associated with compromised passwords.
- Salt and hash passwords. The NIST password recommendations now include a requirement to salt passwords with at least 32 characters and to ensure they are hashed with a one-way key derivation function.
- Educate users about password threats and how they should respond.
AAFCPAs provides Information Risk Management & Cybersecurity solutions, including System and Organization Controls (SOC) Attestations, IT Risk Assessments, and Vulnerability Management as a Service (VMaaS). These solutions include assessments of risks related to password policies. Our IT Security Professionals advise clients to defining strong password policy requirements and selecting centralized and local password management solutions. We also advise clients on threat mitigation strategies, including secure storage and transmission of passwords, user awareness activities, and secure password recovery and reset mechanisms.