Your Password Policy Should Challenge Hackers, Not Your Users

Posted July 23, 2019 by Sayers 

Any time a human is involved, the potential for weakened security increases.  Password policies are necessary for cybersecurity compliance; however, burdensome password policies can result in bad user behavior like password transformation.

REMEMBER WHEN – IBM’s 2014 Cyber Security Intelligence Index reported that human error was a contributing factor in 95% of the security incidents it investigated?

A transformation happens when a user increments a number, changes a letter to a similar-looking symbol, adds or deletes a special character, or switches the order of characters. These are exactly the manipulations that the rule engines in password-cracking tools such as hashcat and John the Ripper enumerate, so a transformed version of a weak password is cracked almost as quickly as the original.

Organizations can better secure their data, systems and environment by following these simple recommendations below.

THE DO’S: 

SIZE MATTERS 

  • The current NIST guidelines (SP 800-63B) require a minimum of 8 characters for user-chosen passwords. Better yet, NIST says you should allow a maximum length of at least 64, with each Unicode code point counted as one character and spaces permitted, so that users who want a long passphrase can have one.

USE OF A BAN DICTIONARY

  • Check new passwords against a dictionary of known-bad choices. Well-known and simple passwords are susceptible to brute-force and dictionary attacks. You don’t want to let people use Password, Pa$$word, admin, 123456, and so on. NIST also calls for rejecting passwords that appear in breach corpora, repetitive or sequential strings (aaaaaaaa, 1234abcd), and context-specific words such as the username or the name of the service. More research needs to be done into the best size of the banned password dictionary.

ALLOW PASTING 

  • This allows the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger passwords.

USER ABILITY TO RESET PASSWORD

  • Provide a self-service mechanism so that users can reset a forgotten password themselves, unless you want to be tied to your email client or phone all day. Note that this is a reset, not a recovery: a system should never be able to hand a user back an existing password, because that would mean the password is stored in a reversible form rather than hashed.
THE DON’TS:

NO COMPOSITION RULES

  • Do not force the use of particular characters or combinations (e.g. “Your password must contain one number, one lowercase letter, one uppercase letter, and four symbols but not ‘&%#@_’”). Composition rules push users toward predictable patterns (a capital first letter, a digit and a symbol at the end) that cracking tools already model, and they drive the transformations described above. Complexity should be neither mandated nor rejected: accept every printable character, including spaces and non-ASCII letters, so that long passphrases and password-manager output are always valid.
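The following is an added example and is not code from the original post or from Sayers. It is a Python acceptance check that applies the Do's and Don'ts above: an 8 to 64 character window (counting Unicode code points after NFKC normalization), a banned-word list, a check for the username or service name inside the password, rejection of repeated or sequential strings, and no composition rules at all. The canonical() helper undoes the user transformations described earlier (digits and symbols bolted onto the ends, look-alike substitutions) so that Pa$$w0rd2019! is recognised as the banned word password. The ban list, the substitution table and the sample inputs are constructed for the example; a real deployment would load a large breach-derived list instead.

```python
import unicodedata

MIN_LEN, MAX_LEN = 8, 64

# Constructed ban list for the example. A deployment loads a large
# breach-derived list (and can add the service's own name and products).
BANNED = {"password", "admin", "123456", "qwerty", "letmein", "welcome", "summer"}

# Look-alike substitutions users make when "transforming" a banned word:
# @->a, $->s, 0->o, !->i, 1->i, 3->e, 4->a, 5->s, 7->t
LEET = str.maketrans("@$0!13457", "asoiieast")

# Characters users bolt onto the start or end of a base word.
EDGE = "0123456789!@#$%^&*()-_=+[]{};:'\",.<>/?`~ "


def canonical(pw: str) -> str:
    """Reduce a candidate to the word the user probably started from.

    Normalise, case-fold, strip digits and symbols from both ends, then
    reverse look-alike substitutions.  'Pa$$w0rd2019!' -> 'password'.
    These are the same reductions a cracking rule set applies in reverse.
    """
    s = unicodedata.normalize("NFKC", pw).casefold()
    s = s.strip(EDGE)
    return s.translate(LEET)


def check_password(pw: str, username: str = "", service: str = "") -> tuple:
    """Return (accepted, reason).

    There are deliberately no composition rules: any printable character,
    including spaces and non-ASCII letters, is allowed.
    """
    norm = unicodedata.normalize("NFKC", pw)
    n = len(norm)  # code points: an accented letter or emoji counts once
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN})"

    raw = norm.casefold()
    forms = {raw, canonical(norm)}
    if forms & BANNED:
        return False, "matches a banned password (possibly after a transformation)"

    # Context-specific words: the account name and the service name.
    for ctx in (username, service):
        c = ctx.casefold()
        if c and any(c in f for f in forms):
            return False, "contains the username or service name"

    # Repetitive or sequential strings such as 'aaaaaaaa' or 'abcdefgh'.
    if len(set(raw)) == 1:
        return False, "single repeated character"
    if all(ord(b) - ord(a) == 1 for a, b in zip(raw, raw[1:])):
        return False, "sequential characters"

    return True, "ok"


def demo() -> None:
    # Constructed sample inputs; the username and service name are made up.
    cases = [
        ("Pa$$w0rd2019!", "transformation of the banned word 'password'"),
        ("Summer2019!", "transformation of the banned word 'summer'"),
        ("123456", "banned and too short"),
        ("jsmith-2019", "contains the username"),
        ("correct horse battery staple", "passphrase with spaces, no symbols"),
        ("Tr0ub4dor&3", "eleven characters, not a banned word"),
    ]
    for pw, note in cases:
        ok, why = check_password(pw, username="jsmith", service="sayers")
        print(f"{'ACCEPT' if ok else 'REJECT'}  {pw!r:32} {why}  [{note}]")


if __name__ == "__main__":
    demo()
```

Running demo() prints a verdict for each constructed case. The check rejects Summer2019! and Pa$$w0rd2019! even though both would satisfy a typical "one upper, one digit, one symbol" rule, while it accepts a four-word passphrase with spaces and no symbols at all; that is the practical effect of replacing composition rules with a ban list and a generous length limit.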

NO PASSWORD HINTS

  • Just say no. It’s not a good idea. Ask Adobe: in its 2013 breach the stolen database held password hints in plaintext next to passwords that had been encrypted with a block cipher in ECB mode rather than hashed, so identical passwords produced identical ciphertext. Grouping accounts by ciphertext and reading their hints recovered the passwords of whole groups of users at once.

NO KNOWLEDGE-BASED AUTHENTICATION (KBA):

  • KBA is when a site says “Pick from a list of questions: Favorite vacation destination? Where did you attend high school? Your dog’s name?”. Data breaches and the proliferation of social media have weakened this option: the answers are often public, rarely change, and are reused across every site that asks the same questions.

NO MORE EXPIRATION WITHOUT REASON:

  • Do not force users to change passwords on a schedule. NIST SP 800-63B says verifiers should not require periodic changes, but should force a change when there is a reason, such as evidence that the password has been compromised. Scheduled expiration is the main driver of the transformations described above: Summer2019! becomes Summer2020!, which any cracking rule set predicts.

Sayers suggests leveraging a policy that follows most if not all of these recommendations. Two-factor authentication is strongly encouraged because a guessed, phished or leaked password alone is then not enough for a successful attack. Let us help you in the creation and/or modification of a password policy that is flexible, provides additional protection and fosters acceptance from your user community.
