Password Policy Requirements
Update: NIST Password Complexity Guidelines have changed; read more here.
Introduction
Emmert Wolf once wrote “A man is only as good as the tools he uses”, and it rings true to this very day. However, I’d like to flip the script and say: “A tool is only as good/useful as the man using it”. Have you ever found yourself having to fix something in your house, having all the tools necessary at your disposal, but ending up phoning your dad, uncle, or friend to explain the right process & approach?
I think we all have.
What this ultimately means is that it doesn’t matter how much the tool/software costs you or even how many functions and features the tool has to offer you, you just won’t get the most out of it if you’re not educated in what you’re working with. It’s more about the user having the right insight, skill, and education being put to use than the abilities and functionalities of the tool.
We often hear from our customers that MyPass falls into this category. MyPass SSPR is an incredibly powerful piece of software that has the potential to ease the user’s working environment and experience, but even more so when the users are well-educated in its functionality. Our goal is that with these blogs & resources made available to you on our MyPass site, you’d easily achieve the results you seek in your company.
Isn’t The Password Generation Dying Out?
A passwordless future is one of the highest trending topics in password security at the moment. Many leading companies such as Microsoft, Apple, and Google have introduced their versions of a passwordless model, but adoption has been extremely slow since the idea was first announced in 2004. There are many challenges and issues around a passwordless future, and they are why passwords aren’t dead yet. To read up more on this and what MyPass has to say, visit our article “The Future of Going Passwordless“.
Why a Strong Password Policy Is Required
Look, we’re not trying to place fear in you or challenge your password-changing routine. But research & studies have shown how hackers have found quicker and easier ways to gain access to poorly managed accounts. Requiring users to change their passwords periodically will minimize the likelihood that a compromised password stays usable or that an attack succeeds. Here are more reasons for having a good password policy:
Preventing Secretive Access
It’s not always obvious when someone has access to your account. Hackers occasionally gain access, either to monitor vital information or steal data over time. By changing your password consistently, you’re reducing the risk of people having frequent access to your accounts.
Limiting Guesswork
By using the same password for long durations, you increase the risk of someone potentially guessing your password correctly. Whether it’s someone who has physically watched you type in your password a number of times or someone repeatedly trying to guess it, the longer you keep the same password, the higher the chances of someone finding out what it is. Applying strict password policies will prevent your end-users from using short, easy-to-guess words or phrases.
Saved Password Abuse Protection
Handing devices over to other people or disposing of old computers without reformatting the hard drive can be dangerous. It’s possible that anyone who uses your old device/computer can gain access to your previously saved passwords. Consistently changing your passwords will mean that even if someone has found old passwords on an unformatted device, they will no longer be relevant or useful to them.
These are only some of the reasons MyPass encourages a regular password change policy to be implemented in your company.
Common Approaches With Substandard Results
The key to a good password policy is to first examine common and previously used approaches and their negative impacts.
Requiring Password Changes Too Regularly
Update: NIST Password Complexity Guidelines have changed; read more here.
Users who change their passwords frequently end up taking shortcuts, and in the process unintentionally make their passwords weaker and more easily hackable.
Long Passwords
Password length requirements that force users to have a 12-16 character password may lead to predictable and undesirable results. For example, repeating patterns like “June18June18” or “passwordpassword” might meet the character length requirement, but aren’t hard to guess. Other bad practices are also adopted, such as users writing their passwords down, re-using them, or storing them unencrypted in their documents or notes.
The Use of Multiple Character Sets
Update: NIST Password Complexity Guidelines have changed; read more here.
Password complexity requirements, which require users to use different character types, reduce the effective key space and cause users to act in predictable ways. Many systems or companies enforce some level of password complexity requirements. For example, passwords need characters from all three of the following categories:
- Uppercase characters
- Lowercase characters
- Non-alphanumeric characters
The issue is that people tend to use similar patterns, for example a capital letter in the first position, a symbol in the last, and a number in the last two positions. Cybercriminals are aware of this and run their dictionary attacks using the most common substitutions: “$” for “s”, “@” for “a”, and “1” for “l”. Some complexity requirements even prevent users from using secure and memorable passwords and force them into coming up with less secure and less memorable ones. This ultimately results in users getting frustrated and forcing a password reset.
Successful Approaches
In contrast, here are some approaches MyPass suggests for formulating a strong password policy.
Restrict Common Words
The most important password requirement you should include in your company password policy is to ban the use of common words when users create passwords, which reduces your organization’s vulnerability to password attacks. Common user passwords include “abcdefg”, “password”, “mypass”, etc.
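To make the three weaknesses discussed above concrete (repeated patterns such as “June18June18” that pad out a length rule, the “$”/“@”/“1” substitutions attackers try first, and the banned common words), here is a small illustrative password filter. It is an added example, not the code of MyPass Password Filter or any other product; the word list and substitution table are assumptions taken only from the words and swaps the article itself names, and a real deployment would load a far larger list.

```python
"""Illustrative password filter (added example, not MyPass Password Filter's code).

Checks the three weaknesses the article describes:
  * banned common words ("abcdefg", "password", "mypass"),
  * leetspeak substitutions attackers try first ("$"->"s", "@"->"a", "1"->"l"),
  * repeated patterns used to satisfy a length rule ("June18June18").
Word list and substitution table are assumptions drawn only from the article.
"""
from typing import List, Optional

# Common words named in the article; a real deployment loads a much larger list.
BANNED_WORDS = {"abcdefg", "password", "mypass"}

# The symbol-for-letter swaps the article says dictionary attacks use.
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "1": "l"})


def normalize(password: str) -> str:
    """Undo the common swaps and lower-case, so "P@$$word1" compares like
    "passwordl" and the banned word inside it is visible."""
    return password.translate(SUBSTITUTIONS).lower()


def repeating_unit(password: str) -> Optional[str]:
    """Return the shortest unit whose repetition forms the whole password
    (case-insensitively), e.g. "june18" for "June18June18"; None otherwise."""
    text = password.lower()
    n = len(text)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and text[:period] * (n // period) == text:
            return text[:period]
    return None


def banned_word_in(password: str) -> Optional[str]:
    """Return the banned word contained in the normalized password, if any.
    Longest words are tried first so the most specific match is reported."""
    norm = normalize(password)
    for word in sorted(BANNED_WORDS, key=len, reverse=True):
        if word in norm:
            return word
    return None


def evaluate(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    word = banned_word_in(password)
    if word:
        problems.append(f"contains common word '{word}'")
    unit = repeating_unit(password)
    if unit:
        problems.append(f"is '{unit}' repeated {len(password) // len(unit)} times")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, including the two from the article.
    for candidate in ["June18June18", "P@$$word1", "passwordpassword",
                      "correct horse battery staple"]:
        verdict = evaluate(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Normalizing before the word check is the important design point: a filter that only compares the raw string would accept “P@$$word1” even though it is exactly the substitution pattern the article says attackers enumerate first.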
MyPass Password Filter is a feature specifically designed for filtering out and eliminating bad passwords. Password Filter is an add-on feature to MyPass SSPR, but can also be implemented as a stand-alone service.
Re-using Company Passwords Elsewhere
One of the most important policies to stress to your users is never to re-use organization passwords anywhere else. The use of organization passwords on external websites greatly increases the possibility of cybercriminals capturing these passwords.
Enabling Multi-Factor Authentication
Multi-factor authentication is a must in any password policy. At MyPass we provide various multi-factor authentication gates within the platform. These integrate with the existing solutions at each customer or can be served from the MyPass Cloud. These MFA gates include:
- Google Authenticator (TOTP)
- Microsoft Authenticator (TOTP)
- LastPass Authenticator (TOTP)
- Duo Security (TOTP)
- Duo Security (Push Notification)
- Email OTP
- Text Message OTP
So Why Should I Care?
You might ask yourself: some of these issues are surfacing in my company right now, and I could implement these guidelines as password policies, but do I NEED them?
MyPass SSPR is an incredibly powerful piece of software that has the potential to ease the user’s working environment and experience, but even more so when the users are well-educated in its functionality. Our goal is that with every approach we’ve covered, putting together the perfect password policy for your company will enable you to easily achieve the results you seek.
More Info
For more information about how MyPass Password Manager or MyPass Password Filter can help your company implement a strong password policy, navigate to www.mypass.co.za.