Microsoft and The National Institute of Security Technology (NIST) are both recognized as leading authorities for providing password policy best practices. Learn how their recommended strategies can help you strengthen your password policies to protect against hackers and cybercriminals.
Password Best Practices
Ensuring robust password practices is essential for safeguarding an organization's data and systems. The National Institute of Standards and Technology (NIST) sets the information security standards for the federal government, and its password guidelines are mandatory for federal agencies. These guidelines are also widely adopted by commercial organizations as best practices for password policies. Microsoft, with its vast experience in analyzing millions of daily attempts to breach username/password combinations, offers a unique perspective on password security. By reviewing both NIST and Microsoft password best practices, you can determine the most effective password policies for your organization.
Microsoft Password Policy Recommendations
Microsoft has created their recommendation for Administrator Password Policies using intelligence gained from years of tracking threats including trojans, worms, botnets, phishing attacks etc. According to Microsoft, the primary goal of a more secure password system is password diversity, you want your password policy to contain lots of different and hard to guess passwords. They stress the importance of employee training to ensure that all users are educated on any password policy changes and know how to spot the latest security threats. Microsoft recommends the following policies to provide password-based identity and access management security as part of your organization's cybersecurity plan.
-
Enable MFA, and risk based multi-factor authentication challenges
Microsoft strongly advocates for the use of MFA and recommends enabling risk-based MFA challenges to enhance security. Risk-based multi-factor authentication ensures that when Microsoft's system detects suspicious activity, it can challenge the user to ensure that they are the legitimate account owner. -
Maintain an eight-character minimum length requirement
To encourage users to think about a unique password, Microsoft recommends keeping a reasonable eight-character minimum length requirement for regular users, provided MFA is enforced. The recommended minimum password length for Admin passwords if fourteen characters. -
Don't require character composition requirements such as: *&(^%$
Password complexity requirements can cause users to act in predictable ways, doing more harm than good. Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cybercriminals know this, so they run their dictionary attacks using the most common substitutions, "$" for "s", "@" for "a," "1" for "l". Forcing your users to choose a combination of upper, lower, digits, special characters have a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords and force them into coming up with less secure and less memorable passwords. -
Don't require mandatory periodic password resets for users
There is evidence to suggest that users who know they will have to change their password choose weak passwords and are more likely to write them down. It may be a better approach to enforce multi-factor authentication and then encouraging users to make the effort to create a strong password that they will be able to use for a long time. -
Ban common passwords to keep the most vulnerable passwords out of your system
The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords to reduce your organization's susceptibility to brute force password attacks. Common user passwords include: abcdefg, password, monkey. -
Educate your users to not reuse their organization passwords for nonwork related purposes
One of the most important messages to get across to users in your organization is to not reuse their organization password anywhere else. The use of organization passwords in external websites greatly increases the likelihood that cybercriminals will compromise these passwords. -
Enforce registration for multi-factor authentication
Make sure your users update contact and security information, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Updated contact and security information helps users verify their identity if they ever forget their password, or if someone else tries to take over their account. It also provides an out of band notification channel in the case of security events such as login attempts or changed passwords. -
Implement single sign-on (SSO)
To allow users to access multiple applications or systems with one set of login credentials. Instead of remembering different usernames and passwords for each service, users can log in once to their Microsoft 365 account, for example, and gain access to all the integrated applications without even having to know the passwords for each. -
Passwordless Authentication is the Future
Microsoft is inviting administrators to bring their organizations into the future by becoming familiar with what they're referring to as passwordless authentication, and it is available now. It allows users to get to applications and services faster, provides a higher level of security than passwords and eliminates the IT support costs and lost productivity that results from password resets. The 3 Microsoft passwordless authentication options available today include Windows Hello facial recognition and fingerprint scanning authentication, Microsoft Authenticator App for passwordless phone sign-in and Fido2 Security Keys that are available as US/NFC Key, USB Biometric Key or Biometric Wearables.
NIST Password Policy Recommendations
NIST's latest guidelines, outlined in NIST Special Publication 800-63B , "Digital Identity Guidelines", emphasize simplicity and effectiveness in password management. Issued on March 2, 2020, it is considered to be the gold standard for password security. The guidelines must be followed by federal agencies, and it is strongly recommended that the NIST password recommendations should be followed by all businesses when setting password policies to ensure the security of their employee accounts and company data. The document introduced a new protocol designed to improve password security by encouraging easy to remember but hard to guess passwords, referred to as memorized secrets, while eliminating many of the password complexity requirements of the past that were proven to actually decrease security. Below is a summary of the top password recommendations detailed in the guidelines:
- Require Multi-factor Authentication
Multi-factor authentication involves using more than one method to verify your identity. Multi-factor authentication can help protect your account from attackers even if they guess or steal your password. The attackers would not be able to access your account without also passing through the second layer of security.
- Password Length Should Be a Minimum of 8 Characters but less than 64
Password length requirements that require passwords to be greater than 10 characters have been proven to result in user behavior that is predictable and easy for hackers to guess. Length requirements also increase the chances that users will adopt other insecure practices, such as writing down their passwords, reusing them, or storing them unencrypted in their documents. For these reasons, NIST now recommends keeping a reasonable 8-character minimum length requirement....and most importantly require multi-factor authentication! - All Special Characters (Including Space) Should be Allowed but Not Required
Special characters make your password stronger, but you can still create a strong, secure password without special characters. Making this optional and not required allows users to create passwords they are more likely to remember.
- Eliminate Knowledge-Based Authentication (e.g. What is your Mother's Maiden Name)
Many forms of knowledge-based authentication can be easily found on the internet. Hackers can find answers to most of the security questions asked such as birthday, educational background, and family member's names by looking through public records. It doesn't help that so many people are oblivious to the security implications of the information they freely share on social media which often gives strong clues to these common security questions.
- Avoid Using Personal Information When Creating a Password
Personal information that you place on social media platforms like Facebook and Instagram make it easier for a hacker to guess your passwords. Avoid using anything that is known about you whether from public records or any information you or others may post on social media. This information may be the easiest for you to remember, but is the basis for social engineering to be used against you. Social engineering remains one of the most effective strategies used in successful ransomware attacks.
- Eliminate Mandatory Password Changes Unless There is Evidence of Password Compromise
One of the most important changes that NIST made is that they no longer recommend requiring regular password resets. This practice has been shown to be ineffective and actually make passwords less secure. A study by Microsoft found that users who were required to reset their passwords frequently were more likely to use weak passwords and reuse them across multiple accounts.
- Limit Number of Failed Password Attempts
Limiting your failed password attempts can help keep your accounts secure by preventing attackers from gaining access to them if they guess your password incorrectly too many times. This can help protect your account from brute force attacks in which hackers use sophisticated software and AI to generate millions of different combinations until they find the right one.
- Enable Copy and Paste Functionality in Password Fields
NIST also recommends allowing for passwords to be able to be copied and pasted in to password fields, which although the guidelines do not require the use of password management software, this guideline allows for their use. Password managers save all of the users passwords in a central, encrypted location and allow users to copy and paste in order to login.
- Require End User Training
Humans remain the weakest link in the information security process, providing regular training is one of the most important things organizations can do to protect against attacks targeted at their employees.
-
Do Not Allow Commonly-Used, Expected, or Compromised Passwords
Examples include:
- Passwords obtained from previous breaches
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
To make the best decisions on what password policies to implement, Administrators should review the recommendations provided by both of these highly credible sources and enforce strong password policies companywide. The most important security measure recommended by both Microsoft and NIST is requiring Multi-Factor Authentication for all accounts containing company data. Based on Microsoft's studies, your account is more than 99.9% less likely to be compromised if you use MFA. Although many of their recommendations are the same, both Microsoft and NIST have some unique recommendations which, if implemented, will make your security more robust.
If you're looking for help providing users with guidance on how to choose a unique password for each of their accounts, one of the best schemes ever created which is still very effective today is from Schneier on a Security Blog Post from 2014. The blog post cited that almost anything that can be remembered can be cracked, which is true. It suggests combining a personally memorable sentence with some personally memorable tricks to modify that sentence into a unique, memorable password. This would look something like:
- “tlpWENT2tm” = “This little piggy went to the market”
- WIw7,mstmsritt. = When I was seven, my sister threw my stuffed rabbit in the toilet.
- Wow…doestcst = Wow, does that couch smell terrible.
Password policies should be reviewed regularly to make sure you're following leading practices to secure your organizations data, and user training should be done regularly to keep security top of mind for all employees.
To get answers to your cybersecurity questions or to learn how to improve the security of your network, talk to one of our engineer's today:
Sources:
Microsoft, Office 365 Password policy recommendations
NIST, Authenticator and Verifier Requirements, 51. Requirements by Authenticator Type