IT Solutions Blog

NIST and Microsoft Password Policy Best Practices

Written by Sean Doherty | 8/3/22 4:39 PM

Microsoft and The National Institute of Security Technology (NIST) are two of the leading resources for providing strong password policies. In this article, we discuss their recommended strategies to make sure your organization's passwords are strong enough to protect against hackers and cybercriminals. 

The NIST is responsible for developing information security standards and guidelines that all federal agencies must follow, and most cybersecurity experts choose to follow as well. Microsoft provides a unique perspective on password security by leveraging the intelligence that comes from analyzing millions of attempts to compromise username/password daily. Review both the NIST and Microsoft password guidance and recommendations to determine the best policies for your organization.

 Microsoft Password Policy Recommendations  

Microsoft has created their recommendation for Administrator Password Policies using intelligence gained from years of tracking threats including trojans, worms, botnets, phishing attacks etc. They also stress the importance of employee training to ensure that all users are educated on any password policy changes, and know how to spot the latest security threats. Microsoft recommends the following policies to provide password based identity and access management security as part of your organization's cybersecurity plan.  

Password Guidelines for Administrators

  • Maintain an 8-character Minimum Length Requirement (longer isn't necessarily better)

    Password length requirements (greater than about 10 characters) can result in user behavior that is predictable and undesirable. For example, users who are required to have a 16-character password may choose repeating patterns likefourfourfourfourorpasswordpasswordthat meet the character length requirement but aren't hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, such as writing down their passwords, reusing them, or storing them unencrypted in their documents. To encourage users to think about a unique password, we recommend keeping a reasonable 8-character minimum length requirement. 

  • Don't require Character Composition Requirements. For example, *&^%$

    Password complexity requirements can cause users to act in predictable ways, doing more harm than good. Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cybercriminals know this, so they run their dictionary attacks using the most common substitutions, "$" for "s", "@" for "a," "1" for "l". Forcing your users to choose a combination of upper, lower, digits, special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords. 

  • Don't require Periodic Password Resets for User Accounts

    There is evidence to suggest that users who know they will have to change their password choose weak passwords and are more likely to write them down. It may be a better approach to enforce Multi-factor authentication and then encouraging users to make the effort to create a strong password that they will be able to use for a long time.  

  • Ban Common Passwords, to keep the Most Vulnerable Passwords out of your System

    The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords to reduce your organization's susceptibility to brute force password attacks. Common user passwords include:abcdefg,password,monkey. 

  • Educate your Users to not Re-Use their Organization Passwords for Non-Work Related Purposes

    One of the most important messages to get across to users in your organization is to not reuse their organization password anywhere else. The use of organization passwords in external websites greatly increases the likelihood that cybercriminals will compromise these passwords. 

  • Enforce Registration for Multi-Factor Authentication

    Make sure your users update contact and security information, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Updated contact and security information helps users verify their identity if they ever forget their password, or if someone else tries to take over their account. It also provides an out of band notification channel in the case of security events such as login attempts or changed passwords. 

  • Enable Risk-Based Multi-Factor Authentication Challenges

    Risk-based multi-factor authentication ensures that when our system detects suspicious activity, it can challenge the user to ensure that they are the legitimate account owner. 

  • Passwordless Authentication is the Future

    Microsoft is inviting administrators to bring their organizations into the future by becoming familiar with what they're referring to as passwordless authentication, and it is available now. It allows users to get to applications and services faster, provides a higher level of security than passwords and eliminates the IT support costs and lost productivity that results from password resets. The 3 Microsoft passwordless authentication options available today include Windows Hello facial recognition and fingerprint scanning authentication, Microsoft Authenticator App for passwordless phone sign-in and Fido2 Security Keys that are available as US/NFC Key, USB Biometric Key or Biometric Wearables.  

 NIST Password Policy Recommendations

The NIST Special Publication 800-63B Digital Identity Guidelines, Authentication and Lifecycle Management issued in 2020 is considered the gold standard for password security. The guidelines must be followed by federal agencies, and it is strongly recommended that the NIST password recommendations should be followed by all businesses when setting password policies to ensure the security of their employee accounts and company data. The document introduced a new protocol designed to improve password security by encouraging easy to remember but hard to guess passwords, referred to as memorized secrets, while eliminating many of the password complexity requirements of the past that were proven to actually decrease security.

 Below is a summary of the top password recommendations detailed in the guidelines:  

  • Require Multi-factor Authentication

    Multi-factor authentication involves using more than one method to verify your identity. Multi-factor authentication can help protect your account from attackers even if they guess or steal your password. The attackers would not be able to access your account without also passing through the second layer of security.

  • Password Length Should Be a Minimum of 8 Characters but less than 64 Characters

    Password length requirements that require passwords to be greater than 10 characters have been proven to result in user behavior that is predictable and easy for hackers to guess. Length requirements also increase the chances that users will adopt other insecure practices, such as writing down their passwords, reusing them, or storing them unencrypted in their documents. For these reasons, NIST now recommends keeping a reasonable 8-character minimum length requirement....and most importantly require multi-factor authentication!

  • All Special Characters (Including Space) Should be Allowed But Not Required

    Special characters make your password stronger, but you can still create a strong, secure password without special characters. Making this optional and not required allows users to create passwords they are more likely to remember.

  • Eliminate Knowledge-Based Authentication (e.g. What is your Mother's Maiden Name)

    Many forms of knowledge-based authentication can be easily found on the internet. Hackers can find answers to most of the security questions asked such as birthday, educational background, and family member's names by looking through public records. It doesn't help that so many people are oblivious to the security implications of the information they freely share on social media which often gives strong clues to these common security questions. 

  • Avoid Using Personal Information When Creating a Password

    Personal information that you place on social media platforms like Facebook and Instagram make it easier for a hacker to guess your passwords. Avoid using anything that is known about you whether from public records or any information you or others may post on social media. This information may be the easiest for you to remember, but is the basis for social engineering to be used against you. Social engineering remains one of the most effective strategies used in successful ransomware attacks.

  • Eliminate Mandatory Password Changes Unless There is Evidence of Password Compromise

    One of the most important changes that NIST made is that they no longer recommend requiring regular password resets. This practice has been shown to be ineffective and actually make passwords less secure. A study by Microsoft found that users who were required to reset their passwords frequently were more likely to use weak passwords and reuse them across multiple accounts.

  • Limit Number of Failed Password Attempts

    Limiting your failed password attempts can help keep your accounts secure by preventing attackers from gaining access to them if they guess your password incorrectly too many times. This can help protect your account from brute force attacks in which hackers use sophisticated software and AI to generate millions of different combinations until they find the right one. 

  • Enable Copy and Paste Functionality in Password Fields

    NIST also recommends allowing for passwords to be able to be copied and pasted in to password fields, which although the guidelines do not require the use of  password management software, this guideline allows for their use. Password managers save all of the users passwords in a central, encrypted location and allow users to copy and paste in order to login. 

  • Require End User Training  

    Humans remain the weakest link in the information security process, providing regular training is one of the most important things organizations can do to protect against attacks targeted at their employees. 

    Additional Recommendations - Do not use:
  • Context-specific words, such as the name of the service, the username, and derivatives
  • Passwords that have been compromised in previous breaches
  • Words that can be found in the dictionary
  • Repetitive or sequential characters such ("aaaaaaaa" or "1234abcd")

Conclusion

Administrators should review the list provided by these highly credible sources and enforce the recommended policies companywide. The most important security measure recommended by both Microsoft and NIST is requiring Multi-Factor Authentication for all accounts containing company data. Based on Microsoft's studies, your account is more than 99.9% less likely to be compromised if you use MFA. 

Password Managers are simple to use and can help generate strong unique passwords and provide a secure solution so that employees don't have to remember all of their passwords. If you implement a password management solution, here are five things to keep in mind:

  • Choose a long passphrase for the master password to the password manager and protect it from being stolen. A passphrase can be made sufficiently long to protect against attacks while still allowing memorization.  
  • Create unique passwords for all accounts or use the capability of most password managers to generate random, unique, complex passwords for each account.  
  • Avoid password managers that allow recovery of the master password. Any compromise of the master password through account recovery tools can compromise the entire password vault.  
  • Use multi-factor authentication for program manager applications that allow that capability. 
  • Use the password generator capability in most password managers to generate complex, random passwords that meet your desired complexity requirements 

If you don't implement a password manager, it's important to provide users with guidance on how to choose a unique password for each of their accounts. One of the best schemes ever created which is still very effective today is from Schneier on a Security Blog Post from 2014. The blog post cited that almost anything that can be remembered can be cracked. It suggests combining a personally memorable sentence with some personally memorable tricks to modify that sentence into a unique, memorable password. This would look something like:

  • “tlpWENT2tm”      = “This little piggy went to the market”  
  • WIw7,mstmsritt.  = When I was seven, my sister threw my stuffed rabbit in the toilet. 
  • Wow…doestcst      = Wow, does that couch smell terrible. 

By addressing password policies, the security of your organization will be drastically improved.

For more cybersecurity recommendations to improve your organizations cybersecurity policies, contact IntelliSuite.

Sources:

Microsoft,  Office 365 Password policy recommendations

NIST, Authenticator and Verifier Requirements, 51. Requirements by Authenticator Type

Schneier on Security