Password Policies… how to do it right


Anyone who's worked in a corporate or enterprise environment at some point in their career will know how annoying password policies are. Every 30 / 60 / 90 days the dreaded toaster notification pops up telling you that your password will be expiring soon. That toaster literally sends shivers down my spine.

Why, I hear you ask? Well… not only do I need to think of a new password, but I'm almost certainly going to lock my account out (a few times) because I'll be logged on to a virtual desktop somewhere with Outlook and Skype open, or have a scheduled task running with saved credentials. It'll also take me days, if not weeks, to master my new complex password.

And herein lies the flaw with password expiration policies. Humans are very bad at remembering the complex letter, number and symbol combinations that should all be present in a password. Think about it… it's hard enough to remember your mother-in-law's birthdate; now try to remember a 15+ character complex password that has to change every month or two. People are also notoriously lazy, so instead of creating a genuinely new complex password they simply start adding numbers to the end. P@ssw0rd! very quickly becomes P@ssw0rd1!, then P@ssw0rd2!, etc. So if for some reason a password is compromised, how long do you think it will take a criminal to guess that if your password ended in 43 last month it'll end in 44 this month? Exactly 2 seconds! It'll be the very first password they try.

So here is my guidance to people reading…

  1. Enforce password complexity requirements. The more complex a password is, the better.
  2. Enforce a minimum 15-character password. This is extreme, but 15 characters is a great point to aspire towards. If it's unattainable, at least push for 12 or more.
  3. Enforce an account lockout policy that locks accounts after 10 bad password attempts. I've found that anything less than 5 and you'll be dealing with a shed load of account lockouts. Aim for somewhere between 5 and 15.
  4. DON'T force a maximum password age, and if you must, set it to something high like 12 months.
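The four points above, plus the "43 becomes 44" problem and the brute-force estimate at the end of the post, can be turned into a small reference policy checker. The code below is an added example written for this post, not the author's own tooling or any vendor's implementation. It assumes a few things the post does not spell out: "complexity" is read as at least three of the four character classes (lower, upper, digit, symbol), a reused password is detected by stripping the trailing digits and symbols before comparing, and the guess rate of 10^12 per second used for the crack-time estimate is an assumed figure for illustration, not a measured one. The function and class names are my own.

```python
import re
import string

# Policy values taken from the post: 15-character minimum, lockout after 10 failures.
MIN_LENGTH = 15
LOCKOUT_THRESHOLD = 10


def meets_complexity(password):
    """Require at least three of the four character classes (an assumed reading of 'complexity')."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


def _stem(password):
    # Strip the trailing digits/symbols people bolt onto a reused password
    # ("P@ssw0rd1!" -> "p@ssw0rd") and compare case-insensitively.
    return re.sub(r"[^A-Za-z]+$", "", password).lower()


def is_trivial_variant(new_password, old_password):
    """True when the new password is the old one with a different suffix (the 43 -> 44 pattern)."""
    return _stem(new_password) == _stem(old_password)


def validate_new_password(new_password, history):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not meets_complexity(new_password):
        problems.append("fewer than three character classes")
    if any(is_trivial_variant(new_password, old) for old in history):
        problems.append("trivial variant of a previous password")
    return problems


class LockoutTracker:
    """Counts consecutive failed logons per account and locks the account at the threshold."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def record_failure(self, account):
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
        return account in self.locked

    def record_success(self, account):
        # A correct password does not unlock an already-locked account; that needs an admin reset.
        if account in self.locked:
            return False
        self.failures.pop(account, None)
        return True

    def is_locked(self, account):
        return account in self.locked


def years_to_exhaust(password, guesses_per_second=1e12):
    """Rough brute-force cost: the smallest character set covering the password, raised to its length.

    The default guess rate is an assumed figure, not a measured one.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)  # 32 printable ASCII symbols
    keyspace = charset ** len(password)
    seconds_per_year = 365.25 * 24 * 3600
    return keyspace / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    # Constructed sample values, including the password quoted in the post.
    print(validate_new_password("P@ssw0rd2!", ["P@ssw0rd1!"]))
    print(validate_new_password("Correct-Horse-Battery-Staple7", ["P@ssw0rd1!"]))
    print(f"{years_to_exhaust('ek>YD3$tm2G4t>R'):.3g} years to exhaust the keyspace")
```

The suffix-stripping check is deliberately simple; it catches the "P@ssw0rd1! to P@ssw0rd2!" pattern the post describes but not every reuse trick, so it complements rather than replaces a password-history check.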

Why do I recommend this? Sure, a 15+ character password will initially go down like a cold bucket of sick, but people will eventually get used to it. They'll also be more likely to accept the policy if they know they won't have to change it for 12 months or more.

The other two things you should absolutely be doing to protect your users:

  1. Use multi-factor authentication wherever possible. A username and password alone is not enough to protect access to an account.
  2. Provide users with a password manager and encourage them to use a unique, strong password for every single account, both at home and at work. After all, if my password for my Yahoo account were Jessica27, it's probably a good guess that my corporate domain password is a variant of it.

Computers are continually getting faster and better at performing complex calculations and operations like brute-force attacks, but by current estimates my complex password of "ek>YD3$tm2G4t>R" won't be cracked in my lifetime, and I'm good with that.