Sayers Blog


Your Password Policy Should Challenge Hackers, Not Your Users

Any time a human is involved, the potential for weakened security increases.  Password policies are necessary for cybersecurity compliance; however, burdensome password policies can result in bad user behavior like password transformation.


REMEMBER WHEN IBM published the startling statistic that human error was involved in 95% of all security incidents in its 2014 Cyber Security Intelligence Index?


A transformation happens when a user increments a number, changes a letter to a similar-looking symbol, adds or deletes a special character, or switches the order of characters.


Organizations can better secure their data, systems and environment by following the simple recommendations below.


THE DO'S: 


SIZE MATTERS 

  • The new NIST guidelines say you need a minimum of 8 characters. Better yet, NIST says you should allow a maximum length of at least 64.


USE OF A BAN DICTIONARY

  • Check new passwords against a dictionary of known-bad choices. Well-known and simple passwords are susceptible to brute-force and dictionary attacks. You don’t want to let people use Password, Pa$$word, admin, 123456, and so on. More research needs to be done into the best size of the banned password dictionary.


ALLOW PASTING 

  • This allows the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger passwords.


USER ABILITY TO RESET PASSWORD

  • Provide a mechanism so that users can recover their own password, unless you want to be tied to your email client or phone all day.


THE DON'TS:


NO COMPOSITION RULES

  • Do not force the use of particular characters or combinations (e.g. “Your password must contain one number, one lowercase letter, one uppercase letter, and four symbols but not '&%#@_'”). Password complexity should be neither forced nor prohibited.


NO PASSWORD HINTS

  • Just say no. It's not a good idea. Ask Adobe.


NO KNOWLEDGE-BASED AUTHENTICATION (KBA):

  • KBA is when a site says “Pick from a list of questions: Favorite vacation destination? Where did you attend high school? Your dog’s name?”. Data exfiltration and the proliferation of social media have weakened this option.

NO MORE EXPIRATION WITHOUT REASON:
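As an added illustration (not code from the Sayers post), here is a small Python verifier that applies the do's and don'ts above: length bounds, a banned-dictionary check, and no composition rules. The normalization step undoes the four transformations described earlier (incremented numbers, look-alike symbols, added or removed punctuation, reversed order) so that Pa$$w0rd2024 is rejected along with password. The banned list and the 128-character cap are assumed sample values; a real deployment loads a breach-derived corpus.

```python
import unicodedata

MIN_LEN = 8     # NIST minimum length
MAX_LEN = 128   # NIST says permit at least 64; the cap only bounds hashing cost (assumed value)

# Constructed sample banned list; a real verifier loads a breach-derived corpus.
BANNED = {"password", "admin", "qwerty", "letmein", "welcome", "iloveyou"}

# Look-alike substitutions users make when "transforming" a password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Undo the cosmetic transformations described in the post so that
    Pa$$w0rd2024 compares equal to password."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = s.strip("0123456789")                    # incremented counters: password1, 2password
    s = s.translate(LEET)                        # letter changed to a look-alike symbol
    return "".join(c for c in s if c.isalnum())  # added or deleted special characters


def check_password(pw: str) -> tuple[bool, str]:
    """Apply the do's and don'ts: length bounds and a banned-dictionary check only.
    Deliberately no composition rules (no 'must contain a symbol')."""
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    norm = normalize(pw)
    if pw.lower() in BANNED or norm in BANNED:
        return False, "matches the banned dictionary"
    if norm[::-1] in BANNED:                     # switched character order
        return False, "is a banned word reversed"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Pa$$w0rd2024", "drowssap!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
```

Note that a long passphrase passes while Pa$$w0rd2024 fails, which is exactly the outcome a composition rule would invert.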


Sayers suggests adopting a policy that follows most, if not all, of these recommendations. Two-factor authentication is strongly encouraged because it raises the requirements for a successful attack. Let us help you create or modify a password policy that is flexible, provides additional protection and fosters acceptance from your user community.


Additional Resources: