In recent years the received wisdom on passwords -- that they need to be complex, lengthy, and changed frequently -- has begun to be challenged.
Such passwords are not only potentially insecure; following these guidelines can also open up major holes in an organization's defences.
Leading security figures in the US and the UK have said it's time for businesses to look beyond the traditional advice and consider approaches to password security that work in practice, not just in theory.
Here's what you need to know to put together a robust password policy for your firm.
Don't require regular password changes
Although many organizations follow the advice of forcing staff to change passwords every 30 to 90 days, the practice "carries no real benefit", according to guidelines from the UK's National Cyber Security Centre (NCSC), because stolen passwords are generally "exploited immediately".
Such a policy can even reduce security, because users choose variations of the same or similar passwords, or pick the simplest password possible in order to minimize the hassle. That employees would choose the most straightforward password they can is hardly surprising, according to Dr Ian Levy, technical director at the NCSC. Once you take into account the myriad services the average person uses each day, he says, forcing staff to make frequent changes is akin to asking them to "remember a different 660-digit number every month".
One way to limit password reuse is by forbidding choices too similar to previous passwords. "Storing password history and checking their next password against their previous password gives companies a bit more ability to enforce, to ensure that every password is in fact unique from the previous one," says Merritt Maxim, principal analyst serving security and risk professionals at Forrester.
However, instead of forcing frequent changes on workers, the NCSC advises monitoring logins to detect unusual activity and notifying users of attempted logins -- with the expectation they report any they weren't responsible for.
In short, you should only ask users to change their password if you suspect it has been compromised, according to the NCSC.
Choose technical defences over complex passwords
The NCSC says that requiring users to devise lengthy and complex passwords composed of multiple types of characters often fails to achieve the desired security, due to people using predictable strategies to meet the requirements.
"The security benefit is marginal while the user burden is high," the NCSC guidelines state.
People will typically look for shortcuts when asked to choose complex passwords, reusing the same option multiple times or choosing predictable strategies, such as replacing the letter 'o' with a zero.
Attackers are aware of this behavior and seek to exploit it via brute-force attacks, which will prioritise frequently used words and common character substitutions.
Instead of enforcing complex passwords, the NCSC recommends that companies put technical defences in place. Systems should:
Defend against automated guessing attacks, such as locking the account after a certain number of failed guesses or limiting the rate at which passwords can be submitted. When locking accounts in the event of multiple password guesses, allowing 10 attempts strikes a good balance between security and usability.
Blacklist common password choices.
Monitor logins to detect unusual use and to notify users with details of logins, successful and unsuccessful.
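As an added illustration (not NCSC or Forrester code) of the password-history check quoted earlier and the three technical defences just listed: a Python sketch with a denylist that also catches predictable character substitutions, a change-time similarity check against the previous password, and a login gate that locks an account after ten failed guesses while keeping a per-user record of successful and unsuccessful logins. The denylist contents, the 80% similarity threshold and the 15-minute lockout are assumed values chosen for the demo.

```python
import time
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed denylist for this demo; a real deployment loads a large list of
# breached and common passwords (assumption: entries are stored lowercase).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
UNLEET = str.maketrans("@$0134!", "asoieai")  # undo 'o' -> '0' style swaps

def is_denylisted(candidate: str) -> bool:
    """Reject common passwords and their predictable character substitutions."""
    lowered = candidate.lower()
    return lowered in COMMON_PASSWORDS or lowered.translate(UNLEET) in COMMON_PASSWORDS

def too_similar(new: str, previous: str, threshold: float = 0.8) -> bool:
    """Change-time history check: the user supplies the old password, so similarity is measurable."""
    return SequenceMatcher(None, new.lower(), previous.lower()).ratio() >= threshold

MAX_ATTEMPTS = 10            # NCSC: ten guesses balances security and usability
LOCKOUT_SECONDS = 15 * 60    # assumption: lock the account for 15 minutes

class LoginGuard:
    def __init__(self, verify, now=time.time):
        self.verify = verify                  # callable(user, password) -> bool
        self.now = now                        # injectable clock for testing
        self.failures = defaultdict(int)      # consecutive failures per user
        self.locked_until = {}                # user -> unlock timestamp
        self.events = []                      # (time, user, ip, outcome) audit trail

    def attempt(self, user: str, password: str, source_ip: str) -> bool:
        t = self.now()
        if self.locked_until.get(user, 0) > t:
            self.events.append((t, user, source_ip, "rejected-locked"))
            return False
        if self.verify(user, password):
            self.failures[user] = 0
            self.events.append((t, user, source_ip, "success"))
            return True
        self.failures[user] += 1
        self.events.append((t, user, source_ip, "failure"))
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked_until[user] = t + LOCKOUT_SECONDS
            self.failures[user] = 0
            self.events.append((t, user, source_ip, "locked"))
        return False

    def login_report(self, user: str):
        """Details a user can be shown so they can flag logins they did not make."""
        return [(t, ip, outcome) for t, u, ip, outcome in self.events if u == user]
```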
Encourage the use of these types of password
Good choices for striking a balance between memorability and security are passphrases, four random dictionary words or CVC-CVC-CVC (consonant-vowel-consonant) passwords.
Train staff to avoid common pitfalls
Even if your company requires a complex password, that doesn't prevent users from undermining security by choosing easy-to-guess options.
Training and post-training FAQs should warn staff about common mistakes when choosing passwords, such as:
Basing it on personal information.
Using simple dictionary words.
Relying on predictable keyboard sequences, for example, QWERTY.
Reusing passwords across multiple services -- especially between work and home. This is particularly an issue in the modern world where the average adult is estimated to have about 25 online accounts.
Forrester's Maxim says firms should also stress the reasons for changes to password policy. "If context is provided around the reason for the changes, users are much more accepting of it," he says.
It's also important to ensure that your outsourcing companies meet internal data protection and password security standards by stipulating compliance in their contracts.
Minimise your use of passwords
Do everything you can not to overload staff with password-protected systems.
Only password protect systems where access needs to be securely controlled.
Consider alternatives that make it easier for staff to manage passwords, such as single sign-on or password synchronisation.
Help staff remember passwords by providing a suitable way for them to store passwords, either physically, in a secure filing cabinet, or digitally, via password management software. Gartner highlights LastPass Enterprise, Keeper Business and Dashlane Business as being among the few business-targeted password managers available. Forrester singles out Lieberman Software and ManageEngine, while also recommending checking for integration with other identity and access management (IAM) systems and, in the case of Microsoft shops, with Active Directory. Be aware, however, that password management software is a tempting target for hackers. Buying a separate password management tool may not be necessary, as these capabilities are often included in web access management products, identity-as-a-service and IT service desk offerings.
For system-generated passwords, as with user-chosen ones, the NCSC gives passphrases, four random dictionary words, or CVC-CVC-CVC (consonant-vowel-consonant) passwords as examples that strike the right balance. It recommends generating several and letting users choose the one they find most memorable.
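The generated-password schemes named here and in the earlier section on the types of password to encourage, as an added Python example that is not from the NCSC: it builds CVC-CVC-CVC passwords and four-word passphrases from a cryptographically secure random source, estimates how many bits of guessing each scheme resists, and offers several candidates for the user to choose from. The 20-entry word list is a constructed stand-in; a real generator needs a list of several thousand words.

```python
import math
import secrets

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"

# Constructed 20-word list so the demo runs offline; a real generator needs a
# list of several thousand words (assumption) for the four-word scheme.
WORDS = ["anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden",
         "hammer", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
         "orbit", "pebble", "quartz", "ribbon", "saddle", "timber"]

def cvc_password(groups: int = 3) -> str:
    """NCSC-style CVC-CVC-CVC password such as 'kad-fop-wix' (secrets = CSPRNG)."""
    def syllable() -> str:
        return secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
    return "-".join(syllable() for _ in range(groups))

def word_passphrase(count: int = 4, words=WORDS) -> str:
    """Four random dictionary words, separated by spaces."""
    return " ".join(secrets.choice(words) for _ in range(count))

def entropy_bits(choices_per_pick: int, picks: int) -> float:
    """Guessing resistance of a scheme: log2 of the number of equally likely outputs."""
    return picks * math.log2(choices_per_pick)

def candidate_list(n: int = 3):
    """Generate several options of each kind so the user can pick the most memorable."""
    return {"cvc": [cvc_password() for _ in range(n)],
            "words": [word_passphrase() for _ in range(n)]}
```

With 21 consonants and 5 vowels, three CVC groups give about 33 bits; four words from the tiny demo list give only about 17, which is why the word scheme needs a large list.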
Don't share passwords between users
Sharing passwords is not only a security risk but removes the ability to reliably audit a user's actions in the event of an issue.
The NCSC recommends using a hardware token, such as an RFID badge, as a better alternative to passwords for controlling access to shared systems.
Change default passwords
Always change factory-set or default passwords on systems before they are deployed. Where you're uncertain over whether they've been changed, run a check for any instances of default passwords being used.
Put extra protections in place for remote users and admins
Given that administrator accounts have broad permissions to make changes across the corporate network, these accounts should not be used to carry out less important and potentially risky day-to-day tasks, such as browsing the internet and checking email.
Instead create a separate account with fewer privileges for admins to use for non-administrative, everyday activities.
According to the Gartner report Four Kinds of Password Management, it's not only the passwords that need to be carefully considered, but also the reset policy, with a requirement that reset policies are designed to resist social engineering and other attacks against administrators.
Users logging into systems remotely over VPN or to systems such as webmail should also be required to log in using some form of two-factor authentication (2FA) alongside their password.