Password security: Tips for creating a better policy

Everything you need to know about how to keep your systems secure using passwords.
Written by Nick Heath, Contributor

In recent years the received wisdom on passwords -- that they need to be complex, lengthy, and changed frequently -- has begun to be challenged.

Such passwords are not only potentially insecure; following these guidelines can also open up major holes in an organization's defences.

Leading security figures in the US and the UK have said it's time for businesses to look beyond the traditional advice and consider approaches to password security that work in practice, not just in theory.

Here's what you need to know to put together a robust password policy for your firm.

Don't require regular password changes

Although many organizations follow the advice of forcing staff to change passwords every 30 to 90 days, the practice "carries no real benefit", according to guidelines from the UK's National Cyber Security Centre (NCSC), because stolen passwords are generally "exploited immediately".

Such a policy can even reduce security, because users choose variations of the same or similar passwords, or pick the simplest password possible in order to minimize the hassle. That employees would choose the most straightforward password they can is hardly surprising, according to Dr Ian Levy, technical director at the NCSC, who says that once you take into account the myriad services the average person uses each day, forcing staff to make frequent changes is akin to asking them to "remember a different 660-digit number every month".


One way to limit password reuse is by forbidding choices too similar to previous passwords. "Storing password history and checking their next password against their previous password gives companies a bit more ability to enforce, to ensure that every password is in fact unique from the previous one," says Merritt Maxim, principal analyst serving security and risk professionals at Forrester.

However, instead of forcing frequent changes on workers, the NCSC advises monitoring logins to detect unusual activity and notifying users of attempted logins -- with the expectation they report any they weren't responsible for.

In short, you should only ask users to change their password if you suspect it has been compromised, according to the NCSC.

Choose technical defences over complex passwords

The NCSC says that requiring users to devise lengthy and complex passwords composed of multiple types of characters often fails to achieve the desired security, due to people using predictable strategies to meet the requirements.

"The security benefit is marginal while the user burden is high," the NCSC guidelines state.

People will typically look for shortcuts when asked to choose complex passwords, reusing the same option multiple times or choosing predictable strategies, such as replacing the letter 'o' with a zero.

Attackers are aware of this behavior and seek to exploit it via brute-force attacks, which will prioritise frequently used words and common character substitutions.

Instead of enforcing complex passwords, the NCSC recommends that companies' systems should:

  • Defend against automated guessing attacks, such as locking the account after a certain number of failed guesses or limiting the rate at which passwords can be submitted. When locking accounts in the event of multiple password guesses, allowing 10 attempts strikes a good balance between security and usability.
  • Blacklist common password choices.
  • Monitor logins to detect unusual use and to notify users with details of logins, successful and unsuccessful.
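The three controls in the list above can be implemented together at the authentication layer. The following is an added example, not code from the article or from the NCSC, written in Python with no third-party dependencies. The blocklist is a constructed handful of entries (a real deployment loads a large list of known-breached passwords), the 15-minute lockout window is an assumption, and the ten-attempt threshold is the one the NCSC guidance above suggests.

```python
import time
from collections import defaultdict

# Constructed blocklist for this example; a real deployment loads a large
# list of known-breached passwords instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MAX_FAILED_ATTEMPTS = 10      # the NCSC's suggested balance of security and usability
LOCKOUT_SECONDS = 15 * 60     # assumption: lock the account for 15 minutes


def normalise(password: str) -> str:
    """Undo the predictable substitutions (o->0, a->@, s->$, e->3) so that a
    choice such as 'P@ssw0rd' is recognised as the blocklisted 'password'."""
    table = str.maketrans({"0": "o", "@": "a", "$": "s", "3": "e"})
    return password.lower().translate(table)


def is_blocklisted(password: str) -> bool:
    """Reject common choices and their trivially substituted variants."""
    return normalise(password) in COMMON_PASSWORDS


class LoginGuard:
    """Counts failed guesses per account, locks the account after
    MAX_FAILED_ATTEMPTS, and records every attempt so users can later be
    shown (and asked to confirm) their recent login activity."""

    def __init__(self, verify, clock=time.time):
        self._verify = verify          # callable(username, password) -> bool
        self._clock = clock            # injectable for testing
        self._failures = defaultdict(int)
        self._locked_until = {}
        self.events = []               # (timestamp, username, outcome)

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        return until is not None and self._clock() < until

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. Attempts against a locked
        account are refused without consulting the password at all."""
        now = self._clock()
        if self.is_locked(username):
            self.events.append((now, username, "rejected-locked"))
            return "locked"
        if self._verify(username, password):
            self._failures[username] = 0
            self.events.append((now, username, "success"))
            return "ok"
        self._failures[username] += 1
        self.events.append((now, username, "failure"))
        if self._failures[username] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures[username] = 0
            return "locked"
        return "denied"

    def recent_activity(self, username: str):
        """The data a 'recent sign-in activity' notification is built from."""
        return [(ts, outcome) for ts, user, outcome in self.events if user == username]


if __name__ == "__main__":
    guard = LoginGuard(lambda user, pw: pw == "correct horse battery staple")
    for _ in range(10):
        print(guard.attempt("alice", "wrong-guess"))
    print("locked:", guard.is_locked("alice"))
    print("blocklisted:", is_blocklisted("P@ssw0rd"))
```

Note that the lockout rejects even the correct password while the window is open, and that every attempt, successful or not, lands in the event list, which is what the notification step in the third bullet needs.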

Encourage the use of these types of passwords

Good choices for striking a balance between memorability and security are passphrases, four random dictionary words or CVC-CVC-CVC (consonant-vowel-consonant) passwords.

Train staff to avoid common pitfalls

Even if your company requires a complex password, that doesn't prevent users from undermining security by choosing easy-to-guess options.

Training and post-training FAQs should warn staff about common mistakes when choosing passwords, such as:

  • Basing it on personal information.
  • Using simple dictionary words.
  • Relying on predictable keyboard sequences, for example, QWERTY.
  • Reusing passwords across multiple services -- especially between work and home. This is particularly an issue in the modern world where the average adult is estimated to have about 25 online accounts.

Forrester's Maxim says firms should also stress the reasons for changes to password policy. "If context is provided around the reason for the changes, users are much more accepting of it," he says.

It's also important to ensure that your outsourcing companies meet internal data protection and password security standards by stipulating compliance in their contracts.

Minimise your use of passwords

Do everything you can not to overload staff with password-protected systems.

  • Only password protect systems where access needs to be securely controlled.
  • Consider alternatives that make it easier for staff to manage passwords, such as single-sign on or password synchronisation.
  • Help staff remember passwords by providing a suitable way for them to store passwords, either physically, in a secure filing cabinet, or digitally, via password management software. Gartner highlights LastPass Enterprise, Keeper Business and Dashlane Business as being among the few business-targeted password managers available. Forrester singles out Lieberman Software and ManageEngine, while also recommending checking for integration with other identity and access management (IAM) systems and, in the case of Microsoft shops, with Active Directory. However, be aware that password management software is a tempting target for hackers. A separate password management tool may not be needed, as these tools are often included as part of web access management products or identity-as-a-service and IT service desk offerings.
  • Consider using Privileged Access Management technologies to help control and manage passwords and secure access to systems.

Pick the right kind of machine-generated passwords

If your company is choosing to issue staff with machine-generated passwords, it's important to be aware of the potential downsides.

Choose a system that generates passwords that are easy for users to remember while still being relatively secure, otherwise you increase the risk of users storing passwords in an insecure fashion.


As with user-chosen passwords, examples of the type of passwords that strike the correct balance, according to the NCSC, are passphrases, four random dictionary words, or CVC-CVC-CVC (consonant-vowel-consonant) passwords. It recommends letting users choose the password they find the most memorable from those generated.
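The two password styles named here and in the earlier section on memorable passwords can be generated from the operating system's random source and offered as a short list for the user to pick from. This is an added example, not code from the article or the NCSC; it uses only the Python standard library. The 32-word list is constructed for illustration, and the entropy figures it computes are simply the number of choices at each position, so a production word list of several thousand words would score far higher than this toy one.

```python
import math
import secrets
import string

CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in "aeiou")  # 21 letters
VOWELS = "aeiou"                                                             # 5 letters

# Constructed word list for the example; a real deployment uses a large
# published list, since passphrase strength scales with its size.
WORDS = [
    "apple", "banana", "cactus", "dolphin", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orange", "pepper",
    "quartz", "rabbit", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "anchor", "bridge", "candle", "desert", "forest", "galaxy", "helmet",
]


def cvc_password(groups: int = 3) -> str:
    """A CVC-CVC-CVC password: pronounceable consonant-vowel-consonant groups
    joined with hyphens, each letter drawn with secrets.choice."""
    parts = []
    for _ in range(groups):
        parts.append(secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS))
    return "-".join(parts)


def passphrase(words=WORDS, count: int = 4, sep: str = " ") -> str:
    """Four random dictionary words (with replacement) separated by spaces."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits_cvc(groups: int = 3) -> float:
    """log2 of the number of distinct CVC-CVC-CVC passwords."""
    return groups * math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))


def entropy_bits_passphrase(wordlist_size: int, count: int = 4) -> float:
    """log2 of the number of distinct passphrases of `count` words."""
    return count * math.log2(wordlist_size)


def candidates(n: int = 3) -> list:
    """Offer several generated options so the user can choose the most memorable,
    which is what the NCSC guidance above recommends."""
    return [cvc_password() for _ in range(n)] + [passphrase() for _ in range(n)]


if __name__ == "__main__":
    for option in candidates():
        print(option)
    print(f"CVC-CVC-CVC: {entropy_bits_cvc():.1f} bits")
    print(f"4 words from {len(WORDS)}: {entropy_bits_passphrase(len(WORDS)):.1f} bits")
```

The entropy helpers make the trade-off concrete: three CVC groups give roughly 33 bits, and four words from the toy list only 20, which is why the word list in a real system needs to be large.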

Don't share passwords between users

Sharing passwords is not only a security risk but removes the ability to reliably audit a user's actions in the event of an issue.

The NCSC recommends using a hardware token, such as an RFID badge, as a better alternative to passwords for controlling access to shared systems.

Change default passwords

Always change factory-set or default passwords on systems before they are deployed. Where you're uncertain over whether they've been changed, run a check for any instances of default passwords being used.

Put extra protections in place for remote users and admins

Because administrator accounts have broad permissions to make changes across the corporate network, these accounts should not be used to carry out less important and potentially risky day-to-day tasks, such as browsing the internet and checking email.

Instead create a separate account with fewer privileges for admins to use for non-administrative, everyday activities.

According to the Gartner report Four Kinds of Password Management, it's not only the passwords that need to be carefully considered, but also the reset policy: reset procedures must be designed to resist social engineering and other attacks against administrators.

Users logging into systems remotely over VPN or to systems such as webmail should also be required to log in using some form of two-factor authentication (2FA) alongside their password.

Passwords should never be stored as plain text

Passwords should be hashed and salted -- that is, be mixed with random data before being run through a one-way cryptographic function that converts them into a 'hash'.

Run periodic searches within documents, emails, and spreadsheets for plain-text passwords. These can often be located by searching for tell-tale strings such as 'password'.
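The periodic search just described can be scripted. Here is an added example (not from the article) in Python that scans a set of documents for the tell-tale pattern of a password keyword followed by a separator and a value, and reports the document and line number with the value itself redacted so the report does not become a second copy of the secret. The sample documents are constructed for the example.

```python
import re

# 'password', 'passwd', 'pass' or 'pwd' followed by ':' or '=' and a value,
# matched case-insensitively so DB_PASSWORD=... is found as well.
CREDENTIAL_PATTERN = re.compile(r"(pass(?:word|wd)?|pwd)\b\s*[:=]\s*['\"]?(\S+)", re.IGNORECASE)


def scan_text(name: str, text: str) -> list:
    """Return (document name, line number, redacted line) for each suspicious line.
    The captured value is replaced with '***' so the finding does not leak it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if CREDENTIAL_PATTERN.search(line):
            redacted = CREDENTIAL_PATTERN.sub(lambda m: f"{m.group(1)}=***", line)
            findings.append((name, lineno, redacted.strip()))
    return findings


def scan_documents(documents: dict) -> list:
    """Scan a mapping of document name -> text and collect all findings."""
    findings = []
    for name, text in documents.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample documents for the example (not real data).
SAMPLE_DOCUMENTS = {
    "onboarding.txt": "Welcome to the team.\nWiFi password: Summer2018!\nAsk IT if you need help.",
    "deploy-notes.md": "DB_PASSWORD=hunter2\nNo passwords are stored here, honest.",
    "minutes.txt": "Discussed the new password policy.\nAction: roll out 2FA.",
}


if __name__ == "__main__":
    for doc, lineno, snippet in scan_documents(SAMPLE_DOCUMENTS):
        print(f"{doc}:{lineno}: {snippet}")
```

Lines that merely mention the word, such as the meeting minutes, produce no finding; only a keyword directly followed by a separator and a value does. Real document stores will need a file walker and format-specific text extraction in front of `scan_text`.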

Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Do not use weak algorithms, such as MD5 or SHA1.
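The following added example (not code from the article, the NCSC or Forrester) ties the storage advice here to the password-history check Forrester's Maxim suggested earlier. It uses the Python standard library's `hashlib.pbkdf2_hmac` with SHA-256, which applies a fresh random salt per password and many iterations of the hash, the deliberately slow construction used for stored passwords rather than a single SHA-256 digest. The iteration count and the history depth of five are assumptions chosen for the example; each stored entry keeps its own salt, so a candidate password has to be re-hashed against every entry in the history.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: kept modest so the example runs quickly; tune upward in production
HISTORY_DEPTH = 5      # assumption: number of previous passwords a user may not reuse


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh 16-byte random salt is drawn unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """Holds the current salted hash per user plus a bounded history of
    earlier hashes, so a user cannot cycle back to a recent password."""

    def __init__(self):
        self._current = {}   # username -> (salt, digest)
        self._history = {}   # username -> [(salt, digest), ...], most recent first

    def set_password(self, username: str, new_password: str) -> bool:
        """Store a new password; returns False if it matches the current
        password or any of the last HISTORY_DEPTH previous ones."""
        previous = []
        if username in self._current:
            previous.append(self._current[username])
        previous.extend(self._history.get(username, []))
        for salt, digest in previous[:HISTORY_DEPTH]:
            if verify_password(new_password, salt, digest):
                return False
        if username in self._current:
            self._history[username] = previous[:HISTORY_DEPTH]
        self._current[username] = hash_password(new_password)
        return True

    def check_login(self, username: str, password: str) -> bool:
        if username not in self._current:
            return False
        salt, digest = self._current[username]
        return verify_password(password, salt, digest)


if __name__ == "__main__":
    store = PasswordStore()
    print(store.set_password("bob", "correct horse battery staple"))   # True
    print(store.set_password("bob", "correct horse battery staple"))   # False: reuse of current password
    print(store.set_password("bob", "second memorable phrase"))        # True
    print(store.check_login("bob", "second memorable phrase"))         # True
```

Because the plain password is never written anywhere, a history check is only possible by hashing the candidate against each stored (salt, digest) pair; that cost is bounded by `HISTORY_DEPTH`, which is one reason to keep the history short.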

Make sure your password policy meets regulatory standards

Remember to check that your password policy meets the applicable regulatory and audit requirements for your firm.

Don't forget about legacy systems

Forrester's Maxim points out that large companies need to consider whether older systems can meet the firm's password requirements, for example demanding use of special characters.

"Those kind of passwords may not work for some legacy systems," he says.

"So you need to understand whether your policy will be supported in every kind of system in your environment, and if there are ones where it doesn't work, you need to find ways around that."

