Best Practices for Increasing Password Security
Passwords. We all have them, and most of the time many of them. Most of us have also had one compromised at one point or another. Passwords are the gateway to our everyday systems and to our most sensitive information.
Because almost everyone relies on passwords, it is crucial that we create ones that are secure and are at lower risk of falling victim to cybercriminals.
In 2017, the National Institute of Standards and Technology (NIST) released Special Publication 800-63B, which was intended to provide technical requirements for federal agencies implementing digital identity services, including helping organizations address risks related to password management for end users. Since 2017, NIST has periodically updated its password guidelines. Although NIST did not release an update to its password guidelines in 2021 and has not yet done so in 2022, the recommendations and best practices below, as outlined in Special Publication 800-63B, remain worth considering for adoption:
Length Over Complexity
NIST has moved away from password complexity requirements and now recommends longer passwords. Although requiring passwords to contain uppercase letters, lowercase letters, numbers, and special characters might be expected to produce stronger passwords, in practice these requirements result in weaker passwords. As an example, the password “JohnSmith123!” would meet the complexity requirements listed above but is clearly not a strong password. Instead, NIST recommends the use of passphrases and setting a maximum password length of 64 characters.
Move Away From Frequent Password Resets
Inherently, we are all bad at creating secure passwords. Many of us choose whatever gets us logged into a system and on with our day as quickly as possible. Some of us have a favorite password or two that we reuse across multiple systems. Enforcing regular password resets does not usually help address this issue. When resetting passwords, many users create new passwords that are almost identical to the last one used (e.g. changing a trailing “1” to a “2”).
Enforcing an increased frequency of password changes also generates more data around how passwords are created. In today’s world, cybercriminals have the ability to use data analytics and artificial intelligence to identify patterns and predict new passwords. Password resets are recommended only if there is suspicion that a password has been compromised.
Failed Password Attempts
Limiting the number of failed password attempts before an account is locked is recommended. This helps reduce the risk of brute force attacks because the cybercriminal is limited to a small number of password guesses (e.g. 3 attempts) rather than an unlimited number.
As an additional measure, consider logging and monitoring repeated instances of bad password guesses and account lockouts. Further, consider implementing a formal process to periodically review the logs to help identify anomalous activity for research and remediation.
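The lockout and logging controls described in this section, as an added Python example that is not part of the article or of any NIST publication. The 3-attempt limit follows the article's illustration; the 15-minute lockout window, the constructed account "alice", the IP 203.0.113.5 and the stand-in credential check are assumptions made for the demonstration. The review function shows the kind of periodic log review the article recommends: accounts that keep getting locked, and single source addresses whose failures span many different accounts.

```python
import logging
import time
from collections import defaultdict
from dataclasses import dataclass

# Policy values are assumptions for this example; the article mentions a small
# fixed limit such as 3 attempts, which is used here.
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 15 * 60

log = logging.getLogger("auth")


@dataclass
class AccountState:
    failed_attempts: int = 0   # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    lockout_count: int = 0     # how many times this account has been locked


class LockoutPolicy:
    """Counts failed logins per account, locks the account after a fixed number
    of consecutive failures, and records every failure and lockout so the
    records can be reviewed later."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for testing
        self.accounts = defaultdict(AccountState)
        self.events = []                        # in-memory stand-in for a log/SIEM

    def is_locked(self, username):
        return self.clock() < self.accounts[username].locked_until

    def record_failure(self, username, source_ip):
        state = self.accounts[username]
        state.failed_attempts += 1
        self.audit("failed_login", username, source_ip)
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = self.clock() + LOCKOUT_SECONDS
            state.lockout_count += 1
            state.failed_attempts = 0
            self.audit("account_locked", username, source_ip)

    def record_success(self, username):
        self.accounts[username].failed_attempts = 0

    def audit(self, event, username, source_ip):
        record = {"ts": self.clock(), "event": event, "user": username, "ip": source_ip}
        self.events.append(record)
        log.warning("%s user=%s ip=%s", event, username, source_ip)


def attempt_login(policy, username, password, source_ip, verify):
    """Gate a login through the policy. `verify(username, password)` is the
    real credential check; demo() below supplies a constructed stand-in."""
    if policy.is_locked(username):
        policy.audit("rejected_while_locked", username, source_ip)
        return False
    if verify(username, password):
        policy.record_success(username)
        return True
    policy.record_failure(username, source_ip)
    return False


def review_lockouts(policy, min_lockouts=2, min_accounts_per_ip=3):
    """The periodic review step: accounts locked repeatedly, and source IPs whose
    failures spanned many different accounts (a pattern worth investigating)."""
    repeat_accounts = {u: s.lockout_count for u, s in policy.accounts.items()
                       if s.lockout_count >= min_lockouts}
    users_per_ip = defaultdict(set)
    for e in policy.events:
        if e["event"] == "failed_login":
            users_per_ip[e["ip"]].add(e["user"])
    broad_ips = {ip: len(users) for ip, users in users_per_ip.items()
                 if len(users) >= min_accounts_per_ip}
    return repeat_accounts, broad_ips


def demo():
    """Constructed scenario with a fake clock: three wrong guesses lock the
    account, the correct password is refused while locked, and login succeeds
    once the lockout expires."""
    now = [1_700_000_000.0]
    policy = LockoutPolicy(clock=lambda: now[0])
    creds = {"alice": "correct horse battery staple"}   # constructed credential store
    verify = lambda user, pw: creds.get(user) == pw
    for guess in ("wrong1", "wrong2", "wrong3"):
        attempt_login(policy, "alice", guess, "203.0.113.5", verify)
    result = {"locked": policy.is_locked("alice")}
    result["login_while_locked"] = attempt_login(
        policy, "alice", creds["alice"], "203.0.113.5", verify)
    now[0] += LOCKOUT_SECONDS + 1
    result["login_after_expiry"] = attempt_login(
        policy, "alice", creds["alice"], "203.0.113.5", verify)
    result["policy"] = policy
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    r = demo()
    print({k: v for k, v in r.items() if k != "policy"})
    print(review_lockouts(r["policy"], min_lockouts=1))
```

Every failure and lockout goes through one `audit` method so the records land in a single place for the review step; in a real deployment that method would write to the central log the article suggests monitoring, and `review_lockouts` would run on a schedule against that log rather than an in-memory list.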
Implement Two-Factor Authentication
Ensure that two-factor authentication is enforced on all accounts. This requires that an additional authentication measure be used in addition to the password. If a password is compromised, the risk of full access to the account is lower as the bad actor will not be able to gain access without the second factor.
It is important to note that not all systems support two-factor authentication. When evaluating prospective or current vendors, confirm that the system's capabilities allow you to enforce your internal password policies.
Screen New Passwords
All new passwords should be screened against the following:
- Commonly used passwords;
- Dictionary words;
- Repetitive or sequential characters (e.g. “abcdabcd”);
- Context-specific words (e.g. the username or the system name used in the password); and
- Lists of passwords used in recent data breaches.
There are software solutions available in the marketplace for password screening.
Regardless of how long or complex your password might be, if it meets any of the criteria noted in the list above, it may still be at risk of being compromised.
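The screening list above, together with the length rule from the “Length Over Complexity” section, as an added Python example; it is not code from the article, from NIST, or from any screening product. The word lists, the breach entries (stored as SHA-1 digests so no plaintext is kept), the 12-character minimum, and the user name and system name are constructed for illustration; a real deployment would load published common-password and dictionary lists and check a full breach corpus. The example rejects the article's “JohnSmith123!” while accepting a long passphrase, which is the behaviour a length-over-complexity policy is meant to have.

```python
import hashlib
import re

MIN_LENGTH = 12   # assumption: the article gives no minimum
MAX_LENGTH = 64   # the article: a maximum password length of 64 characters

# Constructed sample lists; production lists are far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"summer", "winter", "horse", "battery", "staple", "correct"}
# Constructed breach entries, kept as SHA-1 digests rather than plaintext.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("JohnSmith123!", "Winter2021")}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_repetitive(pw):
    """Whole value is one unit repeated (abcdabcd) or holds a run of 4+ identical characters."""
    return bool(re.fullmatch(r"(.+?)\1+", pw)) or bool(re.search(r"(.)\1{3,}", pw))


def _has_sequence(pw, run=4):
    """Any window of `run` characters that ascends/descends by one (abcd, 4321)
    or that is a fragment of a keyboard row (qwer)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas in ({1}, {-1}):
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _context_tokens(*values):
    """Lower-case word fragments of the username, display name and system name."""
    tokens = set()
    for v in values:
        for t in re.split(r"[^a-z0-9]+", v.lower()):
            if len(t) >= 3:
                tokens.add(t)
    return tokens


def screen_password(password, username="", display_name="", system_name=""):
    """Return the list of reasons a password fails screening; empty means accepted.
    No character-class (complexity) rule is applied, only length and the screening list."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = password.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    # A single dictionary word decorated with digits/symbols (Summer2022!) is still a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", low)
    if letters_only in DICTIONARY_WORDS:
        reasons.append("dictionary word (with or without digits/symbols)")
    if _is_repetitive(password) or _has_sequence(password):
        reasons.append("repetitive or sequential characters")
    hits = sorted(t for t in _context_tokens(username, display_name, system_name) if t in low)
    if hits:
        reasons.append("contains context-specific word(s): " + ", ".join(hits))
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in a known breach list")
    return reasons


if __name__ == "__main__":
    # Constructed user and system context for the demonstration.
    ctx = dict(username="jsmith", display_name="John Smith", system_name="Payroll Portal")
    for candidate in ("JohnSmith123!", "Summer2022!!", "abcdabcd1234",
                      "correct horse battery staple"):
        print(repr(candidate), screen_password(candidate, **ctx) or "accepted")
```

Two design points worth noting. The dictionary check normalizes the whole value rather than searching for words inside it, so a multi-word passphrase is not penalized for containing ordinary words. The breach check compares a digest against a local set; if the corpus lives with a third party, send only a hash prefix (as the Pwned Passwords range API does) rather than the password or its full hash.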
Use a Password Manager and Allow Password Pasting
Because of the sheer number of passwords users have to remember on a daily basis, along with the need to create lengthy, secure passwords, it is recommended to consider the use of a password manager. Password managers can be used to store various system credentials, or even further, generate complex passwords for the end user. A key consideration here is to ensure that a reputable password manager is selected that itself provides good security over your passwords.
To complement this, allow the pasting of passwords when logging into a system. Password managers will be able to autofill the fields and make the login process more efficient and easier for end users.
The landscape of password management is continuously changing and evolving as cybercriminals continue to become smarter and find new ways to compromise individuals’ credentials.
Interestingly, Google, Apple, and Microsoft have all committed to a “passwordless future”. Over the next year or so, each company will implement passwordless Fast Identity Online (FIDO) sign-in standards, which means you will no longer need a password to log into devices, websites, or applications. Instead, your phone will store a FIDO credential, called a passkey, to unlock your device. Passkeys are protected with cryptography and are significantly more secure than a password. Keep an eye out for a future article on this subject.
It is critical that organizations keep up with best practices and recommendations, such as those produced by NIST, as well as industry trends like those at Google, Apple, and Microsoft, to keep their systems secure and lower the risk of data breaches.
For more information, please contact Zachary Porter, or your BNN advisor.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.