Organizations are constantly challenged by password management. Security advisors always recommend longer and stronger passwords, while users bristle at each new criterion. Different systems don't support the same password requirements, and the various industry standards can be confusing and contradictory. And though many organizations combine password hygiene requirements and best practices, password cracking tests still succeed against large percentages of their password lists.
Passwords are often the weakest link in any company’s security posture. While Multi-Factor Authentication (MFA) and other types of authentication offer the promise of a better solution, they’re not always available for every implementation, and they don’t eliminate all password risks. Realistically, passwords will continue to be the first line of defense in the near future, so it’s imperative for organizations to initiate solid password policies.
Password security results from systematic construction requirements and user selection strategies. It’s easy to select passwords that meet very stringent construction requirements but are still weak against cracking, or vice versa. We’ve developed some tips for password management practices that will resist cracking attacks and keep your systems secure.
Do Something Unexpected
This is the single most important factor in password security. Assuming a password is long enough to resist brute force attacks, cracking relies on the predictable patterns of users. Think how often your passwords fit common patterns or "masks" (e.g. a capital letter, followed by lowercase letters, followed by a numeral). Oftentimes, those numerals are the current year, month, or just your incrementing counter for how many times you've changed the password. Maybe you added an exclamation point to fit complexity requirements. If you're really clever, you substituted a "$" for an "S" or a "0" for an "O." Crackers check all these patterns almost instantaneously. But they often won't look for an errant "+" in the middle of a word, a misspelled word, or numerals woven into your words. You can still use patterns that are easy to remember, but make them unique. Don't adopt typical patterns. There's a massive difference in strength between "password1" and "pa1ssword."
Longer is Better
In terms of systematic construction requirements, password length easily overshadows the value of every other requirement. The length of a password is essentially an exponent on the number of possibilities, and every additional character makes the password exponentially stronger. For critical systems where a high level of security is needed (and particularly for your network operating system), the minimum length should be no less than 15 characters. While this can sound daunting, it also means that you can relax other password criteria. Older recommendations around expiration, complexity, reuse, etc., have relatively limited value and can actually be detrimental without effective implementation and training.
Forced Changes Are Important, But Not for the Reason You Think
Periodic expiration and forced password changes are easily the biggest headache of password management among users. Traditional password expiration intervals of 30, 60, or even 90 days can feel overwhelming, and their security value is suspect at best. Besides, doesn’t everyone just increment a number at the end of their password every time?
That said, password changes are still important. This is primarily to prevent users from recycling passwords for many years and across multiple systems for work and personal use. It’s highly likely that every user has had passwords compromised from various website breaches over the years, both reported and unreported, and that those credentials are routinely sold on the dark web. You don’t want those compromised credentials in use on your critical systems.
To prevent this, there should be a password expiration of no more than one year. Alternatively, you can force users to change passwords based on triggers rather than a regular frequency. To do this, you should actively monitor the dark web for compromised passwords, force changes when they’re detected, and also run periodic password cracking exercises and force changes on users with weak passwords (i.e. those that were successfully cracked). There are both paid and free solutions to monitor for compromised credentials, depending on how sophisticated you want to make the control.
Set Realistic Password Criteria Based on Your Security Requirements
This doesn't mean allowing weak passwords; rather, lean on controls that are more effective and acceptable to users (such as longer passwords or Multi-Factor Authentication solutions). It also means you should de-emphasize less important controls such as frequent expiration. You might consider establishing multiple password standards that differentiate between critical systems and less risky systems, and between high-privileged users and general users.
Training and Testing
Whatever password policy you set, training users is vital to effective implementation. Users need to understand competent selection practices, regardless of your enforced construction requirements.
Don't just train your users and assume you're secure: periodic testing through cracking exercises is key. Use an experienced security consultant to try to crack your entire password file. You'll see the users with weak or predictable passwords, and can have them select stronger ones. You'll also have metrics to support your arguments about password risks. Just like phishing tests drive home the point of security awareness training, password cracking tests prove to users that weak passwords are exploitable.
Password Do’s and Don’ts
| Bad Password | Reason |
|---|---|
| 5h/&7f | This password is highly complex and couldn't be guessed, but with only 6 characters, it's still highly vulnerable to brute force cracking. Also, since it likely can't be easily remembered, it's going to be written down somewhere. |
| Springtime2021! | This is 15 characters, but unfortunately it follows a very predictable mask: capital letter, lowercase letters, numerals, and a final exclamation point. Hackers would likely get this easily. |
| correct horse battery staple | It's very long and easy to remember. But using only dictionary words still leaves it vulnerable to cracking, especially with no special characters or unexpected interruptions. (Plus, we've all seen the xkcd comic; this password is now as commonplace as 'password123'.) |
| $tr0ng P@$$w0rd | It's long, it's complex, and it fits every construction requirement, but it's still fairly simple due to the common words and obvious character substitutions. |

| Good Password | Reason |
|---|---|
| on.ce tw.ice th.rice | Long, easy to remember, and the unexpected insertion of periods in the middle of words makes it difficult to crack. |
| 20spring!time21 | This is just a rearrangement of a bad password example, but it breaks the common masks and becomes much harder to crack. |
| #Golf/Oscar/Oscar/Delta | Very long and easy to remember, with unusual slashes and a pattern-breaking character at the beginning. |
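As an added illustration (not code from the original article), the mask, length and substitution points made above can be turned into a small policy auditor and run over the Do's and Don'ts passwords; the list of predictable shapes, the substitution map and the mini-dictionary are constructed assumptions, and a real deployment would use a full wordlist.

```python
import re
from typing import List

MIN_LENGTH = 15  # the article's floor for critical systems

# Character classes for a mask: u=upper, l=lower, d=digit, s=symbol or space.
def mask_of(pw: str) -> str:
    return "".join("u" if c.isupper() else "l" if c.islower()
                   else "d" if c.isdigit() else "s" for c in pw)

# Run-length collapse so "Springtime2021!" -> "ullllllllddddss" -> "ulds".
def shape_of(pw: str) -> str:
    return re.sub(r"(.)\1+", r"\1", mask_of(pw))

# Shapes that are tried first in pattern-based cracking (constructed, not exhaustive).
PREDICTABLE_SHAPES = {"l", "d", "ul", "ld", "uld", "lds", "ulds", "uls", "ls", "sl", "sld"}

# Undo the "obvious substitutions" the article warns about ($ -> s, 0 -> o, ...).
DELEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "!": "i"})

# Constructed mini-dictionary covering the article's examples only.
DICTIONARY = {"password", "spring", "springtime", "strong", "correct", "horse",
              "battery", "staple", "once", "twice", "thrice", "golf", "oscar", "delta"}

def audit(pw: str) -> List[str]:
    """Return policy findings for a password; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    if shape_of(pw) in PREDICTABLE_SHAPES:
        findings.append(f"predictable mask {shape_of(pw)}")
    if re.search(r"(19|20)\d\d", pw):
        findings.append("contains a year")
    # Dictionary check on the lowercased, de-leeted, space-split form: an interior
    # "." or "/" breaks the word match, which is exactly the article's advice.
    words = pw.lower().translate(DELEET).split()
    if words and all(w in DICTIONARY for w in words):
        findings.append("only dictionary words (after undoing substitutions)")
    return findings

if __name__ == "__main__":
    for pw in ["5h/&7f", "Springtime2021!", "correct horse battery staple", "$tr0ng P@$$w0rd",
               "on.ce tw.ice th.rice", "20spring!time21", "#Golf/Oscar/Oscar/Delta"]:
        print(f"{pw!r:32} {audit(pw) or 'OK'}")
```

The four "bad" passwords each produce at least one finding and the three "good" ones produce none, matching the tables above.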
Conclusion
Password management is a challenge and a constant source of friction in many organizations. Use the tips above to minimize systematic construction requirements while maximizing password strength, and put your security to the test with a password cracking exercise from experienced cybersecurity experts.