Is Your Password Policy Strong Enough in 2024?

With data breaches on the rise, organizations must ensure they have a strong password policy in place to secure sensitive information. However, with increasing cyber threats, many password policies employed today may not be robust enough for 2024 and beyond. Let’s take an in-depth look at what constitutes a strong password policy and how you can evaluate if your current policy needs updating.

Why Passwords Remain Important for Authentication

Despite the rise of multi-factor authentication (MFA) and biometric logins, passwords are still the first line of defense for most systems. Passwords are simple for users to implement and manage. For IT teams, passwords can be an effective way to control access across applications and devices.

However, the risks of weak passwords are well known:

  • Weak passwords are easy for cybercriminals to guess using brute force tools or via credential stuffing attacks.

  • Employees often reuse passwords across personal and work accounts, allowing access to business systems if their personal accounts are breached.

  • Short expiration periods and complex requirements lead to password fatigue, causing users to choose weak passphrases that are easy to remember.

While supplementing passwords with MFA adds critical protection, well-designed password policies are still necessary as the primary gatekeeper.

Critical Components of a Strong Password Policy

An effective password policy contains controls to maximize strength while balancing usability for employees. Key elements include:

Length and Complexity

Longer passwords with multiple character types are harder to crack. I recommend a minimum of 10 characters, combining upper- and lowercase letters, numbers, and symbols.

However, requiring too much complexity can backfire, with users defaulting to easy patterns. The focus should be on length over strict composition rules.

Rotation Frequency

Frequent forced resets, like every 90 days, frustrate users and lead to predictable patterns. I suggest resets every 6-12 months to balance security and usability.

Also consider letting users keep the same password if it meets strength requirements, as periodic changes offer minimal additional protection.

Blacklisted Passwords

Maintain and enforce a blacklist of the most common passwords and variants. This prevents easily guessed passwords like Password1.

Multi-Factor Authentication (MFA)

Augment passwords with MFA across all critical systems. MFA ensures that someone needs more than a password to gain access by requiring an additional verification factor, such as biometrics or a one-time code.

Password Managers

Encourage and potentially provide a password manager to employees to generate and store strong unique passwords securely. This reduces password reuse risks.

Account Lockouts

Lock user accounts after a reasonable number of incorrect login attempts, such as 5-10, to prevent brute-force attacks, but balance this against productivity impacts.

Additional Password Policy Tips

Here are some additional best practices to consider when evaluating your password policy:

  • Ban password hints that provide user account details. Attackers can leverage these to guess credentials.
  • Limit password attempts on high-value systems like finance applications to just 3-5 to block brute force attacks.
  • Train employees on password policies and the importance of unique, complex passwords for work accounts. Renew training annually.
  • For critical systems, require password changes upon events like employee termination or privileged role changes.
  • Enforce longer passwords of 12 characters or more for users with administrative privileges or access to sensitive data.
  • Block common passwords and other easily guessed words like company name, city, student IDs, etc.
  • Leverage single sign-on (SSO) to minimize the number of passwords employees need across systems and encourage longer passphrases.
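
A policy checker that encodes the rules above (10-character minimum, 12 for privileged users, a blacklist of common passwords checked against their trivial variants, and company-specific terms such as the company name or city), written as an added example rather than code from the original article. The blacklist entries, the company terms, and the two-character-class minimum are constructed assumptions.

```python
import re

# Policy thresholds from the article; MIN_CLASSES is a constructed compromise
# between "combine character types" and "favour length over strict composition".
MIN_LENGTH = 10          # all users
ADMIN_MIN_LENGTH = 12    # administrative or sensitive-data access
MIN_CLASSES = 2          # of: lowercase, uppercase, digit, symbol

# Constructed sample lists. A real deployment loads a breached-password list
# and the organisation's own terms (company name, city, ID formats).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "123456"}
ORG_TERMS = {"acme", "springfield"}  # hypothetical company name and city

# Substitutions cracking tools try first, so they add no real strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(pw: str) -> str:
    """Reduce trivial variants (Password1, P@ssw0rd!2024) to their base word."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # drop trailing digits/symbols
    base = re.sub(r"^[^a-z]+", "", base)   # drop leading digits/symbols
    return base.translate(LEET)            # undo leet substitutions

def is_blacklisted(pw: str) -> bool:
    """True if the password or its normalised form is a common password
    or contains a company-specific term."""
    for candidate in {pw.lower(), normalize(pw)}:
        if candidate in COMMON_PASSWORDS:
            return True
        if any(term in candidate for term in ORG_TERMS):
            return True
    return False

def char_classes(pw: str) -> int:
    """Count how many of the four character classes appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))

def evaluate(pw: str, privileged: bool = False) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    violations = []
    min_len = ADMIN_MIN_LENGTH if privileged else MIN_LENGTH
    if len(pw) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if char_classes(pw) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    if is_blacklisted(pw):
        violations.append("matches a blacklisted term or variant")
    return violations
```

Running `evaluate("P@ssw0rd!2024")` rejects the password even though it satisfies length and composition, which is the point of checking variants rather than exact strings.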

Assessing Your Current Password Policy

When auditing your existing policy, consider these questions:

  • How often are passwords required to change? Are users frustrated with frequent resets?
  • Are minimum length and complexity standards sufficient? Too complex?
  • Are passwords screened against common blacklisted terms? How often is the blacklist updated?
  • Is multi-factor authentication used to supplement passwords? For which systems?
  • Are passwords managed securely via a password manager?
  • How many login attempts before lockout? Is this appropriate for each system?
  • How quickly can passwords be reset? Is self-service an option?

Examining these facets will reveal where your policy may need strengthening to meet modern password best practices and threats. Be sure to also evaluate third parties to ensure they have adequate policies if accessing your systems and data.

Conclusion

While no password policy can fully prevent breaches, organizations can apply these password security principles to make attackers’ jobs much harder. Evaluating your policies with today’s guidelines and threats in mind ensures your organization has strong defenses in place before 2024 arrives. With cyber risks only growing, taking the time to audit password controls and user education will pay dividends in limiting business risk.
