Passwords: the dark necessity of the world, the prize of many bad actors, the security measure that drives users and security professionals alike insane. Special characters, 16 characters, 8 characters, use a passphrase, don’t use a passphrase because they are easily guessable, don’t use an easily guessable password. The rules are maddening because there seems to be no definitive password ruling; every source differs, but do they really? Today we’re going to take a look at passwords: how they should be crafted, how they should be protected, and exactly what to do with these pesky little identifiers.
Let’s take a look at what a few different sources suggest for password policies:
- Maintain an 8-character minimum length requirement (longer isn’t necessarily better)
- Don’t impose character composition requirements (for example, requiring symbols such as *&(^%$)
- Don’t require mandatory periodic password resets for user accounts
- Ban common passwords, to keep the most vulnerable passwords out of your system
- Educate your users to not re-use their organization passwords for non-work related purposes
- Enforce registration for multi-factor authentication
- Enable risk-based multi-factor authentication challenges
What’s this? Microsoft suggests only an eight-character minimum length requirement, noting that longer isn’t necessarily better. This may seem insane to some security professionals; we’ve been taught that the longer and more complex the password, the better. After all, with today’s technology, brute-forcing a password that just meets an 8-character minimum is child’s play, or dare we say even script-kiddie play? However, as with several other things, it seems that users found a way to make passwords less secure when given a 16-character guideline.
Passwords such as “Fourfourfourfour!” began to crop up across companies worldwide, and while that hits every single normal guideline (the capital letter, the special character), it is an easily guessable and brute-forcible password. However, a password such as, say, “3xcal1bur” might be harder to brute-force.
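To make the Microsoft-style policy above concrete, here is an added example (not code from the original article or from Microsoft) of a password-policy check that does what that list recommends: enforces an 8-character minimum, rejects entries from a banned common-password list, rejects a password equal to the username, and deliberately imposes no character-composition rules. It also flags the repeated-block pattern behind “Fourfourfourfour!”, which composition rules alone let through. The banned list is a small constructed sample; a real deployment would load a large breached-password list instead.

```python
import re
from typing import List

# Constructed sample banned list. In production, load a large list of
# breached/common passwords rather than this handful of entries.
BANNED_PASSWORDS = {
    "password", "user", "123456", "qwerty", "letmein", "welcome",
}

MIN_LENGTH = 8  # the minimum length the article quotes for Microsoft's guidance

# A short block (lazily matched) repeated at least three times, optionally
# followed by up to two trailing characters such as "!" or "1".
# "fourfourfourfour!" matches; "3xcal1bur" does not.
REPEATED_BLOCK = re.compile(r"(.+?)\1{2,}.{0,2}")


def check_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    Note what is *not* here: no uppercase/digit/symbol requirements, and no
    expiry logic, in line with the policy quoted in the article.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Case-insensitive comparison: "Password" is no better than "password".
    if lowered in BANNED_PASSWORDS:
        problems.append("on the banned common-password list")

    if username and lowered == username.lower():
        problems.append("same as the username")

    if REPEATED_BLOCK.fullmatch(lowered):
        problems.append("one short block repeated")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the two passwords the article mentions.
    for candidate, user in [
        ("Fourfourfourfour!", "alice"),
        ("3xcal1bur", "alice"),
        ("Password", "bob"),
        ("user", "user"),
    ]:
        verdict = check_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The check runs as a gate at password-set time, not as a scoring scheme: anything that returns a non-empty list is rejected with the reasons shown, and the absence of composition rules means users are free to pick long, memorable passwords without being pushed toward predictable substitutions.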
So what do some of the top industry professionals say about password security and complexity?
- “Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters.
- Do not use your network username as your password.
- Don’t use easily guessed passwords, such as “password” or “user.”
- Do not choose passwords based upon details that may not be as confidential as you’d expect, such as your birth date, your Social Security or phone number, or names of family members.”
All of these are wonderful suggestions, but as we can see, this advice clashes with Microsoft’s position of not requiring special characters. What gives? Why can we all not agree?
Yet another suggestion from the security experts at UC Santa Barbara:
- Length trumps complexity. The longer a password is, the better. Use at least 16 characters whenever possible.
- Make passwords that are hard to guess but easy to remember.
- Use MFA
Wait, should we use 16-character minimums or go with what Microsoft suggests and use a minimum of 8? All of these different groups seem to have at least one conflicting suggestion on crafting the perfect password. So who is right, and who is wrong?
The truth is none of them. No one is right and no one is wrong; the fact is the perfect password does not exist, because let’s face it, most password compromises happen because users freely give them away in phishing attacks, rather than bad actors brute-forcing them. So what can you do? How can you really protect your company from bad passwords, and from users giving those passwords out? Well, it’s actually something that every single one of the sources quoted above suggests: multi-factor authentication. With MFA available, passwords used alone have become a thing of the past. We hear the term “defense in depth” constantly, yet are we really using it? Passwords and password policies are just one part of the cyber-security landscape, and much like this article, we focus too much on them and on how to craft the perfect one, when the answer to making passwords more secure is staring us in the face and we often overlook it.