Debunking Common Password Policy Myths
Chaz Vossburg


Didn't I just change IT?

Looking for more tips to protect your organization (and yourself)? Check out our security series, 10 Fail-Safe Tricks for Maximizing Security. We’ll be releasing new articles and videos each week for every topic. Click here to get the content directly in your inbox.


For today’s installment of 10 Fail-Safe Tips for Maximizing Security, we will discuss password policies; more specifically, the change in thinking about password policies, recommendations, and a video that shows you how to simulate a brute force attack in your environment to identify vulnerabilities.

For decades, our reliance on technology has continued to grow exponentially, driving efforts to protect the data that is stored and shared on and between devices.  Information security as an entity continues to evolve to keep pace with the inherent risks associated with sprawling network connectivity, mobility, and increased decentralization of IT.

The start of these security measures began with the advent of individual user credentials, providing a unique username and password combination for users.  A central component of this was to create password management policies with the idea of thwarting outside threats from easily accessing data.  Companies were urged to enforce two longstanding password management policies: require users to choose highly complex passwords, and change those passwords on a regular basis.  “Make the password hard to guess, and change them frequently” was the common wisdom.

Unfortunately, in retrospect it seems those longstanding password policies can very easily conflict with their original goals.  According to Microsoft, “understanding human nature is critical because research shows that almost every rule you impose on your users will result in a weakening of password quality.” Length requirements, special character requirements, and password change requirements all result in normalization of passwords, making it easier for attackers to guess or brute force your passwords.  Let’s examine a few common approaches and how they can negatively impact your organization.

Password Expiration Requirements

These do more harm than good because the requirements push users toward predictable passwords, often a fixed word followed by a number that changes in sequence.  The next password can be predicted from the previous one, because the pattern is easily discernible.  For example, a user starts with “Stardust” as their password, and at each expiration simply appends the next number in order to keep it easy to remember (e.g. “Stardust1234”).

Requiring Long Passwords

Excessive password length requirements can also result in predictable behavior by users.  The longer the minimum requirement, the more likely users will choose repeating patterns that meet the character length minimum but are easier to remember.  Additionally, these length requirements increase the chances that users write passwords down, re-use them, or otherwise engage in insecure practices.  Social engineering can flourish when users forget the purpose of security measures.  Microsoft currently recommends a minimum password length of 14 characters.

Requiring the Use of Multiple Character Sets

Again, predictability is the issue here.  Requiring a minimum number of uppercase, lowercase, numeric, and non-alphanumeric characters will often encourage people to follow the same pattern: a capital letter in the first position, a number or numbers toward the end, and a symbol in the last position.  Cyber criminals know this, so they run dictionary attacks that apply the common substitutions, “$” for “s”, “@” for “a”, or “1” for “l”, to every word in the list.

Now that we’ve busted the top password security myths, let’s take a look at today’s best practices for password management.

Ban Common Passwords

As we’ve discussed, users often utilize common words to create passwords, making them quite vulnerable.  But how do you manage a list of ‘common’ words without creating overly strict policies and perpetuating the original issue? In Azure Active Directory, you can utilize Microsoft’s custom banned password list to add strings to evaluate and block, in addition to the global banned password list, when users and administrators attempt to change or reset a password.  Click here to learn how to easily configure the custom list.
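To make the banned-word idea concrete, here is an added example (not Wellforce's or Microsoft's code) of a password-change check that normalizes away the predictable patterns described above: trailing digits and symbols, the common “$”/“@”/“1” substitutions, and case. It then rejects a candidate that normalizes to a banned word or to the same base word as the previous password. The banned list and the sample passwords are constructed for the example; in Azure AD the equivalent list is the custom banned password list.

```python
import re
from typing import Optional

# Constructed sample banned list (stand-in for an organization's custom banned
# password list; the real list is maintained in the identity provider).
BANNED_BASE_WORDS = {"stardust", "password", "welcome", "summer"}

# Substitutions attackers already apply to dictionary words.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its base word: lowercase, drop leading digits and
    trailing digits/symbols, undo common substitutions, keep letters only."""
    core = re.sub(r"^\d+|[\d!?.#*]+$", "", password.lower())
    core = core.translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", core)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password shares its base word with the old one, so a
    rotation such as Stardust1 -> Stardust2 or Stardust -> $tardust! is rejected."""
    base = normalize(new)
    return bool(base) and base == normalize(old)


def evaluate(new: str, old: Optional[str] = None, min_length: int = 14) -> list:
    """Return the reasons the candidate fails; an empty list means it is accepted."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalize(new) in BANNED_BASE_WORDS:
        reasons.append("normalizes to a banned word")
    if old is not None and is_trivial_variant(old, new):
        reasons.append("trivial variant of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed old/new pairs illustrating the three myths and a good choice.
    for old, new in [("Stardust1", "Stardust2"),
                     ("Winter2023!", "P@$$w0rd!!!!!!"),
                     ("Winter2023!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {evaluate(new, old) or 'accepted'}")
```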

Advise Users Against Password Re-Use

While tech companies constantly try to simplify password security (like with the rise in facial recognition software), users still manage an abundance of passwords, both at work and personally. As such, password re-use is an extremely common security malpractice. Be sure to educate users to keep work-specific passwords within company programs. And, better yet, encourage them to use a different password for every application, both professionally and personally. Linking them to password keepers, like LastPass, can lessen the anxiety around increased password management.

Implement Multi-Factor Authentication (MFA)

In addition to implementing MFA, you should enforce MFA registration and enable risk-based MFA.  Registration requires users to maintain updated contact and security information, so they can respond to security challenges, and allows them to verify their identity if they ever forget their password, or if an account becomes compromised.  Risk-based MFA ensures that when the system detects suspicious activity, it can challenge the user to ensure account ownership.  To learn more, see Set up multi-factor authentication.

With end-users being the last line of defense in the ever-evolving cyber battle, user education is now more important than ever.  Click here to schedule your free security assessment and to learn more about Wellforce’s end-user security training and awareness programs.
