Modern IT system administrators know the importance of maintaining a strong password policy. In this article, we’ll explore the evolution of password policies, from basic to advanced, and discuss the key factors in creating a robust password policy, including password length, complexity, and the use of custom dictionaries.
We’ll also look at common password practices to avoid, the risks associated with password reuse, and the role of education in password security. Finally, we’ll examine the most common types of password attacks, and discuss best practices for defending against them.
Evolving Password Policies
The first passwords were used at MIT in the 1960s on a computer called the Compatible Time-Sharing System. Individual users needed a way to access only their files during their allotted four hours a week. But, just two years later, the first password theft occurred. A user printed the system’s password file to gain more time for their simulations.
No matter how you look at it, a system is constantly under attack, whether from outside threats or from users attempting to gain more privileges.
Over the years, organizations have had to manage changing best practices for password policies. In the rush to outsmart attackers, some password policies have proven to be stronger than others, while some have been outright detrimental.
For a long time, NIST recommended using long and complex passwords that were frequently rotated. The reasoning was that such passwords would be challenging to crack and short-lived, thus minimizing potential damage from a leaked hash.
In reality, recent reports show 83% of cracked passwords met the complexity and length requirements, therefore not affording the expected protection.
What may have intended to be a long, complex password, such as !adfak&35.234#, often ends up being a simpler password like !password20231#.
This is because users, to avoid the difficulty of remembering and generating passwords, would create a password that meets the complexity requirements while simply using common base terms and incrementing the values when a password rotation is required.
The common roots such as “password” or “welcome” are some of the most used and easily guessed terms, as found in the Specops 2023 Password Report, meant password security was also degraded.
This made the job of password cracking easier, as it was common for users to reuse a common base terms in their passwords with symbols added to the front and end, along with numbers. Password resets got more prevalent, as it became more difficult for users to remember their password; making it more common for them to create less-secure passwords.
In some ways, past best practices for password policies may have made password cracking easier. While encryption and hashing technology has improved, so has the technology available to attackers.
An attacker can now rapidly run through millions of pre-computed password hashes known as Rainbow tables or quickly brute-force passwords with the help of powerful GPUs (Graphics Processing Units). This means that even longer passwords are now subject to being cracked.
Attackers have evolved to use dictionary attacks that target the common root of a password while attempting easier variations of pre- and post-password numbers and symbols. This means that brute-forcing a password generally does not require trying every iteration of letters, numbers, and symbols but instead relies on techniques such as dictionary attacks that are much faster.
Modern Password Policy Recommendations
Due to the increasing ability of threat actors, NIST and other organizations have recommended changes to current password policies, as noted in the 2020 updated NIST 800-63b guidelines. Considering years of learning from password breaches and user behavior, the following general recommendations have been made.
- Do away with regular password change requirements unless a user requests one or if a breached password has been found.
- Eliminate password complexity requirements; focus on overall password length (12 characters, for example).
- Mandate screening of new passwords against commonly used dictionary terms, including custom word lists and previously compromised passwords.
Implementing this security approach into an organization can be challenging, mainly if the previous password mindset has existed for many years. While these changes can make the lives of users and system administrators easier, it can be challenging to change the ingrained attitudes of many security professionals over time.
Protecting Users with Specops Password Policy
Specops Password Policy helps organizations automate comprehensive password policy customizations. Staying current with the latest NIST standards is easy with the compliance-driven templates built-in into Specops Password Policy.
Avoid common mistakes by using custom dictionaries to block organization specific terms along with other common terms and ensure that users adhere to strong password policies through features such as “disallow username in password”. Have the ability to require minimum password changes, prevent password re-use, implement length-based expiration dates, and avoid the use of more than 3 billion compromised passwords with the Breached Password Protection add-on.
Specops: Password Policy application
Keeping Organizations Safe with Modern Password Policies
Password policies need to constantly evolve to stay one step ahead of attackers. Ensure you are protecting your organiztion and users by keeping up to date with the latest password policies made much easier through tools such as Specops Password Policy.
As attackers’ tools evolve, so should your approach to cybersecurity. With the latest updates to NIST password policy recommendations, you can make the lives of your users and the system administrators easier with well-thought-out and implemented password policies!
Sponsored and written by Specops Software