Your password policy can make or break your organization, and it’s imperative your policy address passwords from the standpoint of true security.
What makes a good password policy? When your users implement strong passwords they slow down attackers’ attempts to penetrate the network or stop the attacks all together.
Start by addressing password length. Conventional password rules recommend using an 8-character password. If you operate under that recommendation, you’re already at risk. Widely available tools for download on the internet, such as Hashcat, can break an 8-character password in less than 60 seconds. Typically, password policies that require at least 14-characters create a significant challenge for attackers as the longer passwords can take thousands of years to crack.
Next consider complexity. Each element of complexity adds to the time it takes to crack a password. But again, who can remember $877yaijfn&3yf? Requiring special characters and numbers can push users into creating passwords with known patterns, making them easy to guess.
Let’s see how this works. To help themselves remember, users pick something simple, and then add something relevant and easy to remember, such as a year and an exclamation point to the end. For example, as we enter the days of summer many users update their passwords using seasonal terminology. Attackers are wise to this concept and have been able to identify passwords such as:
The use of guessable passwords can lead to a common attack where an attacker will attempt to password guess your Outlook Web Access with known patterns.
For a brief break in the day and bit of a humor, comedian Michael McIntyre has a hilarious take on the evolution of the password during a 2020 Netflix special. We would encourage you to give it a watch and consider using this as an educational moment at an upcoming staff meeting.
*Warning there is a very moment that is NSFW* https://www.youtube.com/watch?v=z_HmDP3lKMI
A better alternative is to use complex passphrases. Pick a topic such as movie quotes and use your favorite movie lines – something more than just a word and a year. For example, a good password is: !No Luke I Am Your Father! That’s a 26-character password that is secure and easy to remember. Users can use everything from comic book heroes, motorcycle facts, to pop culture quotes. The subject of the passphrase does not really matter; using a theme you know makes long password combinations easier to remember and easier to type. Not to mention, if using a topic you know — your favorite movies — you will have an easier time updating passwords because you have a ready supply of alternatives. You can also suggest users use a random passphrase generator if they are struggling to find a system, such as Secure Passphrase Generator.
Ultimately length is more important than complexity. Hive Systems calculates that a 16-character password that just uses lower-case letters in 2022 would take about 3 thousand years to crack.
You can further protect your systems by requiring users to use 2-factor or multi-factor authentication whenever a system supports it. Requiring users to use a secondary method to authenticate that is something they have in their possession (such as a phone) helps protect you even when a password is guessable.
A good idea when creating your password policy is to follow NIST (National Institute of Standards and Technology) recommendations. For example, in the past, common advice was to require users to change their passwords regularly, but NIST now advises that users should not have to regularly change their password but should change them if there is any reason to believe a system has been compromised.
For you and your network administrators, managing the ever-increasing list of passwords is a daunting task. Storing a list of credentials on a notebook in a locked desk drawer or in an unprotected Excel workbook is not secure enough. We recommend the use of a secure password vault to store your sensitive credentials and associated challenge question answers.
If your organization already has a password vault that you could use, start using it immediately. The spreadsheet called Passwords.xlsx is an easy target for an attacker, and password protection on a spreadsheet is not an obstacle to an experienced attacker.
A good option to consider for a password vault is an application called KeePass. It encrypts your passwords in a single file. That file can be backed up to a network share for recovery in the event of a hard drive failure. There are many other products in the password vault space, KeePass is just one that our office implements because of its ease of use and price point (hint: it’s free).
The use of a password vault can help you from reusing a previous password. Most password vaults can suggest new or altered passwords based on user requirements for the passwords. The practice of “one password for everything” is common, risky, and a habit we can help each other to change.
You need to ensure that your employees are managing their credentials in a secure manner and adopting the use of password vaults like KeePass. If you need help training employees to use a password vault, we can help you. One successful idea we used with a client was to compensate their cleaning service for every post-it note they found with a password on it – The cleaning service earned $5 for every password and found 240 passwords, earning a whopping $1,200.
Attention: Network Admins
For years best practice meant you had two accounts: one for everyday use, and one for domain admin use. Those days are officially gone. With attack tools, like Mimikatz, an attacker could steal administrative credentials from a compromised machine’s memory that were last used within eight hours prior.
To limit the attack landscape, we recommend is shifting towards a tiered administrative account structure that creates secure perimeters around groups of workstations and servers.
The first phase is creating an administrative account explicitly for workstations that has no rights to log onto servers. From there you group servers by functional role (domain controllers, mail servers, file servers, SQL servers, etc.); feel free to be as detailed as necessary when creating these groups. As you create these functional groups, create a separate set of administrative passwords for each of these groups. Finally, restrict your domain administrator to only be able to log on to your domain controllers. Going forward, each administrator will have a regular set of passwords and then a series of administrative passwords that are only to be used for their specifically targeted machines. All passwords following your password policy, of course.
Once fully implemented, you will have effectively removed an attacker’s ability to escalate to admin-level privileges.
Passwords are the key to keep both your users and the network safe from unauthorized access. Following these simple, easy-to-use recommendations, you can offset your risk of compromise with minimal effort from the users and the network administrators.