Modern IT system administrators know the importance of maintaining a strong password policy. In this article, we’ll explore the evolution of password policies from basic to advanced and discuss key factors in creating a strong password policy, including password length, complexity and the use of custom dictionaries.
We’ll also look at common password practices to avoid, the risks associated with password reuse, and the role of education in password security. Finally, we’ll look at the most common types of password attacks and discuss best practices for defending against them.
Evolution of password policies
The first computer passwords were used at MIT in the early 1960s on the Compatible Time-Sharing System (CTSS). Each user needed a way to keep other users out of their own files and to account for their allotted four hours of computing time per week. Just two years later came the first password theft: a user printed the system password file so that he could log in as others and get more computing time for his simulations.
Then as now, a shared system is under constant attack, both from outside threats and from its own users trying to gain more privileges than they were granted.
Over the years, organizations have had to keep up with evolving best practices for password policies. In the rush to outwit attackers, some policies have proven stronger than others, and some have been downright detrimental.
For a long time, NIST recommended long, complex passwords that were rotated frequently. The reasoning was that such passwords would be hard to crack and short-lived, limiting the damage a leaked hash could do before the password changed again.
In practice, that protection did not materialize: recent reports show that 83% of cracked passwords met the complexity and length requirements they were subject to, so the rules did not deliver the expected protection.
What could have been a long, random password like !adfak&35.234# often ends up as a predictable one like !password20231#.
To avoid the burden of generating and remembering passwords, users create one that satisfies the complexity rules by decorating a common base term with a symbol or two, then simply increment the number whenever a rotation is due.
Common roots such as "password" and "welcome" are among the most used and most easily guessed terms, as the Specops Password Report 2023 found, so the policy degraded password security rather than improving it.
That made the cracker's job easier, because it became safe to assume that a password is a common base term with a few symbols and digits added at the beginning and end. Password resets also became more frequent as users struggled to remember their passwords, and each forced reset pushed them toward another weak, predictable choice.
In some ways, past best practices in password policies made password cracking easier. As hashing technology has improved, so has the tooling available to attackers.
Against unsalted hashes, an attacker can look up millions of precomputed hashes in rainbow tables; against anything else, consumer GPUs (graphics processing units) compute billions of fast hashes such as NTLM, MD5 or SHA-1 per second, so even fairly long passwords are now within reach of brute force. Two caveats matter for defenders: a per-password salt defeats rainbow tables outright, and a deliberately slow, memory-hard hash such as bcrypt, scrypt or Argon2 cuts GPU throughput by orders of magnitude, so the format of a leaked hash matters as much as the length of the password behind it.
Attackers have also evolved beyond pure brute force. Dictionary and rule-based (hybrid) attacks take a common root from a wordlist and try cheap variations of it: capitalization, leet-speak substitutions, a year, and a few symbols before and after the root. Cracking a human-chosen password therefore rarely requires trying every combination of letters, numbers and symbols; a wordlist with mangling rules covers most of them in a tiny fraction of the time.
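To make the previous paragraphs concrete, here is a small rule-based (hybrid) dictionary attack in Python. It is an added example written for this article, not a Specops tool and not real leak data: the "leaked" hash set is constructed from four sample passwords hashed with unsalted SHA-1, and the five-word wordlist and the mangling rules (case changes, leet substitutions, a year, and a symbol prefix or suffix) are assumptions chosen to mirror the patterns described above.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Set

# Constructed sample "leak": four passwords hashed with unsalted SHA-1.
# Three follow the root+decoration pattern; the fourth is random.
SAMPLE_PASSWORDS = ["!password20231#", "Welcome2023!", "Summer2023", "!adfak&35.234#"]
LEAKED_HASHES: Set[str] = {hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS}

# Constructed five-word wordlist of common roots (assumption; a real attack
# would use a large list such as rockyou plus organization-specific terms).
WORDLIST = ["password", "welcome", "summer", "admin", "letmein"]

# Mangling rules: leet substitutions, an optional year, and symbols at either end.
LEET = str.maketrans("aeios", "@3105")
YEARS = [""] + [str(y) for y in range(2020, 2025)]
PREFIXES = ["", "!", "#"]
SUFFIXES = ["", "!", "#", "1#", "!#"]


def root_variants(root: str) -> Set[str]:
    """Case and leet-speak variants of a single dictionary root."""
    base = root.lower()
    return {
        base,
        base.capitalize(),
        base.upper(),
        base.translate(LEET),
        base.capitalize().translate(LEET),
    }


def candidates(wordlist: Iterable[str]) -> Iterable[str]:
    """Yield hybrid candidates of the form prefix + root variant + year + suffix."""
    for root in wordlist:
        for variant, year, pre, suf in itertools.product(
            sorted(root_variants(root)), YEARS, PREFIXES, SUFFIXES
        ):
            yield f"{pre}{variant}{year}{suf}"


def candidate_count(wordlist: Iterable[str]) -> int:
    """Size of the search space the rules generate (2,250 for the list above)."""
    return sum(1 for _ in candidates(wordlist))


def crack(hashes: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map each recovered hash to its plaintext; unmatched hashes are absent."""
    found: Dict[str, str] = {}
    for cand in candidates(wordlist):
        digest = hashlib.sha1(cand.encode()).hexdigest()
        if digest in hashes and digest not in found:
            found[digest] = cand
            if len(found) == len(hashes):
                break
    return found


if __name__ == "__main__":
    result = crack(LEAKED_HASHES, WORDLIST)
    print(f"{len(result)}/{len(LEAKED_HASHES)} hashes cracked "
          f"with {candidate_count(WORDLIST)} candidates")
    for digest, plain in result.items():
        print(f"  {digest[:12]}...  {plain}")
```

Three of the four hashes fall to about 2,250 candidates; the random !adfak&35.234# survives because no rule produces it. An exhaustive search of 15-character passwords over the 95 printable ASCII characters would be on the order of 95^15 candidates, which is why wordlists with mangling rules, as implemented by tools such as hashcat and John the Ripper, are the workhorse of real attacks.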
Modern password policy recommendations
Given the growing capability of threat actors, NIST and other organizations have revised their password guidance, most notably in NIST SP 800-63B, Digital Identity Guidelines (published in 2017 and updated in 2020). Drawing on years of breach data and observed user behavior, the guidance makes the following general recommendations.
- Remove regular password change requirements unless a user requests one or a breached password is found.
- Eliminate composition (complexity) requirements; focus on the overall length of the password (a minimum of 12 characters, for example; NIST's floor for user-chosen passwords is 8), and accept long passphrases, including spaces and Unicode.
- Mandate screening of new passwords against a blocklist of commonly used and expected values: dictionary terms, custom organization-specific wordlists, context-specific strings such as the user's own name or username, and previously compromised passwords.
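The three recommendations above translate into a screening function that checks length, context and blocklists and deliberately imposes no composition rules. The Python below is an added example for this article, not Specops code and not a NIST reference implementation; the custom dictionary (including the fictional company name "acme"), the username "jsmith", the reverse leet-speak table, the 12/64 length bounds and the tiny "breached" set (three constructed passwords stored as SHA-1, the representation Have I Been Pwned uses) are all assumptions. In production the breached check would query a full corpus, for example via the HIBP range API, which sends only the first five hex characters of the SHA-1 to the service.

```python
import hashlib
import re
from typing import List, Set

# Length bounds (assumptions for this example). 12 is the article's example
# minimum; NIST SP 800-63B requires at least 8 for user-chosen passwords and
# says verifiers must accept at least 64 characters.
MIN_LENGTH = 12
MAX_LENGTH = 64

# Constructed custom dictionary: common roots plus organization-specific terms
# (here the fictional company name "acme").
CUSTOM_DICTIONARY: Set[str] = {"password", "welcome", "summer", "qwerty", "letmein", "acme"}

# Constructed stand-in for a breached-password corpus, stored as SHA-1 hex.
# A real deployment checks the full list (offline or via the HIBP range API).
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ["!password20231#", "Welcome2023!", "correct horse battery staple"]
}

# Reverse leet-speak table so that p@55w0rd normalizes to "password".
UNLEET = str.maketrans("@$50314", "assoeia")


def normalized_forms(password: str) -> Set[str]:
    """Strip the decoration users add around a root and undo leet-speak."""
    s = password.lower()
    s = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", s)  # leading/trailing symbols
    forms = {s, re.sub(r"\d+$", "", s)}            # with and without a trailing number
    return {f.translate(UNLEET) for f in forms}


def dictionary_hit(password: str, dictionary: Set[str]) -> bool:
    """True if any normalized form of the password contains a dictionary word."""
    return any(word in form for form in normalized_forms(password) for word in dictionary)


def screen(password: str, username: str = "") -> List[str]:
    """Return the policy violations; an empty list means the password is accepted.

    No composition rules (upper/lower/digit/symbol) are applied on purpose,
    in line with the recommendation to drop complexity requirements.
    """
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if len(password) > MAX_LENGTH:
        reasons.append("too_long")
    if username and username.lower() in password.lower():
        reasons.append("contains_username")
    if dictionary_hit(password, CUSTOM_DICTIONARY):
        reasons.append("dictionary_root")
    if hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    for pw in ["!password20231#", "Tr0ub4dor&3", "W3lc0me_2024!",
               "jsmith-likes-long-walks", "blue kettle orbits the moon 9"]:
        print(f"{pw!r:36} -> {screen(pw, username='jsmith') or 'accepted'}")
```

Note what the normalization buys: !password20231# and W3lc0me_2024! both satisfy a classic complexity rule, yet both reduce to a dictionary root once the symbol decoration, trailing year and leet substitutions are peeled off, while the unremarkable but long passphrase passes. The order of checks also matters in practice: compute the breached-list lookup last, because it is the only check that may involve a network round trip.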
Implementing this approach in an organization can be challenging, especially where the old password mentality has been in place for many years. While these changes make life easier for users and system administrators, it can be difficult to change the entrenched attitudes of security professionals who have enforced complexity and rotation rules for a long time.
User protection with Specops password policy
Specops Password Policy helps organizations automate comprehensive password policy customizations. Staying up to date with the latest NIST standards is easy with the compliance-focused templates built into the product.
Avoid common mistakes by using custom dictionaries to block organization-specific and other common terms, and make sure users adhere to the policy with features such as "disallow username in password". The product can also set minimum password-change requirements, prevent password reuse, implement length-based expiration, and, with the Breached Password Protection add-on, block the use of over 3 billion known compromised passwords.
Keep organizations secure with modern password policies
Password policies must constantly evolve to stay ahead of attackers. Make sure you protect your organization and your users by keeping up to date with the latest password policies, which is much easier with tools like Specops password policy.
As attackers’ tools evolve, so should your approach to cybersecurity. With the latest updates to NIST’s Password Policy Recommendations, you can make life easier for your users and system administrators with well thought out and implemented password policies!
Sponsored and written by Specops software