I am fortunate in my new role to have a lot of freedom. There wasn’t a lot of structure in place when I started, so I can mold the IT policies as I see fit. This has been a blessing and a curse as I try to navigate the standard IT policies that I was pushed to enforce in my previous roles. Back then people would ask me why we need to change passwords so often. “Because it keeps us secure, and the company policy says so” would be my response. I never stopped and asked myself why things like this were put in place, and ultimately, do they really keep us secure?
Let’s break down the common rule sets that have been the cornerstone of just about every password policy put in place.
8 Character Minimum Passwords
This has been common practice for quite a long time, but I don’t think this requirement has kept up with the times. Are 8-character passwords really enough? Having passwords that are at least 8 characters will check the box when the auditor comes around, but is that what we really should be focused on? Why aren’t we trying to push people to longer (simpler, easier to remember, more secure) passphrases?
Password Complexity
Everything from special characters, to numbers, to upper- or lower-case letters falls under password complexity. With an 8-character password, I think these rules are necessary. If we start pushing people to phrases, and spend a little time educating people on choosing a simple secure passphrase, why do they need to be enforced?
Password Expiration
This, along with length, is I believe one of the two most used “audit check” boxes out there. This setting is the amount of time a user can keep their password before the system forces them to choose a new one. The standard just about everywhere is 90 days. Most users who feel their password is a burden and hard to come up with will write it down on a sticky note and leave it under their keyboard (or worse, attached to their monitor); it will take them 30+ days to remember it without looking (because we always have to look to “double check”), and then 30 or so days later the dreaded password expiration countdown starts. Personally I think I do a good job at password management, but 90 days still annoys the hell out of me. If you are in IT and you are reading this thinking “WAAAAHHHH, you need to change your password every 3 months”, take the “Password never expires” check box off your account for 6 months, and I have a feeling your thought process may change.
Enough ranting about it, but why do we need to change it every 90 freaking days? How is this going to keep me secure? This only helps if your password database gets stolen, and with our 8-character minimum above and modern hardware, it doesn’t matter if you change your password every 30 days, you are screwed. According to this article (I didn’t fact check it), 90% of 8-character “complex” passwords are cracked in seconds in that case.
Password History
This setting sets the number of new passwords a user must create before an old one can be used again. I don’t understand why this is even an option to leave off if you are setting your passwords to expire after a specific amount of time. If I make my users change their passwords (no matter the interval), shouldn’t I require that each password is unique? If I don’t, they fall into a pattern, i.e. I set my first password to Penelope!1 for Q1, Penelope!2 for Q2, and so on.
We need to stop trying to “check the audit checkbox” and start looking at the business requirements, and design our password policy around those. In my opinion, these items should be key to building a good password policy.
- End user education is paramount. Show them how easy it is to create a longer passphrase and show them the benefit of doing so.
- An 8-character minimum with forced complexity is not enough; try to push people to 15+ character passphrases.
- Don’t just set password expiration to 90 days. Depending on your other requirements (length, complexity, etc.), push it out to 6 months. I think you will find far fewer sticky notes under keyboards!
- One size does not fit all. Look at a solution like Specops Password Policy and give your end users options. They want an 8-character password? Fine, but it needs to be complex and they are changing it every 30 days. They have a 20-character passphrase? Their password doesn’t expire for a whole year.
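As an added example (not code from the original post or from Specops), here is a small Python evaluator for the tiered policy sketched in the last bullet, combined with the history rule from the Password History section: longer passphrases earn a longer expiry and fewer complexity rules, and a new password that only increments the suffix of a previous one (Penelope!1 to Penelope!2) is treated as reuse. The tier boundaries, expiry values and the suffix-stripping rule are assumptions chosen for the example.

```python
import re

# Tiered policy: (minimum length, expiry in days, complexity required).
# Values are assumptions for this example, modelled on the post's proposal:
# 8 chars -> complex and 30 days, 15+ -> 6 months, 20+ -> a full year.
TIERS = [
    (20, 365, False),
    (15, 180, False),
    (8, 30, True),
]

# Character classes counted for "complexity": lower, upper, digit, other.
CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")]


def complexity_classes(pw):
    """Number of distinct character classes present in the password."""
    return sum(1 for c in CLASSES if c.search(pw))


def expiry_days(pw):
    """Expiry in days for the tier the password falls into, or None if rejected."""
    for min_len, days, needs_complex in TIERS:
        if len(pw) >= min_len:
            if needs_complex and complexity_classes(pw) < 3:
                return None
            return days
    return None  # shorter than the lowest tier


def rotation_stem(pw):
    """Strip a trailing counter such as '!1' or '2024' so that 'Penelope!1'
    and 'Penelope!2' normalise to the same stem (assumed rule)."""
    return re.sub(r"[^A-Za-z]*\d+[^A-Za-z]*$", "", pw).lower()


def reuses_history(new_pw, history):
    """True if the new password repeats, or merely rotates the suffix of, an old one."""
    stem = rotation_stem(new_pw)
    return any(new_pw == old or stem == rotation_stem(old) for old in history)


def evaluate(new_pw, history):
    """Return (accepted, expiry_days, reason) for a proposed password change."""
    if reuses_history(new_pw, history):
        return (False, None, "reuses or trivially rotates a previous password")
    days = expiry_days(new_pw)
    if days is None:
        return (False, None, "too short or not complex enough for its tier")
    return (True, days, "ok")
```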
Lastly, don’t be lazy. If your users have a 90-day password reset requirement, then being in IT you should have AT LEAST the same. Get out and talk to the people who need to follow this policy and find out how they feel about it. Find out what bad security practices they fall into, and figure out how to solve that issue for them. I think you will get a lot more out of it than from just reviewing your audit checklist.