3 Password Policy Best Practice Solutions You Need Right Now

14 Characters Are No Longer Enough

Microsoft has been building productivity platforms that have powered the world for decades. With more than 180 million users, Office 365 continues to grow — particularly as support for on-premises servers and other technology and a greater emphasis on Cloud-based services. While impressive, this growth has naturally made their platforms the natural target for cybercriminals. And because so many organizations rely on Office 365 and other Microsoft services as part of their technological infrastructure, this naturally makes those organizations at risk of breaches and other cybersecurity issues.

Currently, Windows’ minimum password character length is around 14 characters, though companies can set it lower. (This is not recommended — even the minimum of 8 characters that Microsoft suggests to strike a balance between security and memorability isn’t strong enough an argument in our opinion.) Even if your organization observes this 14-character minimum, it’s important to understand that this is no longer enough. To many, 14 characters might appear to be more than enough — potentially even bordering on too much.

However, simply search “breach,” and you’ll quickly realize that passwords are frequently on both ends of whichever scenario you find: often they’re the source of the attack, and almost always they’re part of the plunder. More than ever, this means that passwords must be given even greater attention — going beyond simply making them more complex. We must take more advanced and even unpredictable actions to ensure passwords remain safe.

Let’s take a look at a few password policy best practices to help strengthen your organization’s identity-based security.

1. Use Passphrases — Not Passwords

Another password policy best practice is the use of passphrases rather than passwords. They might sound the same, but passwords and passphrases are actually different. Passwords consist of letters, numbers, and symbols combined. They can be fairly easy to remember, like Ex4mp13Pa55w0rD — or not, like ijb9v(*H*08iwn4e9sd. The issue here is that most passwords are easily cracked, are already present in databases containing previously cracked or stolen passwords, or can become so complex that there’s no hope of remembering them. (Side note: If it has to be a password, use a vault, too. More on this shortly.)

Passphrases, on the other hand, can include spaces. This means users don’t have to choose the lesser of two evils: 1) a weak, memorable password or 2) an insanely complex string of characters, numbers, and symbols. Instead, the use of longer, multi-word phrases (which can include numbers and symbols) opens the door for even stronger security. An example of a passphrase might be Nothing will work in 2019 unless you do!. Upper- and lower-case letters, numbers, symbols, and spaces are all used — making the phrase incredibly secure, difficult to crack, and longer than the 14-character minimum.

2. Vault Your Passwords

While passphrases can be easier to remember since they’re often sayings or phrases users are familiar with, remember that one of the most important password policy best practices is that no two passwords (or passphrases) should be the same. This means, despite their ease, it’s still going to be difficult for users to remember multiple passphrases. Minor changes between them (such as 2020 instead of 2019 in the example above) won’t cut it. A password vault system will be incredibly helpful for your users, to say nothing of its obvious security benefits.

But we need to go a step further here, too, because simply vaulting the passwords doesn’t mean they’re safe. The vault itself must be kept safe, too. We recently covered password policy best practices when it comes to your organization’s administrators, particularly the practice of rotating passwords between admins. Because the administrators’ passwords will already be secured, they don’t necessarily need to know that their password is changing every few weeks, days, or even hours. However, password rotation ensures that administrators are still able to use your enterprise tools and platforms while having their credentials updated securely.

3. Check for Bad Passwords (Frequently)

If you’re not rotating administrator accounts (and even if you are), consider doing a password crack on your next penetration test. The goal here is to check for password re-use. To do this, you’ll need to match the hash used. Hashes are unreadable character strings that are intended to be one-way, meaning a password is converted into these characters but cannot be converted back. Some hashes are easier to crack than others, but by matching them, you’ll be able to tell if employees are re-using their passwords.

If your penetration test shows this to be the case, a password policy best practice is to blacklist those passwords immediately. Users need to be creating and using new passwords on every reset. Password re-use, while helpful for the user, does nothing for your organization’s security. Note that it’s important to do this with respect for your users and to not breach confidentiality. Don’t match the passwords to user accounts (but do feel free to chuckle at the unique passwords you uncover!).

Take Your Password Policy to the Next Level

At Inversion6, our security experts don’t just make recommendations and walk away. Our chief information security officers (CISOs) partner with you from start to finish, developing password policy best practices alongside organizational leaders, educating your entire workforce on their importance, and collaborating with your IT and security teams to ensure those practices are used and enforced at all times. Fill out the form below to learn more about us and how we can help you.