Why are Microsoft, the NIST and the Department of Homeland Security Recommending New Password Policies for 2019?
Complex password policies have proven to do more harm than good, resulting in users creating easy-to-remember passwords that are even easier to hack! The Verizon 2019 Data Breach Investigations Report confirms that hackers are taking full advantage, revealing that hacking is the #1 cause of data breaches in 2019. The report identifies phishing and the use of stolen credentials (passwords) as the top 2 hacking techniques used in successful data breaches.
Microsoft, the National Institute of Standards and Technology (NIST) and the US Department of Homeland Security have drastically changed their recommendations for strong password policies. Let's look at their new recommendations and how to implement these changes in your organization.
As if creating weak passwords were not bad enough, the Ponemon Institute's 2019 State of Password and Authentication Security Behaviors report reveals more alarming statistics regarding employee password security:
- 51% of respondents reuse passwords across 5 business and personal accounts
- 69% of respondents admit they share passwords with colleagues
- 57% of respondents that have experienced a phishing attack have not changed their password behaviors!
In April, the National Cyber Security Centre (NCSC) in the UK released a list of the 100,000 most hacked passwords in the world. The NCSC recommends using 3 random words as a password, but unfortunately 23.2 million people chose 123456 instead, 7.7 million went with 123456789, 3.8 million still think qwerty is a good idea, and 3.6 million are still using password, followed closely by password1.
Are you still wondering why Microsoft, the NIST and the Department of Homeland Security are recommending new password policies for 2019? Employees remain the weakest link in enterprise security strategies. Let's look at the changes these industry leaders are suggesting to help improve IT Security:
Microsoft has created its recommendations for both administrator password policies and end-user password policies using intelligence gained from years of tracking threats including trojans, worms, botnets, phishing attacks, etc. It also stresses the importance of employee training, to ensure that all users are educated on any password policy changes and know how to spot the latest security threats. Microsoft recommends the following policies to provide password-based identity and access management security as part of your organization's cybersecurity plan.
Password Guidelines for Administrators
- Maintain an 8-character minimum length requirement (longer isn't necessarily better)
- Don't impose character composition requirements, for example mandating symbols such as *&(^%$
- Don't require periodic password resets for user accounts
- Ban common passwords, to keep the most vulnerable passwords out of your system
- Educate your users to not re-use their organization passwords for non-work related purposes
- Enforce registration for multi-factor authentication
- Enable risk-based multi-factor authentication challenges
Password Guidance for Users
- Don't use a password that is the same or similar to one you use on any other websites
- Don't use a single word, for example, password, or a commonly-used phrase like Iloveyou
- Make passwords hard to guess, even by those who know a lot about you, such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use.
- Participate in annual employee security training
NIST is responsible for developing information security standards and guidelines that all federal agencies must follow, and that most other industries use to define their standards as well. NIST Special Publication (SP) 800-63-3, Digital Identity Guidelines, introduces a new approach designed to improve password security. It encourages easy-to-remember but hard-to-guess passwords, which are referred to as memorized secrets. Many were shocked to learn that this new standard eliminates many of the complexity requirements of the past.
This new Digital Identity guideline drastically changes the recommendations for password best practices, suggesting memorized secrets should be random, and therefore impractical for an attacker to guess. Since a memorized secret (something you know) can be stolen, it also requires multi-factor authentication as a second layer of security. Multi-factor authentication requires an authenticator app downloaded to your smartphone (something you have) to verify you are who you say you are, instead of accepting the password alone.
The new guidelines demonstrate an understanding of the human element and introduce a policy that is more realistic for users to follow. Below is a summary of the top recommendations detailed in the 74-page document:
- Require Multi-factor Authentication
- Password length should be a minimum of 8 characters but less than 64 characters
- All special characters (including space) should be allowed, but not required
- Eliminate knowledge-based authentication (e.g. what is your mother's maiden name?)
- Avoid Personal Information including name, important dates, pets, etc.
- Compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
  - Passwords obtained from previous breach corpuses
  - Dictionary words
  - Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
  - Context-specific words, such as the name of the service, the username, and derivatives thereof
- Eliminate Mandatory Password Changes unless there is evidence of compromise of the password
- Use approved encryption and an authenticated protected channel when requesting memorized secrets
- Limit the number of failed login attempts
- Enable copy and paste functionality in password fields to promote the use of Password Managers
- Require end user training
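The following is an added example, not code from NIST, Microsoft or the author of this article. It implements, in Python, the memorized-secret rules that both the Microsoft administrator policy and the NIST summary above call for: an 8 to 64 character length check, no composition rules (spaces and all printable characters accepted, only control characters refused), a blocklist check standing in for a breach corpus and common-password list, detection of repetitive or sequential runs, rejection of context-specific words derived from the username and the service name, and a per-account limit on failed login attempts. The blocklist entries, the service name ExampleCorp and the sample account names are constructed for the demo.

```python
import re
import unicodedata
from collections import defaultdict

# Length bounds from the NIST summary above (8 minimum, 64 maximum).
MIN_LEN = 8
MAX_LEN = 64

# Constructed stand-in for a breach corpus / common-password list. A real
# deployment loads this from a file or service rather than hard-coding it.
BLOCKLIST = {
    "123456", "123456789", "qwerty", "password", "password1",
    "iloveyou", "letmein", "welcome1",
}

# Context-specific word: the service's own name (constructed for the demo).
SERVICE_NAME = "ExampleCorp"


def normalize(secret):
    # Apply Unicode NFKC so visually identical input compares (and hashes) equally.
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret, run=4):
    """True for runs such as 'aaaa', '1234' or 'dcba' of length >= run."""
    lowered = secret.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), lowered):   # same character repeated
        return True
    for i in range(len(lowered) - run + 1):
        chunk = lowered[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):      # strictly ascending or descending code points
            return True
    return False


def context_words(username):
    """Username, its local part (with digits stripped) and the service name."""
    local = username.split("@")[0].lower()
    words = {username.lower(), local, re.sub(r"\d+", "", local), SERVICE_NAME.lower()}
    return {w for w in words if len(w) >= 3}   # ignore fragments too short to matter


def check_secret(secret, username):
    """Return the list of reasons a proposed secret is rejected ([] means accepted)."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too short")
    if len(s) > MAX_LEN:
        reasons.append("too long")
    # No composition rules: spaces and all printable characters are allowed;
    # only Unicode control characters (general category C*) are refused.
    if any(unicodedata.category(c).startswith("C") for c in s):
        reasons.append("control characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        reasons.append("in blocklist")
    if is_repetitive_or_sequential(s):
        reasons.append("repetitive or sequential")
    for word in sorted(context_words(username)):
        if word in lowered:
            reasons.append("contains context word '%s'" % word)
            break
    return reasons


class LoginThrottle:
    """Per-account limit on failed authentication attempts within a time window."""

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(list)   # username -> timestamps of failures

    def is_locked(self, username, now):
        recent = [t for t in self._failures[username] if now - t < self.window_seconds]
        self._failures[username] = recent    # drop failures that fell out of the window
        return len(recent) >= self.max_failures

    def record_failure(self, username, now):
        self._failures[username].append(now)

    def record_success(self, username):
        self._failures.pop(username, None)   # a good login clears the counter


if __name__ == "__main__":
    user = "alice@examplecorp.com"           # constructed sample account
    for candidate in ["password1", "Alice2019!", "ilrotbits@7", "correct horse battery staple"]:
        print(repr(candidate), "->", check_secret(candidate, user) or "accepted")
```

check_secret returns every reason it finds rather than stopping at the first, so the enrollment form can tell the user exactly why a choice was refused, which is what makes a no-composition-rules policy workable. The throttle is kept separate from the checker because it belongs at the verifier, not at enrollment; the caller asks is_locked before attempting verification and records the outcome afterwards.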
The Department of Homeland Security has published a Creating a Strong Password tip card to help users protect themselves online. This is one of many resources the Department of Homeland Security has made available as part of its Stop | Think | Connect campaign. There are steps you can take to minimize your chances of an incident. Simple tips include:
- Make your password eight characters or longer
- Use a passphrase, then add in some punctuation and capitalization
- Don’t make passwords easy to guess
- Do not include personal information, such as your name or pets’ names, that is easy to find on social media
- Avoid using common words in your password
- Substitute letters with numbers and punctuation marks or symbols
- Get creative. Use phonetic replacements, such as “PH” instead of “F”. Or make deliberate, but obvious misspellings
- Never share your password
- Watch for attackers trying to trick you into revealing your passwords through email or calls
- Unique account, unique password. Use different passwords for different accounts
- Use stronger authentication when available, especially for accounts with sensitive information including your email or bank accounts
Visit www.lockdownyourlogin.com for more cybersecurity information from the Department of Homeland Security.
What is an example of a good password?
All of the experts recommend avoiding dictionary words and personal information such as your name, the names of family members or pets, and important dates. Social media provides hackers with a wealth of information about you, all of which will be used to try to crack your passwords. So, what are good password ideas? If common words are bad, then RANDOM is the key to creating a strong password!
Create a Random Passphrase for the most robust security
The best strategy for a strong password is to create a random passphrase that you do not share with anyone. For example, think of a random sentence, such as "I love running on the beach in the summer", and create your password from the first letter of each word: ilrotbits.
To make it even stronger, simply make one letter capital, or add a number or special character. Pick one, or two, but you don't have to use all options: ilrotbits@7
You get the idea; the options are endless! However, no matter how strong the password is, if a website is compromised, your password will be exposed. Therefore, you also need to implement multi-factor authentication so hackers can't gain access to your data even if they get their hands on your password. Think in terms of multi-layered security: make it very difficult and time-consuming for hackers to crack your password and they'll move on to an easier target.
Seriously consider using a Password Manager so you only have to remember one really strong password. Then, use the password generator provided by your password manager to create a unique password for all of your other sites.
Administrators should review the list provided by these three highly credible sources and enforce the recommended policies companywide. By addressing password policies at both the Administrator and End-User levels, the security of your organization will be drastically improved.
For more cybersecurity recommendations to improve your organization's cybersecurity policies, download the Ultimate Security Checklist.
Microsoft, Office 365 Password policy recommendations: https://docs.microsoft.com/en-us/office365/admin/misc/password-policy-recommendations?view=o365-worldwide
NIST, Authenticator and Verifier Requirements, 5.1 Requirements by Authenticator Type: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
Department of Homeland Security, Creating a Password Tip Card: https://www.dhs.gov/sites/default/files/publications/Best%20Practices%20for%20Creating%20a%20Password.pdf
The Ponemon Institute 2019 State of Password and Authentication Security Behaviors report: https://www.ponemon.org/news-2/87