Guide to best password policy
FastPass views on Password Policy
First, let us define what the term password policy covers.
At FastPass, password policy covers the combination of factors that includes password history, syntax, account lockout and user educating. We are trying to bring a holistic approach where educating users about how to treat their passwords and the syntax change and service desk processes go hand in hand. Leaving any of these out will expose a risk.
Below we have summed up the most important disciplines in this field.
It is essential to educate users that passwords are personal and must be kept secured. The password is not to be given to anyone, including the Service Desk, Managers, or other parties under any circumstances. Educating users to spot phishing emails, phishing messenger or phone attacks are vital in combination with the company policy on communication channels as a whole.
Corporate and private passwords should never be the same or be reused in any manner. Also, have a policy in place informing users in general terms where they should avoid using their passwords. Eg. Never enter your Windows account password into a webpage that does not have “COMPANY.COM” in the domain.
Notifying users when their password is changed is also a good practice. In these notifications, it is also possible to remind users about the general rules.
While PCI DSS recommends 90 days expiry other security people recommend 60 days, and NIST even suggests removing forced Password Expiry altogether.
FastPass recommends 6 months as the expiry. We think Password expiry will guard against:
- The fact that users use the same passwords for different systems - hence if you find an old password in a system you are likely to find a password that can be used elsewhere. Expiry helps avoid the threat of exposing your password history altogether.
- Some claim that users just add a number at the end of the password, but together with Password History requirements, the user will have to find another password if the history is long enough.
- Leaked passwords and the discovery of weak passwords should be part of password checking, preventing the user from creating a weak password. As weak passwords change over time, a password change from the user is needed to make sure the user’s current password is strong.
While some recommend at least a 12-character password length, FastPass recommends 10 characters as the minimum length. Again, the length itself is of no use if other parameters are not in place. 10 characters and a requirement of the use of at least 3 character types will ensure that the password is not easily hackable if a hash is obtained. Using Active Directory 3 out of 5 types is ok. Requiring 4 types is however even better. When using 4 types we recommend to demand :
- Alphabetic lowercase letters
- Alphabetic uppercase letters
- Numeric characters (0–9)
- Special characters eg. ¤!”
Brute forcing is not a problem when account locking is in place.
Password History ensures there is no password reuse. This is considered of utmost importance. A user should not be able to reuse a password for several years. FastPass recommends a 3-year window. With users changing passwords 2 times every year, and a user forgetting 1 password every year the value suggested is 15. So, with 15 passwords remembered we should ensure that a normal user does not use the same password within a 3 year period. Using a tool that ensures at least 2 characters indifference from the last password will enhance security avoiding end-users that simply change a number in the password.
Avoid the most general passwords by implementing simple rules to get rid of the typical Password1, Abcde12345 etc. passwords. Combine this with a customized dictionary of company, product and branch words.
We think account lockout is very important to protect user accounts. It should be enabled and set to keep users out for at least 30 min. The number of attempts before being locked should be looked at together with the password requirements. If only a single character change in a password is required, then we recommend only 3 attempts before being locked. If 2 or more characters are required, the value could be raised to 6.
Self-Service Password Reset
Avoiding the manual password reset through the Service Desk is far more secure when you remove this task from service desk personnel. Having a system with a high enrollment rate is the key to making self-service successful.
Contacting the Service Desk to obtain a new password is another place where security needs to be implemented. With social engineering on the rise, we see this as a key area for improvement. The key points are:
- When issuing a password for an end-user the identity verification process must be a system process that cannot be bypassed, and the process must audit properly.
- The Service Desk operator should not have password reset privileges in AD, any password should be sent directly by a system.
At FastPass we think following the processes above makes password policy work and keeps your passwords secure. When reviewing our recommendations, remember that all the above points must be implemented together to have a policy be successful. Passwords are great for authentication they are cheap, easy to handle and safe when treated right. Please note that the same password policy need not apply to all users. An end-user having only access to email may not ned to live up to the same as the worker in finance.