Brief Note about Password Policies in State and Local Government
Employees and citizens expect their data and identity to be protected through secure, reliable, and advanced technology when it comes to their interactions with their state and local government. As the novel coronavirus shuts down more offices and pushes more employees to work from home, state and local government need to prioritize implementing new password policies that secure the digital workforce.
While working with many state and local government entities, we've noticed many common iterations of what tends to happen with password management.
- Users tend to make simple passwords (e.g. password123) since it is easy to remember, but these tend to be high risk as 80% of all data breaches involve stolen passwords.
- Users create stronger passwords with special characters and numbers but tend to forget them, requiring IT Help Desk Support and slowing down workflows.
- A user could be coming back from vacation and forget their password.
Generally speaking, many of the state and local government bodies we have worked with fall under the 2nd category. While we know passwords are an important security factor, many state and local government bodies need to look at these best practices to improve their password policies.
Password Policy: Best Practices
We can start with one of the more popular options for building your password policy: Minimum Length. In any environment, implementing a password length policy is key to enforce strong passwords. Time and time again, length is the most important factor and simplest factor for improving password strength, and with more users having passphrases, increasing the minimum length is a good best practice for password policy.
While minimum length can range from 8 to 14 characters, we would limit the minimum length of your passwords to 10 to 12. This keeps things both simple and effective and pushes your users in the right direction without giving them password frustration.
As aforementioned, having passphrases or password phrases makes it easier for your user to remember passwords while having special characters, numbers, and fulfilling the minimum length requirement.
For example, the password: Brooklyncooks240pizzasaweek! is a good example that contains 28 characters that is easy to remember, but not easy to guess.
Removing Periodic Password Changes
Unfortunately, people are predictable. When faced with an obstacle, we will always try to find the simplest way around it, and users have the same mentality for routine password changes. As recommended by the National Institute of Standards and Technology (NIST), periodic password change requirements should be removed from ‘Best Practices’ due to the ill effect such requirements have on end-user behavior.
For the state and local government, routine password changes happen often, whether it be twice a year or once a quarter. When users have to change their password, they tend to lapse into formulaic approaches that weaken their password security, making it easier for hackers to predict and compromise data.
For most users, one year could be password123 and the next year would be password456, a simple iteration that many users are happy to employ. 'It's a job well done.', but if an attacker has compromised an old password, the first thing they would do is check if the new password matches any features like special characters or numbers.
At that point, having periodic password change requirements worsens the password security because not only can hackers easily predict the new password, but also your users will have a worse digital experience when changing their password.
Instead, we recommend minimum age as a password policy implementation. While it does require end-users to wait a certain amount of time before changing/resetting the password, it prevents them from blowing out password history, meaning they are unable to reset the password 20 to 30 times in quick succession.
Speaking of which, a solid Password History policy prevents users from decreasing authentication security, so users cannot reuse old passwords once they have been changed. Combining password history with minimum age further reduces the risk of account compromise, thus a stronger password policy.
Password History is a simple practice. Essentially, password history encompasses a list of remembered passwords that users cannot reuse, and also, it helps users ensure unique passwords without accidentally reusing a weak and potentially compromised password after a reset.
From a security perspective, this best practice reduces the risk of compromised passwords being utilized long after a data breach.
In terms of how many passwords the policy should remember is going to vary from one industry to another, but for the State and Local Government, we recommend a high number as a safe bet. Generally, most administrators set their Password History into the 20s, so this combined with the fact that password expiration is not happening as regularly, users should only be changing their password when it has been forgotten. Then, this forgotten password would not be allowed to be reused.
Flexible but Required Complexity Options
Password complexity options are the source of frustration for both users and administrators. Of course, while complexity options are never clear, simply put: complexity works.
Here's the thing though, complexity only works when it is implemented well. Users are easy to frustrate and hard to control, but it doesn't have to be that way. Flexibility is the key to consider when implementing password complexity options for your password policy. Users are more likely to fall in line when they can choose which rules to follow and which ones to ignore. Good thing too that Active Directory itself has been implementing flexibility for years now, because it works. By requiring users to adhere to 3 out of 4 complexity requirements, you give enough room to prevent rebellion. If password complexity requirements are implemented with the use of passphrases, users might not know that the complexity requirement exists, they meet it automatically.
Build a Better Password Policy for Your End-Users
Regardless of what password policies you implement, your users are the key factor to securing state and local government data. These best password policy practices are a guideline, not a group of rules to implement, and knowing what your users want is going to help you finalize the password policy as needed. Finding the balance between security and convenience is not easy, but it does not have to be difficult either.
If you keep the above guidelines when building your Password Policy, your users will be utilizing stronger passwords, but these days, passwords alone are not enough. Even with longer and more complex passwords, hackers find a way, especially as more hackers acquire more complex techniques that can break through the strongest of password security requirements.
If you implement a strong password with a well-integrated and flexible Identity Access Management (IAM) solution, you will be proving ease of access to your users while enhancing your cybersecurity infrastructure. PortalGuard is the IAM solution that puts you back in control, providing flexible Single Sign-On and authentication options that meet your security goals and deliver an optimized user experience.
Learn more about password security and how to make your password stronger with other authentication methods here.