Strengthening password policies is a major topic of debate these days. Various sources for best practices have peeked out from every corner, each spouting something new. While having options is a great thing in many cases, paralyzing users and admins over which ‘best practice’ is really best is another issue entirely. Instead, I will take a look at the facts behind strengthening password policies and let the chips fall where they may.
Of the many best practices for a strong password policy, three things often come up most: password length, overall complexity, and additional factors during authentication. Read on to see the pros and cons of each and make the best decision for your environment.
Length vs Complexity – Strengthening Password Policies the ‘Right’ Way
I want to be up front with you: The ‘right’ way is a myth.
Seriously, the only way to know what is ‘right’ is to account for every unique intricacy of a given environment. That is something that simple best practices simply cannot do. Instead, the ‘right’ way of strengthening password policies is going to depend on the tactics that can work, and on applying them appropriately to your situation.
The biggest variables come from password length and overall password complexity. Take a look at NIST’s Special Publication 800-63 and you’ll learn one very important thing: the industry is trending towards length over complexity. Understanding why this is happening is how you will know whether or not this trend will work for you.
Why not shoot for highly complex passwords?
An Auth0 blog covers the basic rationale concisely: users are often predictable. When limited to standard complexity requirements, users will often follow simple patterns that make attacking and cracking their login much simpler. However, with additional controls in place, such as enforcing a minimum number of different characters and requiring password changes less frequently, complexity can be enough for most environments. After all, ensuring passwords meet a high level of complexity is still a valid strategy – so long as end-user experience is taken into account.
End-users fall into poor security practices because enforcement is often too difficult to follow and maintain. Requiring password changes too often, for example, is more of a stressor than anything else. End-users will go to great lengths to avoid the mental anguish of updating a password too frequently. Here, it all comes down to knowing your audience. By making security more convenient, you make end-users more likely to adhere to strict policies. This, in turn, allows for better practices when it comes to password creation.
Longer passwords are better? Really?
The reason people tend towards length over complexity is that it is much simpler to enforce. It is also much simpler to adopt from an end-user perspective. This does not make longer passwords better from an objective standpoint. Rather, relying on longer passwords is often more practical for the standard end-user. After all, when you boil it right down, length is just another factor of complexity. It is easier to think of a long password – or pass phrase – than it is to come up with a new method of incorporating numbers and symbols.
Policies that focus primarily on length often opt for the term ‘pass phrases’ because of the literal and representative meaning behind it. If you ask an end-user to come up with a sentence or phrase as a password (grammar included), you are enforcing complexity without badgering the user. Phrases are easy to remember and, because they are longer, they are harder to crack by brute force.
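To make the “length is just another factor of complexity” point concrete, here is an added Python example (mine, not from the original post or from NIST or Auth0) that runs two constructed sample passwords through a composition-rule policy and a length-first policy and estimates each one's brute-force keyspace; the breach blocklist and the threshold values are assumptions chosen for illustration.

```python
import math
import string

# Constructed blocklist standing in for the breach-corpus screen that NIST
# SP 800-63B recommends; a real deployment checks millions of entries.
BREACHED_PASSWORDS = {"password", "password1", "p@ssw0rd", "letmein", "qwerty123"}

# Character classes used to size the brute-force alphabet; space is its own
# class so multi-word passphrases are credited for it.
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation, " ")


def keyspace_bits(pw: str) -> float:
    """Upper bound on brute-force cost: len(pw) * log2(alphabet size).
    Assumes uniformly random characters, so it overstates the strength of
    dictionary words and of substitutions like 'P@ssw0rd'; that is why the
    breach screen below matters more than this arithmetic."""
    alphabet = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def complexity_policy(pw: str, min_len: int = 8, min_distinct: int = 5) -> list:
    """Traditional composition-rule policy; returns the list of violations."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if len(set(pw)) < min_distinct:
        problems.append(f"fewer than {min_distinct} distinct characters")
    return problems


def passphrase_policy(pw: str, min_len: int = 15) -> list:
    """Length-first policy in the spirit of SP 800-63B: long, not known-breached,
    and no composition rules that push users toward predictable patterns."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breach list")
    return problems
```

Run against the constructed samples, "P@ssw0rd" satisfies every composition rule yet fails the breach screen, while the 28-character lowercase phrase "correct horse battery staple" fails three composition rules yet offers roughly two and a half times the keyspace bits.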
How about using 2FA when Strengthening Password Policies?
Using 2FA when strengthening password policies is the next logical jump. With 2FA, however, comes a high level of anxiety and stress on both the end-user and administrative side of things. Most people know that 2FA is a best practice for secure authentication, but the added requirements are also seen as inconveniencing the end-user in one way or another. While this may once have been the case, two-factor authentication has come a long way in recent years. Of all the various additions to security ‘best practices’ over the years, 2FA (or multifactor, in many cases) has shown the most staying power.
The results most often speak for themselves.
While not perfect, 2FA has the best chance of protecting a user account from being compromised by virtue of its existence. No matter how strong the password, dedicated attackers will often find a way to break through. With 2FA, they only hit another wall.
Many organizations will have differing opinions on which 2FA method is the best or the most secure. However, the founding principle is the same: 2FA is better than just a username and password. With that being said, that doesn’t mean it will be best for you.
My thoughts on Strengthening Password Policies
The ‘best’ way to move forward with strengthening password policies is to remember this: it always comes down to the user. User experience is what will make or break security in any environment. Your job is to know your end-users and be able to develop a strong foundation. Strengthening password policies requires that this foundation observes the obvious expectations and adds acceptable – but exceptional – security measures.
Balancing usability and security is never easy, but it doesn’t have to be complicated. Take a long look at who you are working with and move up from there. My advice for a strong password policy? Look at the ‘best practices’ and then look at your users. Don’t be afraid to push, and don’t be afraid to provide options for when something doesn’t quite mesh with what the user wants.
The best security comes from balancing both sides of the spectrum. If you want the best practices for strengthening password policies, that’s where you want to start. Still have questions? Then give us a call and let's chat!