As an administrator, you are responsible for establishing the password policy for your organization’s users. Setting up a password policy can be difficult and confusing, and this article offers suggestions to help your organization become safer against password attacks.
Recognizing password recommendations
Good password practices can be divided into several categories:
- Withstanding common attacks:
- This includes deciding where users enter passwords (known and trusted devices with effective virus detection, validated sites) as well as for deciding what password to use (length and uniqueness).
- Preventing successful assaults:
- Containing successful hacker assaults entails limiting exposure to a specific service or averting damage entirely if a user’s password is compromised. For example, ensuring that a compromise of your social networking credentials does not expose your bank account, or not allowing a poorly protected account to accept reset links for a critical account.
- Recognizing Human Nature:
- When challenged with typical human impulses, many valid password schemes fail. Understanding human nature is crucial since studies show that practically every rule you place on your users affects the quality of their passwords. Password length requirements, special character requirements, and password change requirements all result in password normalization, making password guessing and cracking simpler for attackers.
Administrator password policies
Password diversity is the fundamental purpose of a more secure password system. You want your password policy to include a variety of unique and difficult-to-guess passwords. Here are some suggestions for making your organization as secure as possible.
Maintain a minimum character length of 8 characters.
There are no requirements for character composition. For instance, *&(percent $
Password resets for user accounts should not be required regularly.
Disallow common passwords to avoid exposing your system to the most vulnerable passwords.
Teach your employees not to use their company passwords for anything other than work.
Make multi-factor authentication mandatory by requiring registration.
Enable multi-factor authentication challenges based on risk.
Password guidance for your users
Here’s some passwords advice for your company’s users. Make sure your users are aware of these suggestions, and that the recommended passwords policies are enforced at the corporate level.
Don’t use a passwords that’s the same as or similar to the one you’ve used on other sites.
Don’t use a single word, such as passwords, or a well-known phrase like Iloveyou.
Use passwords that are difficult to guess. Even for people who know a lot about you, such as your friends and family’s names and birthdays, your favorite bands, and phrases you like to use.
Some frequent strategies and their drawbacks
Despite the fact that they are some of the most extensively used password management approaches, research has revealed that they have negative repercussions.
Expiration dates for user password
Password expiration dates cause more harm than benefit because they drive users to create predictable passwords comprised of consecutive words and numbers that are tightly related. In some cases, the future passwords may be predicted based on the prior password. Passwords expiration restrictions give minimal benefit in terms of containment since cybercriminals almost always use credentials as soon as they breach them.
Long passwords are required.
Passwords length constraints (more than around 10 characters) might lead to predictable and unpleasant user behavior. Users who are forced to use a 16-character password, for example, may pick repeating patterns such as fourfourfourfour or passwordpassword. They match the character length requirement but are not difficult to guess. Furthermore, length restrictions raise the likelihood that users would engage in additional risky habits. Such as writing down their passwords, reusing them, or keeping them unencrypted in documents. We advocate retaining a modest 8-character minimum length limit to encourage people to think about creating a unique password.
Requiring the use of multiple character sets
Passwords complexity requirements limit keyspace and force users to behave predictably, causing more damage than good. Most systems require some amount of passwords difficulty. Passwords, for example, need characters from all three of the following categories:
uppercase letters
lowercase letters
non-alphabetic characters
Most individuals follow a similar pattern, such as a capital letter in the first slot, a symbol in the last, and a number in the final two. Because cybercriminals are aware of this, they conduct dictionary attacks utilizing the most popular replacements, such as “$” for “s,” “@” for “a,” and “1” for “l.”. Forcing your users to select an upper, lower, digit, or special character has a bad impact. Some complexity requirements even hinder users from using secure and memorable passwords. It forces them to choose passwords that are less secure and less memorable.
Successful Patterns
In contrast, here are some suggestions for promoting passwords diversity.
Common passwords should be avoided.
To limit your organization’s susceptibility to brute force passwords attacks, the most significant password requirement you should impose on your users when creating passwords is to prohibit the usage of popular passwords. Passwords commonly used by users include abcdefg, password, and monkey.
Educate users not to reuse organization password elsewhere.
One of the most crucial things to send to your organization’s users is to not reuse their organization’s passwords anyplace else. The usage of company passwords on external websites considerably increases the possibility that these credentials may be compromised by cybercriminals.
Enforce registration using Multi-Factor Authentication.
Make sure your users’ contact and security information are up to dates. Such as an alternate email address, phone number, or device registered for push notifications. So they can respond to security challenges and be notified of security events. Users can prove their identity if they forget their passwords or someone else tries to take over their account if their contact and security information is up to date. It also provides an out-of-band notification channel for security events such as login attempts or passwords changes.
Set up multi-factor authentication for more information.
Allow for risk-based multi-factor authentication.
When our system identifies suspicious behavior, risk-based multi-factor authentication guarantees that the user is challenged to prove that they are the actual account owner.