Apr 01 · 6 min read
Passwords are omnipresent in our personal and business environments. An average person has around 100 passwords to remember for various accounts, and it is practically impossible to memorize unique, complex passwords for each of them. This leads to employees coming up with easy-to-remember passwords and reusing them for multiple accounts. Stolen, weak, or reused passwords are the top reasons for data breaches worldwide. It is up to the system administrators to ensure employees use strong and unique passwords for all their accounts.
Regulatory bodies and industry researchers publish information security guidelines to help organizations protect their passwords from cyberattacks. Some guidelines are industry-specific, and some others are industry-agnostic. But the objective of all the guidelines is to prevent cyberattacks and security breaches. Password security-related aspects find a place in almost all the guidelines. It makes sense to refer to these guidelines and adopt the best elements into your password policy, even if the guideline is not intended for your industry.
Password policy refers to the entire lifecycle of passwords - the way they are created, the complexity requirements, secure storage, safe transmission, periodic randomization, prompt deprovisioning, continuous monitoring, and more. In this blog, we try to introduce you to some of the most popular information security guidelines published and share the top 10 policy recommendations that we think every system administrator should implement in their organization.
National Institute of Standards and Technology is a non-regulatory agency of the United States Department of Commerce. It develops technology, standards, and best practices to ensure information security. NIST published its digital identity guidelines (NIST Special Publication 800-63B) in October 2017. Section 5.1.1 (Memorized Secrets) of the document talks about passwords and how they should be managed and stored. Although it is meant for federal agencies to meet regulatory compliance requirements, every organization can benefit from implementing these guidelines.
Key NIST password guidelines
The Payment Card Industry Data Security Standard (PCI DSS Version 3.2.1) is a set of requirements to ensure sensitive data is protected, privacy is maintained, and networking systems are robust enough to withstand cyberattacks. These requirements are published by the PCI Security Standards Council (PCI SSC), a global forum that brings together payment industry stakeholders to develop and drive the adoption of data security standards and resources for safe payments worldwide. PCI standards aren't specific to any one country or organization but rather function as a global set of standards that everyone can adhere to. Requirements 2 and 8 of the document cover password requirements for logging into cardholder data environments.
Key PCI-DSS password guidelines
ISO/IEC 27002:2013 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is designed to be used as a reference for selecting security controls within the process of implementing an Information Security Management System (ISMS). Sections 9.2, 9.3, and 9.4 of the document talk about password guidelines to prevent unauthorized access to systems and applications.
Key ISO/IEC 27002 password guidelines
CIS Password Policy Guide's objective is to be a single comprehensive password policy that can serve as a standard wherever a password policy is needed. It was published by the Center for Internet Security (CIS), a non-profit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyber defense.' They are responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data.
Key CIS Password guidelines
NERC Critical Infrastructure Protection (NERC-CIP) is a set of standards that specifies the minimum security requirements for bulk power systems. It was published by the North American Electric Reliability Corporation (NERC), a non-profit international regulatory authority whose responsibility is to safeguard the reliability of the North American bulk power systems. Table R5 in the CIP-007-6 - Systems Security Management document talks in detail about the password policy requirements for power system operators.
Key NERC CIP Password guidelines
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. The HIPAA Security Rule describes how organizations must protect electronic protected health information (ePHI). HIPAA password requirements come under the Administrative Safeguards of the HIPAA Security Rule.
HIPAA Security Rule requires that organizations must implement procedures for creating, changing, and safeguarding passwords. It also recommends training the workforce on ways to safeguard password information and establish guidelines to create and change passwords in a periodic cycle.
HIPAA doesn’t offer any specific password complexity guidelines. To comply with HIPAA, organizations are better off following NIST password guidelines.
Based on these guidelines, here is a compilation of the top 10 password policy recommendations:
Hackers use methods like brute force attacks to gain access to accounts. In a brute force attack, a program tries all possible combinations of letters, numbers, and symbols until the correct one is found. Every additional character multiplies the number of combinations, so the time it takes to crack a password grows exponentially with its length. Adding numbers, symbols, and upper- and lowercase letters enlarges the character set and makes the password much harder to brute force. Thus a long, complex password is more secure.
Try to make your passwords a minimum of 12 characters and spice them up with numbers, symbols, and mixed-case letters.
This chart, created by Hive Systems with data sourced from HowSecureIsMyPassword.net, shows how long it would take a hacker to "brute force" their way into your account, depending on the length of your password and the types of characters included.
When large-scale data breaches occur, email addresses and passwords are often leaked online. If you reuse credentials across multiple accounts and one of them gets compromised, hackers can easily access your other accounts as well. When you pick a unique password for each account, even if hackers have credentials for one of your accounts, the rest of your accounts will remain secure. Also, avoid modifying and reusing the same passwords with a prefix or suffix (e.g., password1, password2).
Many people use names, birthdays, phone numbers, and other personal details in their passwords. While these are easy to remember, such data are readily available online and accessible to hackers. Use random combinations of uppercase letters, lowercase letters, numbers, and special characters to increase your passwords' complexity and reduce the risk of a potential breach.
These days, we witness massive credential spills almost daily. Whenever such an incident is reported, if you have ever held an account with the victim organization, immediately change the password you used there.
Passwords exposed in data breaches worldwide are publicly available as data dumps. Users are often unaware that their passwords have been exposed in credential-spilling attacks. If a breached password remains in use, it can lead to a spate of cyberattacks. Products like Securden Password Vault for Enterprises proactively and periodically scan these dumps and check whether any password stored in the product matches one exposed in a known data breach.
One of the key recommendations in the NIST SP 800-63B password guidelines is to compare a prospective password against a list of values known to be commonly used, expected, or compromised whenever a password is set or changed. As mentioned above, products like Securden Password Vault for Enterprises can help you do this with ease.
When you share a username and password with someone over email or text, even if that person does not pass it on to anyone else, your credentials can be exposed if their email account or device gets compromised. Use secure methods like password managers to share passwords.
Organizations should ensure that end users do not recycle old passwords. The policy should enforce a minimum password age. Otherwise, end users could change their password multiple times within a few minutes and return to their previous password.
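As an added illustration, not code from the original post or from Securden, here is a small Python policy checker that enforces recommendations 1 through 7 above: minimum length and character classes, no personal details, a lookup against a breached-password list (the SP 800-63B comparison described above), rejection of recycled or trivially modified previous passwords, and a minimum password age. The sample breached list, the 24-hour minimum age and the function names are assumptions.

```python
import hashlib
import re

MIN_LENGTH = 12          # recommendation 1: at least 12 characters
MIN_AGE_HOURS = 24       # recommendation 7: minimum password age (assumed value)
CHAR_CLASSES = {         # recommendations 1 and 3: mixed case, digits and symbols
    "lowercase": r"[a-z]", "uppercase": r"[A-Z]",
    "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
}

# Constructed sample of a breached-password list (not real dump data). Public dumps are
# usually distributed as SHA-1 digests, so the check hashes the candidate and looks it up.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "Welcome2021!", "qwerty123456")}


def _core(password: str) -> str:
    """Strip up to three leading/trailing non-letters so password1 and password2 compare equal."""
    stripped = re.sub(r"^[^A-Za-z]{0,3}", "", password)
    return re.sub(r"[^A-Za-z]{0,3}$", "", stripped).lower()


def check_password(new, previous=(), personal=(), hours_since_change=None):
    """Return the list of policy violations for a proposed password (empty list == accepted).

    previous: earlier passwords of the account (recommendation 7)
    personal: names, birthdays, phone numbers etc. that must not appear (recommendation 3)
    hours_since_change: hours elapsed since the last change, or None if unknown
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pat in CHAR_CLASSES.items() if not re.search(pat, new)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if any(item.lower() in new.lower() for item in personal if len(item) >= 4):
        problems.append("contains personal information")
    if hashlib.sha1(new.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known data breach")
    core_new = _core(new)
    if any(new == old or (core_new and core_new == _core(old)) for old in previous):
        problems.append("reuses or trivially modifies a previous password")
    if hours_since_change is not None and hours_since_change < MIN_AGE_HOURS:
        problems.append("changed too recently (minimum password age not met)")
    return problems
```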
You need to keep track of your team's compliance with the password security policy. Periodic audits help you to ensure password policy compliance and also to identify and change weak passwords.
Multi-factor authentication provides an extra layer of security. It requires at least two of the following factors to access an account: something you know (a password), something you have (a device or app that generates a one-time code), and something you are (a fingerprint). Always use multi-factor authentication when available. https://twofactorauth.org is a good reference point.
Maintaining an Excel sheet or writing passwords down on a sheet of paper are dangerous ways to store them. The most effective solution for maintaining overall password hygiene is to use a password manager. A password manager helps you create strong passwords based on the best practices mentioned above and store them securely.
Though implementing these recommendations alone won't make you compliant with the regulations mentioned above, they serve as a good starting point for ensuring information security.
While creating a strong password policy is important, you also need the right tools to implement the policy without any gaps across your organization. With Securden Password Vault for Enterprises, you can define a policy specifying the password strength and complexity requirements, periodicity for password resets, and other conditions. Once you define the policy, Securden helps in enforcing the policy in a fully automated fashion.
You can create any number of custom policies or use the predefined policies and assign them for different account types at a granular level. For example, you can enforce one policy for Windows servers, another policy for databases, and a different one for web accounts.
After defining policies, you can track the compliance status at the organization level. Securden offers actionable reports that show violations and the remedial measures that need to be taken.
Securden also helps you periodically check whether any of the stored passwords match passwords uncovered in known data breaches. Whenever an unsafe password is detected, administrators, auditors, the respective account owners, and other specified users can be alerted through email notifications.