There was a game show in the 60’s called Password where celebrity guests and contestants tried to guess an answer based on a one-word clue given by an announcer who said “the password is”, followed by the word. If you’re following some traditional password steps, the password is…wrong.
I read an article about password best practices which referenced an article from Microsoft on Password policy recommendations for Microsoft 365 passwords. Since October is Cybersecurity Awareness Month, it seems like a timely topic!
The best illustration of password best practices is provided in the section “Password guidelines for administrators”, which has these seven guidelines:
- Maintain an eight-character minimum length requirement
- Don’t require character composition requirements. For example, *&(^%$
- Don’t require mandatory periodic password resets for user accounts
- Ban common passwords, to keep the most vulnerable passwords out of your system
- Educate your users to not reuse their organization passwords for non-work related purposes
- Enforce registration for multi-factor authentication
- Enable risk-based multi-factor authentication challenges
Guidelines 2 and 3 might surprise you. After all, don’t the most secure systems require a password that includes a special character? And don’t they require periodic password resets?
Those practices actually have negative impacts, according to Microsoft.
Regarding the use of special characters, Microsoft says this:
“Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cybercriminals know this, so they run their dictionary attacks using the most common substitutions, “$” for “s”, “@” for “a,” “1” for “l”. Forcing your users to choose a combination of upper, lower, digits, special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.”
Regarding password resets, Microsoft says this:
“Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.”
Makes sense. The password is…wrong – if you use those practices.
In the article, Microsoft also discusses some successful patterns associated with encouraging password diversity, including the recommendation to “ban common passwords”, which would have helped this company avoid their recent data hack.
A few years ago, NIST updated their password guidelines to focus on password length instead of special characters and periodic password changes, recommending a minimum of 8 characters and recommending that systems permit passwords of up to 64 characters(!).
That may seem daunting, but cartoonist Randall Munroe calculated that it would take 550 years to crack the password correct horse battery staple (all written as one word), while the password Tr0ub4dor&3 could be cracked in three days. As Munroe noted: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
So true. Now if we can just train all those systems and organizations to adjust their 20-year-old thinking.
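As an added illustration (not code from the article, Microsoft or NIST), here is a small Python checker that applies the guidelines above: an 8-character floor, a 64-character ceiling, a ban list that undoes the “$” for “s”, “@” for “a”, “1” for “l” substitutions Microsoft describes, and deliberately no composition rule, shown beside the legacy composition rule it replaces. It also reproduces Munroe’s 550-years versus three-days comparison from his roughly 44-bit and 28-bit entropy estimates at 1000 guesses per second; the ban list, substitution map and guess rate are constructed assumptions.

```python
import math

# Constructed sample ban list: common passwords plus dictionary words. A real
# deployment loads a large breached-password list; these values are made up.
BANNED = {"password", "12345678", "qwerty", "letmein", "welcome", "summer", "troubador"}

# The substitutions the Microsoft quote calls out ("$" for "s", "@" for "a",
# "1" for "l"), plus the digit-for-letter swaps seen in Tr0ub4dor&3.
LEET = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e", "4": "a"})

def normalize(pw):
    """Strip trailing digits/symbols, then undo leet substitutions, so that
    'P@$$w0rd' and 'Tr0ub4dor&3' are recognised as banned dictionary words."""
    return pw.rstrip("0123456789!@#$%^&*").lower().translate(LEET)

def legacy_composition_check(pw):
    """The rule the article argues against: upper + lower + digit + symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

def check_password(pw, banned=BANNED):
    """Microsoft/NIST-style check: 8-char floor, 64-char ceiling, ban list,
    and deliberately no composition requirement. Returns (ok, reasons)."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    if pw.lower() in banned or normalize(pw) in banned:
        reasons.append("matches a banned common password")
    return (not reasons, reasons)

def passphrase_bits(words, dictionary_size=2048):
    """Entropy of a passphrase of random words (Munroe's ~11 bits per word)."""
    return words * math.log2(dictionary_size)

def seconds_to_crack(bits, guesses_per_sec=1000):
    """Time to exhaust the keyspace at Munroe's 1000 guesses/second assumption."""
    return 2 ** bits / guesses_per_sec

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple", "P@$$w0rd"):
        print(pw, "legacy:", legacy_composition_check(pw), "modern:", check_password(pw))
    print("4-word passphrase: %.0f years" % (seconds_to_crack(passphrase_bits(4)) / 31_536_000))
    print("Tr0ub4dor&3 (~28 bits): %.1f days" % (seconds_to_crack(28) / 86_400))
```

Note that the legacy rule accepts P@$$w0rd and rejects correcthorsebatterystaple, while the guideline-based check does the opposite.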
So, what do you think? Do you find that the password is…wrong in your systems? Please share any comments you might have or if you’d like to know more about a particular topic.
Image Copyright © Mark Goodson-Bill Todman Productions
Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
Excellent summary and link, very informative as your posts always are…thanks, Doug.