In pursuit of a modern password policy

The phrase “convenience shouldn’t trump security” sounds good. It carries the weight of authority, of someone who is taking a stand to do the right thing, and in most cases they are. Problem is, outside of a high security setting, inconveniencing users tends to make things less secure.

The classic example: An IT department implements a high complexity password requirement. Numbers, letters, uppercase, lowercase, symbols, all that jazz. Policy in place, IT tells management “We’re more secure”, ignoring the fact that most users are now writing their passwords down on sticky notes and putting them under their keyboard.

Someone from security will go around and occasionally wag their finger at users telling them they are stupid for writing their password down. Users will momentarily stop writing down their passwords, password reset calls to the helpdesk will spike, and then users will go back to writing down their passwords. Rinse & repeat, over and over again.

“$p4rkY_&bT” is harder to crack than “Bobby”, and corporate-wide use of complex passwords guards against certain kinds of attacks, but it opens doors to others. A disgruntled coworker staying late, flipping everyone’s keyboards, and using their passwords to metaphorically burn the business to the ground is a far more likely scenario than scary internet hackers trying to brute-force end-user passwords.

Most businesses gravitate to a standard password policy that’s based more on culture and audit compliance than real world efficacy. It tends to look like:

  • 8 character minimum
  • A mix of symbols, uppercase, lowercase, and numbers
  • 90 day expiration

In certain contexts, this is absolutely the right policy, but it is the wrong fit for most. It’s based on outdated assumptions: that the most common threats are external, that stale passwords are a common attack vector, and that a blanket policy is best. Here are some different approaches.

Passphrases, vaults, and pins

It’s no longer novel to use passphrases (strings of words, usually 16 characters or more) instead of passwords. An XKCD comic from several years back helped popularize them and highlighted their strength versus traditional complex passwords. The technical advantage isn’t as large as it once was, because cracking tools now run dictionary and combinator attacks that try sequences of common words directly, and it depends on how the phrase was made: four words picked at random from a 7,776-word list is about 52 bits of entropy and five words about 65 bits (roughly a random 10-character password), while a phrase a user composes from familiar words is weaker than that. The ease of memorization remains, though.

“popcorntreefortunicorn” or “thereisacowinmyfrontyard” are both easier to remember than a complex string like “4_%Ca*f2(k” and less likely to be written down or forgotten.

Using a password vault like 1Password is a better option in general, as it allows you to still use complex passwords and not have to remember them, but user adoption and support keep vaults from gaining widespread use in businesses – vaults are hard to scale. Depending on your user base, passphrases may remain the better option.

The future of authentication is being driven by mobile and largely does away with passwords. Windows 10 supports PIN login (Windows Hello) that functions much like an iPhone. The user proves presence with a short PIN or a biometric (fingerprint, face recognition, etc.), which never leaves the device; what it unlocks is a private key protected by a dedicated secure chip (the TPM), and that key is what authenticates the user to the machine. From there, authentication to different apps and services can be claims-based, through a federation standard like SAML (FIDO standardizes the device-bound credential itself rather than the claims). Usernames and passwords may need to be occasionally re-entered to refresh an authentication token, but day-to-day, users won’t be typing in many passwords.

The PIN is bound to the device: it only unlocks the key on that one machine, so a PIN that is shoulder-surfed or leaked can’t be used to log in remotely.

What about expiry? Everyone hates setting up a new password every three months. Expiry breaks apps tied to service accounts and drives end-user helpdesk calls. So why do we force passwords to expire several times a year? Because reasons?

There’s no good reason to expire passwords every 30, 90, or 120 days. It’s not an effective countermeasure; it just causes problems. If an attacker gets access to corporate passwords, they aren’t going to sit on them, they’re going to use them almost immediately, or sell them to someone who will. A stale credential is only a risk when a compromise has gone unnoticed, and a calendar timer is a poor way to detect that; what works is resetting the password when there is evidence of compromise. Luckily, government agencies and standards bodies are now stepping up to the plate to say so: NIST SP 800-63B drops periodic expiry and calls for a forced change only on evidence of compromise, and the UK’s NCSC gives the same advice.


No password policy can keep passwords from being compromised, especially when applied to humans. Multi-factor authentication helps though and is no longer optional. Using a soft token app on a device secured by biometrics (think fingerprint locked iPhone) as well as a password is an easy way to boost your security posture.

Multi-factor tools aren’t as difficult to manage as they once were. Solutions like Duo and Yubikey are simple to add and companies like Microsoft and Okta are building multi-factor directly into their product suites.
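As an added illustration (not code from the original post or from any of the products named), here is the verifier side of a soft-token check, assuming the app implements RFC 6238 TOTP, which is what the common authenticator apps do. The secret, user names and clock values are made up for the example; the point is the two checks a careless implementation skips: a small clock-skew window, and refusing a code that has already been accepted.

```python
import hashlib
import hmac
import struct
import time

# Verifier side of an RFC 6238 soft-token check (assumed TOTP, HMAC-SHA1,
# 30-second steps, 6 digits: the defaults most authenticator apps use).
TIME_STEP = 30
DIGITS = 6
SKEW_STEPS = 1  # accept one step either side of "now" to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // TIME_STEP, digits)


class TotpVerifier:
    """Checks submitted codes and refuses replays of a code already accepted."""

    def __init__(self):
        self._last_step = {}  # user -> time step of the last accepted code

    def verify(self, user: str, secret: bytes, code: str, unix_time=None) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        now = int(time.time()) if unix_time is None else unix_time
        current = now // TIME_STEP
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            # A step at or before the last accepted one is a replay (or older
            # than something already used), so it is never accepted again.
            if step <= self._last_step.get(user, -1):
                continue
            if hmac.compare_digest(hotp(secret, step), code):
                self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 appendix test secret; a real secret is random and per user.
    demo_secret = b"12345678901234567890"
    v = TotpVerifier()
    print(v.verify("alice", demo_secret, totp(demo_secret, 59), unix_time=59))  # True
    print(v.verify("alice", demo_secret, totp(demo_secret, 59), unix_time=59))  # False: replay
```

The skew window is why a phone whose clock is a few seconds off still works; the replay check is why a code an attacker phishes and submits a moment after the user does not.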

Right now, the most popular methods of multi-factor auth are biometrics (fingerprints), tokens/certs (YubiKey), and SMS. SMS is the weakest of the three: codes can be intercepted by SIM-swapping the victim’s number, and NIST SP 800-63B now restricts its use, so treat it as a stopgap for users who have nothing better rather than the target state. Challenge questions are on the way out. They face the same issues as passwords and can be compromised using the same methods, and the answers are often guessable or findable on social media. From a support perspective, if a person can’t remember a password, they are probably going to have issues remembering the answer to a challenge question.

Behavior will be the next big thing in multi-factor auth. Behavioral analytics tools like Exabeam can be used to create risk profiles for user activity and trigger actions based on risky or out-of-the-norm behavior. Geo-fencing is the simplest form of behavioral MFA – “Are you logging in from somewhere you aren’t normally, like southeast Asia?”

As these tools develop they’ll be able to look deeper into the actions performed with each app a user logs into and match them to a threat profile.

“User (based in Minnesota) logged on from the UAE, downloaded 4 gigs of data from Box, then sent e-mails with attachments to several blacklisted countries.”

“Something you do” is being added to the authentication triad of “Something you are, something you have, or something you know.”
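The geo-fencing check described above, written out as an added example over constructed log lines (this is not Exabeam’s logic or code from the original post): each successful login is compared with the countries the same user has logged in from during the last 30 days, and a login from a new country, or from two different countries within a few hours, raises an alert. The log format, thresholds and user names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): timestamp, user, country, outcome.
SAMPLE_LOG = """\
2017-03-01T08:02:11Z bob US success
2017-03-02T08:15:40Z bob US success
2017-03-03T07:58:03Z bob US success
2017-03-03T09:10:22Z alice US success
2017-03-04T03:30:00Z bob AE failure
2017-03-04T03:41:09Z bob AE success
2017-03-04T04:05:17Z bob AE success
2017-03-04T08:00:00Z bob US success
"""

BASELINE_DAYS = 30        # how far back "where does this user normally log in from" looks
TRAVEL_WINDOW_HOURS = 6   # two countries inside this window is flagged as implausible travel


def parse_log(text):
    """Return (time, user, country, outcome) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country, outcome))
    return sorted(events)


def geo_anomalies(text):
    """Return [(time, user, reason)] for successful logins that break the user's geo baseline."""
    last_seen = defaultdict(dict)  # user -> {country: time of last successful login}
    alerts = []
    for ts, user, country, outcome in parse_log(text):
        if outcome != "success":
            continue  # failed attempts don't move the baseline
        baseline = {c: t for c, t in last_seen[user].items()
                    if ts - t <= timedelta(days=BASELINE_DAYS)}
        # A brand-new user has no baseline yet, so the first login is not flagged.
        if baseline and country not in baseline:
            alerts.append((ts, user, f"login from new country {country}; baseline {sorted(baseline)}"))
        for other, t in baseline.items():
            if other != country and ts - t <= timedelta(hours=TRAVEL_WINDOW_HOURS):
                alerts.append((ts, user, f"{other} then {country} within {TRAVEL_WINDOW_HOURS}h"))
        last_seen[user][country] = ts
    return alerts


if __name__ == "__main__":
    for ts, user, reason in geo_anomalies(SAMPLE_LOG):
        print(ts.isoformat(), user, reason)
```

On the sample data bob’s first login from AE is flagged as a new country, and his login from US four hours after the last AE login is flagged as implausible travel; alice, with a single country in her history, produces nothing. A real deployment would feed the alert into a step-up MFA prompt rather than just a log line.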

Context and controls

End users and administrators should not fall under the same authentication policy. They are not operating in the same context and have access to different resources.

Following a policy of least privilege (least access), meaning users only exist in the systems they need and only have access to the minimum functionality necessary, goes a long way toward beefing up security. Paired with separation of duties, these soft controls are often more effective than a strong authentication policy.

Effective controls allow you to give your end users an easy-to-live-with password policy that matches the scope of impact. They can also guide sane password policies for admin users, who should have an easier time dealing with password vaults (like Thycotic or 1Password for Teams – Seriously, don’t use a spreadsheet.) and more strict MFA requirements.

If you’re worried about brute force attacks, lockout policy is far more effective than password complexity, with two caveats. Lockout only counters online guessing against the login page; it does nothing for an attacker who has stolen the hash database and cracks it offline, which is where length and the hashing algorithm matter. And a per-account lockout is sidestepped by password spraying, where an attacker tries one common password against every account, which is why a common-password blacklist matters as much as the threshold. Some businesses lock out with as few as 3 incorrect passwords, which is a bit too few, in my opinion, and also hands anyone who knows a username a cheap way to lock its owner out. Settling around 10 or so, counted within a window and with automatic unlock after a cool-down, feels more appropriate. If a user needs 4 attempts to login to get it right, maybe they are having a bad day. If they need 11, they’re either an idiot or someone malicious.

So what’s a modern password policy look like?

How about this:

For users

  • 14 character minimum, no complexity rules, but candidates are checked against a list of common and breached passwords (Password123456 and the like) and rejected
  • MFA required for off-network access and for critical apps
  • No password expiry
  • 10 attempts before lockout

For admins

  • 20 character minimum (or highly complex)
  • MFA required for all access
  • Yearly password expiry
  • 5 attempts before lockout
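To make the two profiles concrete, here is an added example (not the original post’s code) that enforces them: length and a common-password denylist with no complexity rules, plus a per-account lockout counter that forgets failures older than a window and unlocks automatically. The profile values come from the lists above; the window and cool-down lengths, the tiny denylist and the account names are assumptions made for the example. A real deployment would check against a breached-password corpus such as the Have I Been Pwned list instead of the handful of entries here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Profile:
    min_length: int
    lockout_attempts: int     # failures inside the window before the account locks
    lockout_window_s: int     # failures older than this are forgotten
    lockout_duration_s: int   # automatic unlock after this long


# Length and attempt counts from the two policies above; window and cool-down are assumptions.
USER_PROFILE = Profile(min_length=14, lockout_attempts=10, lockout_window_s=900, lockout_duration_s=900)
ADMIN_PROFILE = Profile(min_length=20, lockout_attempts=5, lockout_window_s=900, lockout_duration_s=1800)

# Stand-in for a breached/common-password list (constructed, deliberately tiny).
DENYLIST = {"password", "password1", "password123456", "letmein", "qwerty", "welcome", "iloveyou"}

# Substitutions people use to sneak a denylisted word past a naive exact-match check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e"})


def _normalized_forms(password: str):
    """Variants of the password that should all be compared with the denylist."""
    base = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", base)  # drop trailing digits/symbols: Password2019!
    for form in {base, stripped}:
        yield form
        yield form.translate(LEET)


def validate_password(password: str, profile: Profile) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < profile.min_length:
        problems.append(f"shorter than {profile.min_length} characters")
    # No character-class rules: length plus the denylist do the work.
    if any(form in DENYLIST for form in _normalized_forms(password)):
        problems.append("matches a common or breached password")
    return problems


class LockoutTracker:
    """Per-account lockout: N failures inside a sliding window lock the account for a cool-down."""

    def __init__(self, profile: Profile):
        self.profile = profile
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record(self, user: str, succeeded: bool, now: float) -> bool:
        """Record one attempt at time `now`; returns True if the account is locked."""
        if self.is_locked(user, now):
            return True
        if succeeded:
            self._failures.pop(user, None)  # a good login wipes the slate
            return False
        p = self.profile
        recent = [t for t in self._failures.get(user, []) if now - t <= p.lockout_window_s]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= p.lockout_attempts:
            self._locked_until[user] = now + p.lockout_duration_s
            self._failures.pop(user, None)
            return True
        return False
```

Note what the denylist normalization catches: “P@ssw0rd2019!” passes every classic complexity rule and is still rejected, while “$p4rkY_&bT” fails only on length. The sliding window is the part that keeps a 10-attempt threshold from becoming a denial-of-service lever: nine typos spread over a month never add up to a lockout.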

My goal isn’t to prescribe – everyone’s needs are different – but I do think it’s important to question established wisdom. If your team never revisits the “why” of things, they’ll always be protecting against the attacks of the past instead of what’s coming.

Image Credit: marc falardeau