7 Key Components of a Strong Password Policy

Traditional passwords are the most ubiquitous form of authentication. Even in the modern era, where biometrics and one-time passwords (OTPs) are available, this remains a fact. However, while popular, they are also the easiest to compromise. Millions of passwords are stolen daily, and it puts users and businesses at risk of cybersecurity incidents and breaches.

Thankfully, there are ways to mitigate risk and protect your assets and users. The best and easiest one is to implement a strong password policy for every member of your organization to adhere to. The ideal password policy should cover every vulnerability posed by traditional passwords. And we will tell you exactly how to do that.

Intelligent Technical Solutions (ITS) is a managed IT service provider (MSP) with a proactive cybersecurity mindset. What this means is we prioritize prevention rather than cure. We’ve helped many businesses stay protected and secure by teaching them proper password management, and we will do the same for you.

In this article, we’ll go over the following points: 

• Why passwords are still used in the modern era 
• 4 common password attacks 
• 7 components of a strong password policy 

 These should lead you toward better password security for your business. 

Why Passwords Continue to Persist in the Modern Era

The cybersecurity industry has always been big on eliminating passwords as a form of authentication. Big tech enterprises like Google, Apple, and Microsoft have collaborated to work toward a passwordless future. 

Experts are advocating for this shift because, to this day, passwords still pose the most considerable risk to cybersecurity. They’re easy to steal, hack, and guess, users rarely practice good password management, and businesses often fail to implement strong password policies. These factors can easily lead to breaches, especially considering that it only takes one weak password for a malicious actor to infiltrate a network.

However, despite its many drawbacks, passwords are here to stay, possibly for much longer than experts want. This is mainly because they are cheap and easy to implement, use, change, and remember. Moreover, passwords are fairly ubiquitous. Most sites and services require you to create one, and it won't be easy to shift away from this practice.

Additionally, the suggested alternatives are expensive and challenging to use. One such example and the most preferred replacement is MFA or multi-factor authentication. Less than 2% of the world's sites and services support this authentication form. Studies have also shown that users need more assistance using MFA.

We're still far from a passwordless future (and it may never come). As such, businesses need to understand the vulnerabilities of traditional password use. They must also learn to implement an adequate password policy to keep their assets and reputation safe. 

4 Common Ways Passwords Are Compromised

Passwords are easily compromised due to availability and simplicity. Here are the most common ways malicious actors get a hold of this information:

1. Theft

Theft is number one on the list of ways passwords get compromised, not only because it is easy but also because several methods are available. Millions of passwords are compromised each day through this type of password attack.

Passwords can be stolen in person as attackers record someone’s password as they punch it in or personally ask users for it. You’d think the latter wouldn’t work, but studies show that 40% of users are willing to give passwords away in exchange for small gifts.

In-person attacks, though effective, are small-scale. So, attackers use social engineering or malware installation tactics for large-scale operations. These methods are often used against businesses, with phishing among the top cybersecurity threats.

Other methods of password theft include:

• Lurking in unprotected Wi-Fi networks. 
• Stealing credential databases. 
• Getting them from publicly accessible sites or service codes.

2. Guessing

Password guessing is another type of attack that leads to great success. The high success rate is mainly because users typically create passwords around their interests, stick to default passwords, or use common passwords. These poor password-creation practices have led to millions of compromised accounts.

Attackers can also “guess” passwords through brute-force attacks like credential stuffing or credential cracking. Automation is used in these attacks as they try to match the right username and password to access an account.

3. Unauthorized resets and bypass

Unauthorized password resets are done by bypassing recovery methods set by websites and services. Links and codes sent to alternative emails can be intercepted or redirected to an attacker's account. Even password reset questions need to be more secure. Attackers can guess the answer on the first try 20% of the time, and 16% of answers can be found on a user's social media account. Bypassing these methods allows them to manage the reset attempt and take complete control of the account.

4. Hash theft and cracking

To understand hack theft and cracking, we first need to define “hash.” To hash means to convert passwords into random and unreadable strings of characters, which are then called hashes. Once converted, these passwords cannot be easily reverted to their original form.

Companies store hashes instead of raw passwords as a form of security since they cannot be read once stolen. However, attackers have found hash-cracking methods that have high reversion success.

Although not the most popular password attack, password hash theft and cracking still happen enough to cause concern from cybersecurity experts. 

7 Key Components to Include in Your Password Policy 

Password attacks are a huge threat that could put you at great risk, but it’s easy to protect your business against them. What you and every business should learn to do is draft a strong password policy that can cover every weakness that a password has. To do this, you need only to include these # key components: 

1. Enforce MFA

We've mentioned how MFAs are expensive, difficult to implement, and not widely supported, but that wasn't meant to discourage you from enforcing them in your business. In fact, despite the disadvantages, it is highly recommended to enable MFA, preferably phishing-resistant MFA, for all users of your network. Doing so mitigates the risk and damage of password attacks and cyber threats in general.

There are many types of MFA to choose from biometrics, physical keys, authenticator apps, and more. If you need help deciding, consider your resources and user experience. Your chosen method should be practical for your business and convenient for your users without sacrificing security.

2. Set minimum and maximum password length 

Setting a character limit for passwords helps defend against password guessing and hashing. Set the minimum length at 8 and the maximum at 64. But also keep in mind that a 20-character password is already considered strong. This is because studies have shown that hackers are capable of hacking 18-character-long passwords that are generated by humans.

3. Measure password strength/complexity 

You and your users should learn how to make the best passwords. Strong and complex passwords include special characters, are randomized and lengthy, and do not contain personal information. Experts say that a 12-character password that is fully random, meaning it does not spell or resemble anything, is best at mitigating password guessing and cracking.

4. Monitor password age and history

Ideally, passwords should be changed once a year, or twice or more times a year in high-security environments. They should also be unique and unrelated or similar to old, possibly compromised passwords. Monitor everyone's password age and history and ensure they are changed accordingly.

5. Limit failed login attempts

Different regulations dictate different limits for failed login attempts. The NIST framework is lenient, with the limit at less than 100. PCI-DSS, which helps protect cardholder data, requires businesses to lock out the user ID after six failed attempts. The lockout period also varies between 1 minute to until an administrator enables the user.

You can set your limits and lockout periods, but make sure you adhere to regulations within your industry. And again, consider the capabilities and convenience of your users.

6. Utilize password managers

According to studies, the average user has 3 to 19 different passwords across 150 websites and services. It's close to impossible, so users resort to storing their login credentials in apps or physical notepads. While those are valid methods, they're not as safe. The best and most secure way to store credentials is to utilize password managers.

Password managers are software applications that store and manage usernames, passwords, and other sensitive information. Data is encrypted with the latest technology; some use zero-trust architecture to ensure absolute protection.

Using password managers means users won't have to remember so many login details. Instead, they need only to memorize credentials for the password manager itself.

7. Educate users on proper password management

Every business should conduct regular cybersecurity awareness training for its members, including teaching them proper password creation and management. Educate your users on how to create strong passwords, store them properly, and avoid password attacks. Remember that human error is the biggest cause of breaches, so avoid that by empowering your members through constant training. 

Start Fortifying Your Password Policy

The persistence of passwords in the modern business era is largely due to their simplicity, convenience, and ease of use. Despite the risks that they come with and experts’ desire to transform authentication methods, passwords will remain in use for the foreseeable future.

As such, the responsibility of ensuring asset and user security falls upon businesses, and this can be achieved by implementing a strong password policy that includes the following components:

• Multi-factor authentication 
• Minimum and maximum password length 
• Password complexity 
• Password age and history monitoring 
• Limited failed login attempts 
• Use of password managers 
• Conducting awareness training 

 If you need help fortifying your business’ password policy, Intelligent Technical Solutions (ITS) is always ready to help. You can meet with one of our experts to learn more about how you can leverage our services. You can also get a free cybersecurity assessment to gain a better understanding of your vulnerabilities.

You can also learn more about password attacks and management by checking out these pieces of content from our learning center:

• [Article] Ways to Protect Your Business Amidst Alarming Rise in Password Attacks 
• [Article] NIST Password Guidelines: 9 Rules to Follow