Password best practices have changed over the last decade, yet many companies and users alike have been stuck using outdated guidelines.
Here are the latest password best practices for organizations today:
- Use standalone or integrated password testing tools to check password quality, instead of relying on complex alphanumeric and symbol characters.
- Allow password length to be at least 64 characters long, rather than limiting length to 8-10 characters.
- Stop forcing regular password changes, as most users only alter existing passwords incrementally, which makes for a weak password.
- Forget using hint questions for password recovery since social media and a lack of data privacy help hackers easily find the answers.
- Encourage the use of password managers, and allow copy & paste in the data entry fields.
- Turn on multi-factor authentication (MFA) to add another layer of protection by confirming logins (55% of respondents don’t even use two-factor authentication at work).
Additionally, individual users should be using the following password best practices:
- Never give away login credentials, not even to someone in the IT department (69% of respondents share their passwords with their colleagues).
- Stop using the same password for various accounts (51% reuse passwords across both their business and their personal accounts).
- Create passwords that are at least 16-characters long.
- Use a phrase rather than a single word, and add symbols throughout.
- Don’t use any personal information, such as a birthday, pet name, maiden name, etc.
- Store all passwords in a password manager.
Outdated Password Best Practices
Some outdated password “best” practices are well known, but are they still the best? Over the past few decades, most companies have implemented what they consider to be fundamental password criteria.
These generally include:
Ensuring complex passwords are composed of alphabetic (uppercase and lowercase) and numeric characters in addition to special symbols and similar characters
Forcing users to change passwords regularly
Requiring new passwords not previously used by the user
These guidelines are so widely accepted that we see them specified in the Payment Card Industry Data Security Standard (PCI DSS). But, as with all mature technology policies, it’s important to stand back from time to time and evaluate if they still make sense in our evolving environment. We’re due to unlearn some of the password best practices we have become accustomed to for decades, and apply a new normal to password management practices.
The fact is, 57% of people have not changed their outdated password behaviors to help them avoid a phishing attack. Part of the reason is because people are tired of spending 10.9 hours per year entering and/or resetting passwords. Therefore, if password practices don’t change, companies and people are increasing their risks for a computer security breach.
Updated Password Best Practices
The National Institute for Standards and Technology (NIST) has published a revised set of Digital Identity Guidelines which outlines what is considered password best practices for today. We won’t cover all four volumes of the NIST publication, but I strongly recommend you review them.
Some of the specific topics that are covered include:
Let’s have a look at some of the most commonly implemented password best practices when it comes to security, and compare them with the latest recommendations.
Variation of Alphanumeric Characters
It seems like we’ve forever been forced to pick passwords which contain a variation of numbers, upper- and lowercase letters, and special characters to make a password complex. However, NIST has stated this doesn’t lead to stronger passwords and the practice should be replaced by more dynamic support for password selection.
NIST recommends that organizations support users in selecting better passwords by checking chosen passwords against known weak passwords and leaked breach data. If you can’t perform in-line password checks as users generate or change their passwords, then be sure to provide very regular password strength checking. The availability of tools such as HashCat and similar password testing tools makes a quality check for password selection fairly easy.
We can also see that some vendors are integrating such functionality into their products. Microsoft, for instance, has added a “Risky Login” flag for users who log in to their Azure Active Directory using leaked credentials. Look for new functionality in your user account management system, as some other vendors are starting to integrate this functionality.
8-10 Characters Long
We’ve all come across examples where your password could be no shorter or longer than 8-10 characters. This can be seen in some of the larger organizations globally, no doubt because of restrictions with legacy systems.
It’s time to drop forced composition rules in favor of longer passwords. NIST is clear in its recommendations for password length. It suggests that passwords of at least 64 characters should be allowed. Lengthier phrases trump shorter gibberish passwords when it comes to security, and can also be easier to remember. Most of us would have an easier time remembering something like RetailTherapyBut!mBroke for our favorite shopping site, compared to something like [email protected]!lz98pL.
Forced Regular Password Changes
NIST has deprecated the widely-adopted practice of regularly changing your password, in case hackers have information without your knowledge. The argument against this practice lies with the human trait to select a password sequence or pattern to ease the workload of remembering passwords. So, what a user tends to do is add a number or other incremental character at the end of their current password each time they are forced to change it. This makes for a weak password.
A popular trend to recover forgotten passwords is allowing users to reset passwords if they successfully answer a hint question, like the make of their first car or their favorite teacher. The quality of hint questions can often leave a lot to be desired. Poor levels of entropy combined with all the personal data now shared on social media weakens the use of password hints.
NIST advises us to stop using hint questions as a means to help users recover account access. A more advanced form of password security is multi-factor authentication. Apple uses it and many other organizations offer it as well. This non-password based method used to log into systems allows the identification of someone based on their face, retina, hand or fingerprints, heartbeats, voices, location, time, and digital certificate, USB hardware token, and more. The added layers of protection lower the risk of hacking.
No Cut & Paste
Bizarrely, some sites currently prevent users from pasting their passwords into form fields, thereby breaking the automated use of password managers.
The use of password managers should be encouraged and supported by ensuring users can paste into password data entry fields. Password managers (also called password vaults), generate, synchronize, back up, and store passwords across multiple software and devices. This is all done in an encrypted form for powerful added security.
Some password manager options include:
As Security magazine reported, 80% of hacking-related breaches are tied to stolen or reused credentials, so securing employee access has never been more important.
Are you and your business practicing these updated password best practices? If not, we at Pluralsight encourage you to do so, for security’s sake.
5 keys to successful organizational design
How do you create an organization that is nimble, flexible and takes a fresh view of team structure? These are the keys to creating and maintaining a successful business that will last the test of time.Read more
Why your best tech talent quits
Your best developers and IT pros receive recruiting offers in their InMail and inboxes daily. Because the competition for the top tech talent is so fierce, how do you keep your best employees in house?Read more
Technology in 2025: Prepare your workforce
The key to surviving this new industrial revolution is leading it. That requires two key elements of agile businesses: awareness of disruptive technology and a plan to develop talent that can make the most of it.Read more