IT departments should implement and maintain effective password policies containing robust user identification and password practices. Millions of users worldwide continue to use 123456 and other easily guessed passwords (see here for 100,000 passwords to avoid). In a 2019 Ponemon study, 69% of respondents shared passwords with work colleagues, and 51% reused an average of five passwords across their business or personal accounts—contrary to best practices.
An added challenge is that users face password overload, spending hours per year resetting or entering passwords and managing the multitude of passwords they need for work and home. Consequently, they resort to unsafe habits like storing passwords on sticky notes under desks and using easily guessed or weak passwords. Poor password hygiene features prominently in security breaches and in studies such as those conducted by Ponemon.
Complicating matters for IT departments is the reality that some “best” practices of the past have gone the way of leeches and lobotomy. Consequently, in recent years the National Institute of Standards and Technology (NIST) has updated the password guidance in its Digital Identity Guidelines. The updates reflect years of research and observation of user and hacker behaviour. Other organizations like Microsoft have released updated guidance too (for example, see Microsoft’s Password policy recommendations, under “Password guidelines for administrators”).
IT departments need to understand the risks associated with passwords and user identification and apply current best practices to mitigate those risks. An understanding of user psychology is therefore critical. Password overload is a fact of life, and users often click on links in phishing emails despite being warned not to. The answer is less reliance on users and more on technical solutions to safeguard access to IT systems. Even with the technical elevated over the human, user training on security awareness, phishing, and password hygiene remains essential.
Some don’ts of effective password policies include:
- Do not force passwords to expire periodically. Users need to change passwords in limited circumstances, for example, if a password is compromised or forgotten.
- Do not impose mandatory password complexity rules, but allow password complexity. Although still a widespread practice, research shows that mandating complexity requirements (for example, a particular combination of letter cases, special characters and numbers) is ineffective. However, users should be able to incorporate complexity when they generate their passwords.
- Do not place upper limits on password length. Systems should accept up to 64 characters.
- Do not use knowledge-based authentication (KBA) or security questions, where a user is prompted for an answer to a question that, presumably, only they know. For instance, a KBA question would ask “What is your favourite flower?”.
- Do not use password hints, for example, “Word that your password rhymes with”. Password hints invite easily guessed answers, which make the password easy to guess. For instance, the answer “chimes” could lead to “dimes”, “mimes” or other easy-to-guess (pass)words.
Instead, implement the following dos, to create more effective password policies:
- Do use single sign-on (create one user identity and associated password as a gateway to multiple IT systems and services) to reduce user burden and password overload.
- Do use blacklists or dictionaries, which are lists of prohibited passwords (for example, password123) and password types (for example, repeating patterns like AABBCC).
- Do train users in security awareness, including training on phishing and other social engineering.
- Do manage user identities and passwords, for instance, by assigning each user a unique identity with access rights based on least-privilege or need-to-have principles.
- Do use multi-factor authentication if appropriate, for instance, for banking or other sensitive applications.
- Do encourage passphrases (several words together, perhaps even a sentence) instead of passwords.
- Do encourage users to create different passwords for home and work.
- Do implement minimum password lengths. Require at least 8 characters.
- Do allow passwords to contain all printable ASCII characters (including letters, numbers, spaces, punctuation and special characters) and Unicode (including emojis and picture characters).
- Do use technical solutions like account throttling or lockout and reauthentication, for password recall and security. Account throttling forces increasing periods of delay between password attempts, while lockouts allow a pre-determined number of password guesses—between 5 and 10—before locking out users. Reauthentication procedures require users to reconfirm their identities and continued presence after extended periods of inactivity, failing which the system logs them off automatically.
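As an added example (it is not from the article or from PolicyPro), here is a Python check that applies the dos and don’ts above to a proposed password: a minimum of 8 and a maximum of 64 characters, all printable ASCII and Unicode accepted, a blacklist lookup and a repeating-pattern check, and deliberately no composition rule or expiry. The five blacklist entries, the violation messages and the `validate_password` and `has_repeating_pattern` names are constructed for illustration; a real deployment would load a large list of breached and commonly chosen passwords.

```python
import unicodedata

# Constructed sample blacklist (stored case-folded). A real deployment loads a large
# list of breached and commonly chosen passwords; these entries are for illustration.
BLACKLIST = {"123456", "password", "password123", "qwerty", "letmein"}

MIN_LENGTH = 8   # "require at least 8 characters"
MAX_LENGTH = 64  # "accept up to 64 characters"


def has_repeating_pattern(candidate: str) -> bool:
    """Detect the password types the article blacklists: a unit repeated to fill the
    whole string (aaaaaaaa, abcabc) or every character doubled in pairs (AABBCC)."""
    n = len(candidate)
    for unit in range(1, n // 2 + 1):
        if n % unit == 0 and candidate[:unit] * (n // unit) == candidate:
            return True
    if n >= 4 and n % 2 == 0 and all(candidate[i] == candidate[i + 1] for i in range(0, n, 2)):
        return True
    return False


def validate_password(candidate: str) -> list[str]:
    """Return the list of policy violations for a proposed password; an empty list
    means it is acceptable. Deliberately absent: any composition rule (required mix
    of cases, digits or symbols) and any expiry date."""
    problems: list[str] = []

    # Length is measured in Unicode code points, so spaces, punctuation and emoji all
    # count as characters. (Simplification: an emoji assembled from several code
    # points counts as several characters.)
    length = len(candidate)
    if length < MIN_LENGTH:
        problems.append(f"too short (minimum {MIN_LENGTH} characters)")
    if length > MAX_LENGTH:
        problems.append(f"too long (maximum {MAX_LENGTH} characters)")

    # Every printable ASCII and Unicode character is allowed. Only control characters
    # (category Cc) and lone surrogates (Cs) are rejected: they cannot be typed
    # deliberately and usually indicate a transport or encoding error.
    if any(unicodedata.category(ch) in ("Cc", "Cs") for ch in candidate):
        problems.append("contains control characters")

    # Blacklist / dictionary check, case-insensitive so "PASSWORD" is caught too.
    if candidate.casefold() in BLACKLIST:
        problems.append("found in blacklist")

    if has_repeating_pattern(candidate):
        problems.append("repeating pattern")

    return problems


def is_acceptable(candidate: str) -> bool:
    return not validate_password(candidate)


if __name__ == "__main__":
    samples = ["123456", "AABBCCDD", "correct horse battery staple", "Passw0rd!", "🔒🔑🐍🍕🚀🌍🎉🔐"]
    for sample in samples:
        print(repr(sample), "->", validate_password(sample) or "accepted")
```

Note what the check does not do: `Passw0rd!` passes because no mix of character classes is demanded, while a 28-character passphrase with spaces and an 8-emoji password both pass because length and character set are the only structural requirements. Blacklist and pattern checks carry the weight that composition rules used to carry.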
Meeting your duty of care
IT departments must develop robust policies based on best practices, including assigning unique user accounts, implementing single sign-on, supplementing passwords with multi-factor authentication where appropriate, blacklisting passwords through password dictionaries, and implementing technical solutions instead of relying on user vigilance.
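The technical solutions named in the list above (account throttling, lockout after a fixed number of guesses, and reauthentication after inactivity) can be shown in a small Python wrapper around a credential check. This is an added example, not material from the article or from PolicyPro. The doubling delay schedule starting at one second, the five-attempt limit (the article allows 5 to 10), the 15-minute lockout and idle timeout, the `AuthGuard` class and the `demo_verify` credential store are all assumptions chosen for illustration.

```python
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5           # article: lock out after 5 to 10 guesses; 5 chosen here
BASE_DELAY = 1.0           # assumed: first failure waits 1 s, then 2 s, 4 s, ... (throttling)
MAX_DELAY = 60.0           # assumed cap on the throttling delay
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration once MAX_ATTEMPTS is reached
IDLE_TIMEOUT = 15 * 60     # assumed inactivity limit before reauthentication is required


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time at which another guess is accepted
    locked_until: float = 0.0
    authenticated: bool = False
    last_activity: float = 0.0


class AuthGuard:
    """Wraps a credential check with throttling, lockout and idle reauthentication.

    verify_fn(user, password) -> bool is the real credential check; clock() is
    injectable so the behaviour can be exercised without sleeping."""

    def __init__(self, verify_fn, clock=time.monotonic):
        self._verify = verify_fn
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def attempt_login(self, user: str, password: str) -> str:
        """Returns 'ok', 'wrong', 'throttled' or 'locked'. A throttled or locked
        attempt is refused before the password is checked, so it neither counts as
        a failure nor reveals whether the guess was right."""
        st = self._state(user)
        now = self._clock()
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            return "throttled"
        if self._verify(user, password):
            st.failures = 0
            st.next_allowed = 0.0
            st.authenticated = True
            st.last_activity = now
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0  # the counter starts afresh once the lockout expires
            return "locked"
        # Throttling: the wait doubles after every consecutive failure, up to MAX_DELAY.
        delay = min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)
        st.next_allowed = now + delay
        return "wrong"

    def check_session(self, user: str) -> str:
        """Call on every request. Returns 'active', 'reauthenticate' (idle too long,
        session ended automatically) or 'unauthenticated'."""
        st = self._state(user)
        now = self._clock()
        if not st.authenticated:
            return "unauthenticated"
        if now - st.last_activity > IDLE_TIMEOUT:
            st.authenticated = False  # automatic log-off after extended inactivity
            return "reauthenticate"
        st.last_activity = now
        return "active"


# Constructed demo credential store. A real system compares against a salted hash,
# never stored plaintext; this exists only so the example runs offline.
_DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(user: str, password: str) -> bool:
    stored = _DEMO_USERS.get(user, "")
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


if __name__ == "__main__":
    fake_now = [0.0]
    guard = AuthGuard(demo_verify, clock=lambda: fake_now[0])
    attempts = [(0, "guess1"), (0.5, "guess2"), (1, "guess3"), (3, "guess4"),
                (7, "guess5"), (15, "guess6"), (100, _DEMO_USERS["alice"])]
    for t, pw in attempts:
        fake_now[0] = t
        print(f"t={t:>5}: {guard.attempt_login('alice', pw)}")
```

Run stand-alone, the demo shows a guess made during the throttling window being refused without counting as a failure, the fifth failure triggering the lockout, and even the correct password being refused while the lockout is in force. The injectable clock is the design choice that matters: it lets the delay and timeout logic be tested deterministically rather than by sleeping.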
Use the policies and resources in Information Technology PolicyPro, SPP IT 8.03 – User Identification and Passwords, to help you implement and maintain robust policies based on best practices. Direct users to the soon-to-be-updated guidance tailored for them in SPP IT 13.03 – Passwords.
Policies and procedures are essential to internal controls, but the work required to create and maintain them can seem daunting. Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada) contains sample policies, procedures and other documents, plus authoritative commentary in the areas of information technology governance and management, to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request a free 30-day trial of Information Technology PolicyPro here.