Top 10 Password Policy Advice for Sysadmins in 2023 (2023)

Passwords are ubiquitous in our personal and business environments. The average person needs to remember about 100 different account passwords, and it's nearly impossible to remember unique and complex passwords for each one. This leads employees to create easy-to-remember passwords and reuse them for multiple accounts. Theft, weak or reused passwords are the most common causes of data breaches worldwide. It is the system administrator's responsibility to ensure that employees use strong and unique passwords for all their accounts.

Regulators and industry researchers are releasing information security guidance to help organizations protect passwords from cyberattacks. Some guidelines are industry-specific, while others are industry-independent. However, the goal of all guidelines is to prevent cyberattacks and security breaches. The aspect of password security has a place in almost all guides. Even if these guidelines don't apply to your industry, it's worth reviewing them and applying the best elements to your password policy.

Password policies address the entire password lifecycle: how passwords are created, complexity requirements, secure storage, secure transmission, periodic randomization, fast logout, continuous monitoring, and more. In this blog, we try to introduce you to some of the most popular published information security guidance and share the top ten strategic recommendations that we think every sysadmin should implement in their organization.

Password Security Standards and Guidelines

1.NIST SP800-63B

National Institute of Standards and Technologyis a non-regulatory agency of the U.S. Department of Commerce. Develop technologies, standards and best practices to ensure information security. NIST publishes its Digital Identity Guidelines (NIST Special Publication 800-63B) was published in October 2017, with some sections updated in 2020. Section 5.1.1 (Secrets to Remember) of that document discusses passwords and how they are managed and stored. While meeting regulatory compliance requirements is the job of federal agencies, any organization can benefit from implementing these guidelines.

A Critical Guide to NIST Cryptography

• If selected by the user, the minimum length is 8 characters and the maximum length is at least 64 characters.
• Both ASCII characters (including spaces) and Unicode characters are allowed.
• Validate potential passwords against a list of commonly used, expected, or at-risk values. This includes passwords, dictionary words, repeated or consecutive characters ("aaaaaa", "1234abcd", etc.), and context-specific words (such as service names, usernames, and their derivatives) taken from a corpus of previous breaches.
• Limit the number of consecutive failed authentication attempts per account to no more than 100.
• Allow "paste" functionality when entering passwords.
• Provides a password strength meter.
• There are no complexity or password validity requirements.
• Apply multi-factor authentication (MFA).
• Store passwords in a format that is resistant to offline attacks.
• Passwords must be salted and encrypted.

2. Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard (PCI-DSS Version 3.2.1) is a set of requirements to ensure that sensitive data is protected, privacy is maintained, and networked systems are sufficiently reliable against cyber-attacks. These guidelines are provided byPCI Security Standards Council (PCI SSC). It is a global forum that brings together payments industry stakeholders to develop and support the adoption of data security standards and resources to enable secure payments globally. PCI standards are not specific to any one country or organization, but rather serve as a set of global standards that anyone can follow. Requirements 2 and 8 of this document address password requirements for logging into the cardholder data environment.

Key Guidelines for PCI-DSS Passwords

• Before installing the system on the network, be sure to change the default settings (passwords and settings) provided by the provider and remove or disable unnecessary default accounts (see 2.1).
• Delete/block inactive user accounts within 90 days (see 8.1.4).
• Reduce repeated login attempts by locking out user identities after no more than six attempts (see 8.1.6).
• Set the lockout time to at least 30 minutes or until the administrator enables the user ID (see 8.1.7).
• If a session has been inactive for more than 15 minutes, require the user to re-authenticate to reactivate the terminal or session (see 8.1.8).
• Password/phrase must be at least 12 characters and contain both numeric and alphabetic characters. (see 8.3.6)
• Passwords must have a minimum length of at least seven characters and contain both numeric and alphabetic characters (see 8.2.3).
• Change user passwords at least every 90 days (see 8.2.4).
• Do not allow anyone to send you a new password that is the same as any of the four most recent passwords (see 8.2.5).
• Set passwords to unique values ​​for each user on first use and after reset, and change passwords immediately after first use (see 8.2.6).
• Authenticate user access to resources using one or more of the following methods: password or password, any biometric method, smart card, or token authentication. These authentication mechanisms must be encrypted during transmission and storage. (See 8.3.1.)
• Invalid authentication attempts are limited as follows: User identification is blocked after no more than 10 attempts. Set the lockout time to at least 30 minutes or until the user's identity is confirmed. (see 8.3.4)
• People cannot submit a new password that is the same as any of the four most recently used passwords. (see 8.3.7)
• If you suspect or know that your password has been compromised, change your password. (see 8.3.8)
• Implement and enforce MFA in all CDEs and remote access, and document all MFA (8.4.1 through 8.5.1)
• Passwords cannot be scripted and must be changed periodically (8.6.2, 8.6.3)

3.ISO/CEI 27002

ISO/IEC 27002:2013 is an information security standard published by ISO/IEC 27002:2013International Organization for Standardization (ISO)IInternational Electrotechnical Commission (IEC). It is intended to serve as a reference point for selecting security measures during the implementation of an Information Security Management System (ISMS). ISO 27002 5.17 controls enable organizations to properly allocate and manage authentication information, eliminate the risk of failure during the authentication process, and prevent security risks that may arise from the disclosure of authentication information. Sections 9.2, 9.3, and 9.4 of this document discuss password guidelines for preventing unauthorized access to systems and applications.

Key Guidelines for ISO/IEC 27002 Cryptography

• Change the provider's default secret credentials after system or software installation (see 9.2.4.g).
• Avoid keeping records of secret credential information (e.g., on paper, software files, or mobile devices) unless it can be stored securely and the method of storage has been approved (e.g., a password vault) (see 9.3.1 .b).
• If a password is used as a secret credential, choose a high-quality password with an adequate minimum length, i.e.:
  1. easy to remember;
  2. It is not based on anything that can be easily guessed or obtained by anyone else using information about that person, such as name, phone number and date of birth;
  3. They are not vulnerable to dictionary attacks (i.e. they do not contain words found in dictionaries);
  4. not have the same consecutive characters, all numbers or all letters; and
  5. If temporary, it is changed on first login (see 9.3.1.d).
• Do not use the same secret credential for commercial and non-commercial purposes (see 9.3.1.g).
• Provide adequate protection for passwords when they are stored as secret authentication information during automated login processes (see 9.3.1.f).
• Password management systems must be interactive and provide high-quality passwords (see 9.4.3).
• Sensitive data such as passwords must be masked and prevented from leaking.
• password managementThe implemented system must:
  1. Mandatory use of individual user IDs and passwords to maintain accountability;
  2. Allow users to select and change passwords and include confirmation procedures to allow data entry errors;
  3. enforce high-quality passwords;
  4. Force users to change their passwords on first login;
  5. Enforce periodic and as-needed password changes;
  6. Track users' previous passwords and prevent them from being reused;
  7. Do not display the password on the screen when entering it;
  8. separate password files from application system data; and
  9. Store and transmit passwords in protected (encrypted or encrypted) form (see 9.4.3).

4. CIS Password Policy Guidelines

CIS Password Policy GuidelinesThe goal is to create a comprehensive password policy that can serve as a standard when a password policy is required. announcer:Center for Internet Safety(CIS), a not-for-profit organization whose mission is to "identify, develop, validate, promote, and maintain best cyber defense practices." They are responsible for CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. Last updated in December 2021 to include the following guidelines:

Key CIS Password Guidelines

• Use MFA whenever possible (see 2.1).
• A minimum length of 14 characters is required for One-Time Password accounts and 8 characters for MFA-enabled accounts (see 5.1.1).
• According to system constraints, the maximum password length should be as long as possible (see 5.1.1).
• Do not limit the maximum length of passwords (see 5.1.1).
• All types of characters are allowed in passwords, and password accounts are required to have at least one non-alphabetic character (see 5.1.2).
• If your password is compromised, please change it immediately, with a one-year period as a security guarantee (see 5.1.3).
• Validate the creation of new passwords against an internal reject list of known weak and bad passwords (at least 20 popular passwords) or the previous 5 passwords (see 5.1.4).
• Mandatory password change delay of at least one day (see 5.1.4).
• Lock the current session after 15 minutes (or less) of inactivity (see 5.1.5).
• After five consecutive failed attempts, the account will be temporarily banned (15 minutes or more) (see 5.1.6).
• Throttling doubles the time in minutes between each retry (0, 1, 2, 4, 8, etc.) and permanently locks the account after 12 retries (requires IT restart) (see 5.1 .6).
• Monitor and alert key personnel when previously failed login attempts reach login limits (see 5.1.7).
• Your account will be automatically suspended after 45 days without a valid login (see 5.1.8).
• User-defined password "prompts" at login are not allowed (see 5.1.9).

Optional suggestions:

• Provide some sort of password strength indication at creation time (see 5.2.1).
• Allows full passwords to be displayed on creation and each character temporarily displayed on entry (see 5.2.2).
• Promote the use of a.password manager(Version 5.2.3).
• Allow pasting into password fields when using a password manager (see 5.2.4).

5. CIP NERC

NERC Critical Infrastructure Protection (NERC-CIP) is a set of standards that define minimum safety requirements for bulk power systems. announcer:North American Electric Reliability Corporation (NERC)is a not-for-profit international regulatory agency whose mission is to protect the reliability of the North American bulk power system. In Table R5CIP-007-6 - System Security ManagementThe document details password policy requirements for power system operators.

Key Guidelines for the NERC CIP Cryptography

• Change known default passwords according to network asset capabilities (see 5.4).
• Passwords must be at least eight characters long or the maximum length supported by the web property (see 5.5.1).
• The minimum password complexity, which is the lesser of three or more different types of characters (eg, uppercase letters, lowercase letters, numbers, non-alphanumeric characters) or the maximum complexity supported by the web property (see 5.5.2).
• Mandatory password changes or at least every 15 calendar months (see 5.6).
• If possible, limit the number of failed authentication attempts, or generate an alert when the failed authentication attempt threshold is exceeded (see 5.7).

6. HIPAA Security Principles

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires national standards to protect sensitive patient health information from disclosure without the patient's consent or knowledge. The HIPAA security principles describe how organizations must protect electronic protected health information (ePHI). HIPAA password requirements are regulatedadministrative securityHIPAA security standards.

HIPAA security rules require organizations to implement procedures for creating, changing, and protecting passwords. He also recommends training employees on how to protect password information and developing guidelines for creating and changing passwords on a regular basis.

HIPAA intentionally does not provide specific guidance on password complexity. HIPAA provides no specific guidance on password complexity, but the security standard §164.312(d) requires organizations to implement a process to verify who is seeking access to electronically protected health information. To comply with HIPAA, organizations can follow the NIST Cryptography Guidelines.

Enterprise Password Policy Recommendations

Based on these password guidelines, here's a breakdown of the top ten password policy recommendations:

1. Use longer passwords

Hackers use methods such as brute force attacks to gain access to your account. In the case of a brute force attack, the hacker runs the program and checks all possible combinations of letters, numbers and symbols until he finds the right one. Each extra character multiplies the time it takes to crack the password. Adding numbers, symbols, uppercase and lowercase letters to passwords makes it very difficult to brute force them. Therefore, it is safer to have long and complex passwords.

Try to keep passwords at least 12 characters long and enrich them with numbers, symbols, and uppercase and lowercase letters.

2. Do not reuse passwords

When a large-scale data breach occurs, email addresses and passwords are often leaked onto the internet. If you reuse your credentials across multiple accounts, and one of your accounts is compromised, hackers can easily gain access to your other accounts as well. If you choose unique passwords for each account, even if a hacker has credentials for one of your accounts, the rest of your accounts will remain safe. Also, avoid modifying and reusing the same prefixed or suffixed passwords (for example, password1, password2).

3. Do not use personal information

Many people use names, birthdays, phone numbers, and other personal information in their passwords. While they are easy to remember, they are readily available on the internet and easily accessible to hackers. Use random combinations of uppercase and lowercase letters, numbers, and special characters to increase password complexity and reduce the risk of potential compromise.

4. Change the password to prevent disclosure

Today, we witness massive credential breaches every day. Whenever such an incident is reported, please change your password immediately if you have any dealings with the victimized organization.
Passwords exposed as a result of various data breaches around the world are made public in the form of data dumps. In many cases, users do not know when their passwords are exposed through a credential compromise attack. If a cracked password is used, it could trigger a wave of cyberattacks. You can use similar productsA Secure Password Vault for BusinessesIt proactively scans dumps on a regular basis and verifies that any passwords stored in the product match those exposed in known data breaches.

5. Check your passwords against the list of commonly used, expected, or compromised passwords.

One of the key recommendations is thatNIST SP800-63BPassword guidelines compare potential passwords to lists of values ​​that are known to be commonly used, expected, or violated when passwords are changed. As mentioned above, products such asA Secure Password Vault for Businessescan help you do it easily.

6. Never text or email your password

If you share your username and password with someone via email or text message, even if that person can't share it with anyone else, your credentials could be exposed if your email account or device is compromised. Use a safe method such aspassword manager share password。

7. Avoid Repeating Passwords

Organizations must ensure that end users do not repeat old passwords. The policy should specify a minimum password age. Otherwise, end users can change passwords multiple times and reuse old passwords within minutes.

8. Set up password auditing

You should monitor your team's compliance with password security policies. Regular audits help ensure password policy compliance and identify and change weak passwords.

9. Implement AMF

Multi-factor authentication provides an additional layer of security. Access to your account requires at least two authentication factors: something you know (password), something you have (generated unique authentication code), and who you are (fingerprint). Always use multi-factor authentication when available.https://twofactorauth.orgThis is a great reference point.

10. Start using your password manager.

Keeping Excel spreadsheets or writing them down on paper is a dangerous way to store passwords. The most effective solution to maintaining general password hygiene is to use a password manager. andpassword managerHelps you create strong passwords and store them securely according to the best practices listed above.

While implementing these recommendations will not bring you into compliance with the above, they will serve as a good starting point for keeping your information secure.

How Securden can help you enforce a strong password policy

While creating a strong password policy is important, you also need the right tools to enforce this policy seamlessly across your organization. andA Secure Password Vault for Businesses, you can define policies that specify password strength and complexity requirements, password reset frequency, and other criteria. Once a policy is defined, Securden helps enforce it in a fully automated fashion.

You can create any number of custom policies or use predefined policies and assign them granularly to different types of accounts. For example, you can apply one policy for Windows servers, another for databases, and another for Internet accounts.

Once policies are defined, you can track compliance status at the organization level. Securden provides useful reports showing violations and corrective actions that need to be taken.

Securden also helps you regularly check that your stored passwords match those found in known data breaches. Administrators, auditors, account owners, and other designated users can receive email notifications when compromised passwords are detected.

schedule a demostart30 day trial available now。