Protect Your Network by Building a Strong Password Policy

Passwords are like the keys to your company’s network. Your users use them to log in to computers, access email, and connect remotely via VPN. And just like the key to the front door of your offices, a password in the wrong hands can allow unwanted “visitors” into your network -- where they can steal confidential information, destroy data, and expose your company to liability.

Hackers have many ways of stealing passwords. One of the oldest -- and still effective -- methods is called a brute-force attack. Using automated tools, an attacker will try thousands of passwords against your VPN login, your email system, or any other publicly accessible entry point to your network, until they find a password that works.

And in some cases, the attack isn’t even that sophisticated. If a hacker can manually guess common passwords -- like password or 1234567 -- the effect is the same: full access to your network, and lasting damage to your business.

To defend against these attacks, your company needs a strong password policy.

In this two-part series, we will first examine the components of a good policy and how you can decide what is best for your business and your users. In the second part, we will show you step-by-step how to implement a policy on a Windows AD DS domain.

How To Build a Strong Password Policy (Without Driving Your Users Crazy!)

When developing a policy, you’ll need to consider the trade-off between security and user-friendliness. Longer, more complex passwords will be harder for your users to come up with and remember. And making the rules too strict will incentivize your users to try to find ways to circumvent them.

So, for each component of a solid policy, we’ll discuss the pros and cons of more restrictive vs. more lenient options. You’ll need to take into consideration the requirements of your business when choosing these options. For example, if your company is subject to HIPAA or PCI security rules, you’ll want to consider erring on the side of security.

Password Length: We recommend a minimum password length of no fewer than 8 characters, but consider increasing this to 10 or even 12 characters.

Password length directly affects the amount of time it would take an attacker to guess the password using an automated tool. For example, increasing the length of a reasonably complex password from 8 to 10 characters increases the amount of time required to guess it from just a few minutes to several years.

Password Complexity: Users should use a mix of character types in their passwords, including uppercase and lowercase letters, numbers, and symbols or special characters. Again, adding complexity exponentially increases the amount of time it would take an attacker to guess the password.

Dictionary words should not be allowed. These are too easily guessed. Even with basic character substitutions (like P4$$w0rd, for example), automated tools can make short work of these kinds of passwords.
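The length, complexity, and dictionary rules above can be combined into a single check. The following is an added example, not code from the original article: the wordlist is a small constructed sample, and the substitution map and function names are assumptions chosen for illustration.

```python
MIN_LENGTH = 8  # the article's recommended minimum; consider 10 or 12

# Look-alike substitutions undone before the dictionary check (assumed map).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Tiny constructed wordlist; a real deployment would load a much larger one.
WORDLIST = {"password", "welcome", "letmein", "dragon", "monkey"}


def normalize(password):
    """Lowercase and undo look-alike substitutions: 'P4$$w0rd' -> 'password'."""
    return password.lower().translate(LEET)


def dictionary_hit(password):
    """Return a wordlist entry found anywhere in the normalized password, or None."""
    plain = normalize(password)
    # Substring match, so padding such as 'Dragon2024!' is still caught.
    return next((w for w in sorted(WORDLIST) if w in plain), None)


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    word = dictionary_hit(password)
    if word:
        problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("P4$$w0rd", "1234567", "Dragon2024!", "vT9#qLm2&xRz"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that P4$$w0rd satisfies the length and character-type rules and is rejected only by the dictionary check, which is why that rule is needed alongside the other two.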

Password Expiration: Users must be required to change their passwords periodically -- but the question is, how often? If the expiration period is too short, users may have trouble coming up with suitable passwords. They might fall back to insecure practices like using the same password with a minor variation. But if the period is too long, it may provide ample time for an attacker to discover and use a compromised password against you.

A good place to start is 6 months. If you require higher security, consider decreasing the expiration to every three or four months -- but no lower than this.

Account Lockouts: If a user tries an incorrect password too many times, you should configure your system to lock them out temporarily. This will protect your network against the brute-force attacks that we have discussed. Balance is needed here: a few bad password attempts may be from someone who doesn’t realize that he/she has caps lock on. More than 10 attempts in a short period of time should lock the account out for at least 30 minutes, or possibly an hour, to make sure that nothing suspicious is happening.

Implementing Your New Password Policy

When making a change, it's important to communicate the new policy clearly to all of your users. Are you going to be forcing everyone to change their passwords at the same time? Or will it go into effect the next time they change their passwords themselves? And of course, tell them the specific details: how many characters are required, which types of characters are required, and how often passwords will expire. Clear communication can mean the difference between a smooth, painless security upgrade and an office full of frustrated workers.

Our next article will show you exactly how to implement your new password policy in a Microsoft Active Directory domain. Stay tuned!