Password Policy

Password Security Standards and Guidelines

Passwords are omnipresent in our personal and business environments. The average person has around 100 passwords to remember for various accounts, and it is practically impossible to memorize a unique, complex password for each of them. As a result, employees come up with easy-to-remember passwords and reuse them across multiple accounts. Stolen, weak, or reused passwords are the top reasons for data breaches worldwide. It is up to system administrators to ensure employees use strong, unique passwords for all of their accounts.

Regulatory bodies and industry researchers publish information security guidelines to help organizations protect their passwords from cyberattacks. Some guidelines are industry-specific and others industry-agnostic, but all of them share the objective of preventing cyberattacks and security breaches, and password security has a place in almost every one of them. It makes sense to consult these guidelines and adopt their best elements into your password policy, even when a guideline was not written for your industry.

Password policy refers to the entire lifecycle of passwords - the way they are created, the complexity requirements, secure storage, safe transmission, periodic randomization, prompt deprovisioning, continuous monitoring, and more. In this blog, we try to introduce you to some of the most popular information security guidelines published and share the top 10 policy recommendations that we think every system administrator should implement in their organization.

Key password guidelines:

  1. Minimum length of 8 characters; when the user chooses the password, the maximum permitted length must be at least 64 characters.
  2. Allow all ASCII characters (including space) and Unicode characters.
  3. Check prospective passwords against a list of values known to be commonly used, expected, or compromised. This includes passwords obtained from previous breach corpora, dictionary words, repetitive or sequential characters (‘aaaaaa’, ‘1234abcd’, etc.) and context-specific words, such as the name of the service, the username, and derivatives thereof.
  4. Limit consecutive failed authentication attempts on a single account to no more than 100.
  5. Allow "paste" functionality while entering a password.
  6. Provide a password strength meter.
  7. Impose no composition (complexity) rules and no periodic password expiration.
  8. Enforce multi-factor authentication (MFA).
  9. Store passwords in a form resistant to offline attacks.
  10. Passwords shall be salted and hashed.
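As an added example (not code from the original post or from any guideline body), the following Python module implements guidelines 1 through 4 and 9 through 10 from the list above: length bounds with Unicode accepted, blocklist and context-word screening including repetitive and sequential runs, a per-account failed-attempt counter that locks at 100, and salted storage with a memory-hard KDF. The blocklist entries, usernames and service name are constructed sample values; the run-length threshold of four characters, the choice of scrypt and its cost parameters are assumptions made here, not values the post specifies.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

MIN_LEN = 8
MAX_LEN = 64                 # the maximum must be at least 64; longer is fine
MAX_FAILED_ATTEMPTS = 100

# Constructed stand-in for a real blocklist; a deployment would load a large
# breach corpus and dictionary from disk instead of this handful of values.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def normalize(password: str) -> str:
    """NFKC-normalize so equivalent Unicode spellings compare and hash identically."""
    return unicodedata.normalize("NFKC", password)


def has_repetitive_run(pw: str, run: int = 4) -> bool:
    """True when one character repeats `run` or more times in a row ('aaaa')."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True when `run` adjacent code points step by exactly +1 or -1 ('1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(candidate: str, username: str, service_name: str) -> List[str]:
    """Screen a prospective password against guidelines 1-3.

    Returns the list of violations; an empty list means the password is acceptable.
    No composition rules (upper/lower/digit/symbol) are enforced, per guideline 7.
    """
    pw = normalize(candidate)
    problems: List[str] = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        problems.append("appears in the commonly used / breached password list")
    # Context-specific words: username, service name and one simple derivative (reversed).
    for word in (username, service_name):
        w = word.lower()
        if w and (w in lowered or w[::-1] in lowered):
            problems.append(f"contains context-specific word '{word}'")
    if has_repetitive_run(lowered):
        problems.append("contains a repetitive character run")
    if has_sequential_run(lowered):
        problems.append("contains a sequential character run")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Guidelines 9-10: per-password random salt plus a memory-hard KDF (scrypt).

    Returns (salt, digest); store both. The KDF cost is what slows offline guessing.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, computed = hash_password(password, salt)
    return hmac.compare_digest(computed, digest)


class AttemptLimiter:
    """Guideline 4: count consecutive failures per account and lock at the limit."""

    def __init__(self, limit: int = MAX_FAILED_ATTEMPTS) -> None:
        self.limit = limit
        self.failures: Dict[str, int] = {}

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.limit

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt; a success resets the counter. Returns the lock state."""
        if success:
            self.failures[account] = 0
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)
```

In use, `check_password` runs at enrollment and password change, `hash_password` produces the record to store, `verify_password` runs at login, and `AttemptLimiter.record` is called after every login attempt so that lockout is reached only after consecutive failures. The module deliberately enforces no composition rules and no expiry (guideline 7); the strength meter, paste support and MFA (guidelines 5, 6 and 8) live in the client and the authentication flow rather than in this server-side check, and the blocklist must be replaced with a full breach corpus for the screening in guideline 3 to be meaningful.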