Creating a password policy for your small business

by Chris White, Software Engineer

Every business needs a password policy, and so does every individual. Where do you start? What makes a password policy strong? Let's clear the air.

Foundations of a strong password policy

  1. Length Equals Strength: password length is the fundamental basis of password strength. The federal government recommends the longest password possible within reason, because greater length means greater entropy, and greater entropy makes a password harder to guess. There is, however, a caveat: predictable patterns and reused substrings make passwords easier to guess. They tend to look like:

    - limited character sets: aaaaaaaaaaaaaaa | passwordpassword

    - reused substrings: catcatcatcat | dogdogdogdog

  2. Complexity Does Not Equal Security: complex passwords are hard to crack, but humans aren't. Password composition rules enforcing the use of special characters, numbers, and casing requirements lead to predictable passwords and password reuse because remembering complex passwords is difficult. This leads to passwords that look like:

    - replace e with 3, a with @, l with 1, o with 0: r3@11yc00lp@ssw0rd

    - capitalize first letter, add number and special character: Password1!

  3. Expiration Does Not Equal Safety: password expiration policies are antiquated. The web was once the wild west and password rotations were suggested at 90 and 180 day intervals during that time. It's finally dawned upon the last vestiges of password interval cronies that this is bad practice. Passwords should only be rotated when they're suspected or known to be compromised.

  4. Multifactor Equals Certainty: multi-factor authentication adds a further layer of security. That layer is built from three specific factors that insulate access to protected resources:

    - something you know: password | passphrase

    - something you have: authenticator app | hardware key

    - something you are: fingerprint | facial recognition

Two approaches to creating user-generated secrets

  1. Passphrase: a passphrase is a sentence or phrase that's easy to remember but hard to guess. Passphrases should be random, unique, and 20-30 characters in length.

  • Pitfalls: humans are predictable creatures and we love our free lunch. This leads to passwords like highwaytohell and sweethomealabama. These song lyrics are likely to end up on a passphrase list. They're unlikely to be guessed in a rate-limited authentication flow, but they'll be cracked almost immediately if your password database is leaked in a breach. Another flawed approach involves using common and easily identifiable personalizations from your life. Your kids are Kyle, Skylar, and Luke? Let's just add mom and dad to the end: KyleSkylarLukeMaryBob. That's a relatively strong password unless you're being individually targeted.

  • Examples: a better approach is to take something you enjoy from multiple parts of your life. For example, if you enjoy the color blue, love your cats, eat bananas, and despise mornings, you could create a passphrase like morningcatbluebanana. This passphrase is easy to remember (after a few tries) and hard to guess. The more words you add, the stronger the passphrase becomes. Note that illogical ordering and nonsensical word combinations are part of what makes a passphrase difficult to guess.

  2. Password: a random string of characters that is hard to guess. No unified standard for password length exists, but passwords should be 12 to 30 characters in length. Complex composition rules lead to poor password hygiene; nevertheless, requiring mixed-case letters, numbers, and special characters remains the standard. We'll review a mitigating factor that makes password hygiene trivial, so don't give up yet!

  • Pitfalls: humans are either your strongest asset or your weakest link depending on the angle at which you observe. How we change the observation angle is beyond the scope of this post, but poor password hygiene isn't, so let's discuss. As with passphrases, people tend to personalize passwords with family member names, dates of birth, and life events. This practice leads to simple passwords with predictable patterns like f3lici@0728 and M0md@d1975. This is bad practice because attackers build a complete dossier on victims during targeted attacks. They'll also sometimes reflect attacks off of trusted insiders, meaning nobody is safe.

  • Examples: the most powerful passwords are long, ultra-random, machine-generated passwords like h"3%<U~GD4u6'k]y{g~. Modern operating systems tend to include a robust password generator, and these generators can be part of your password hygiene strategy.

Both approaches are susceptible to cracking

Rate limiting and account lockout policies help mitigate this risk when hashed passwords are stored securely, but passwords and passphrases are both susceptible to brute force attacks offline. Length is the only mitigating factor that might prevent a password from being cracked when attackers have control of the password hash—a secure, cryptographic representation of the password.

Multi-factor authentication helps to mitigate this risk by adding a layer of security between a cracked password and account takeover.

Password managers

Password hygiene is difficult and is often a source of frustration for users. A good password manager almost immediately makes password hygiene trivial. It might take a few days for any user to adapt to a new password manager, but the ROI in terms of improved security posture is immense. I'll stop short of suggesting any specific password manager, but I certainly recommend using one.

Testing password strength

There are a number of tools available online to test your password strength, but I thought I'd provide a powerful open-source tool that you can run locally. Dropbox's zxcvbn is a password strength estimator that uses common password patterns to estimate the strength of a password. It's not a tool intended for everyday use, but for training. It provides a visual representation of password strength to help users understand the difference between strong and weak passwords. Keep in mind that no password is truly safe and all passwords can eventually be cracked. Strong password hygiene is a matter of making that exercise as difficult as possible for attackers.

Feel free to share this article with anyone who might benefit from it. This strength meter runs locally in your browser and no data is transmitted anywhere outside of your browser.

The meter reports: password strength, estimated guesses needed, crack time online with no rate limit, crack time online rate limited, crack time offline with slow hashing, and crack time offline with fast hashing.

Crack time online: estimated time to crack on the web.

Crack time offline: estimated time to crack with physical access to hashed password.

Rate limiting: slows attackers by limiting attempts per hour.
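The predictable patterns from the foundations section (repeated substrings, leet substitutions) and the four crack-time scenarios the meter reports, as one added example. This is not the post's code and not zxcvbn itself; the word list, the leet map and the guesses-per-second rates are assumptions, the rates chosen to follow zxcvbn's published scenarios.

```javascript
// Added example (not code from the post and not zxcvbn itself): a miniature estimator in
// zxcvbn's spirit. Word list, leet map and attack rates are assumptions for the demo.
const LEET = { '3': 'e', '@': 'a', '1': 'l', '0': 'o' };
const WORDS = ['password', 'really', 'cool', 'cat', 'dog', 'highway', 'hell', 'to']; // rank order
const RATES = {                   // guesses per second, assumed to follow zxcvbn's four scenarios
  onlineNoRateLimit: 10, onlineRateLimited: 100 / 3600,
  offlineSlowHash: 1e4, offlineFastHash: 1e10,
};
// Undo the predictable substitutions (e->3, a->@, l->1, o->0) before dictionary matching
function normalizeLeet(pw) {
  return pw.toLowerCase().replace(/[3@10]/g, c => LEET[c]);
}
// Shortest unit u with pw === u.repeat(n) and n > 1; null when the password does not repeat
function repeatedUnit(pw) {
  for (let len = 1; len <= pw.length / 2; len++) {
    const u = pw.slice(0, len);
    if (pw.length % len === 0 && u.repeat(pw.length / len) === pw) return u;
  }
  return null;
}
// Greedy longest-match split into word-list tokens; null when some part is not a listed word
function splitWords(s) {
  const tokens = [];
  for (let i = 0; i < s.length;) {
    const w = WORDS.filter(x => s.startsWith(x, i)).sort((a, b) => b.length - a.length)[0];
    if (!w) return null;
    tokens.push(w);
    i += w.length;
  }
  return tokens;
}
// Guess estimate: a repeat costs (unit guesses x repeat count); dictionary words cost their
// rank, doubled per leet-substituted character; anything else is treated as brute force.
function estimateGuesses(pw) {
  const unit = repeatedUnit(pw);
  if (unit) return estimateGuesses(unit) * (pw.length / unit.length);
  const tokens = splitWords(normalizeLeet(pw));
  if (tokens) {
    const subs = (pw.match(/[3@10]/g) || []).length;
    return tokens.reduce((g, w) => g * (WORDS.indexOf(w) + 1), 1) * 2 ** subs;
  }
  return 95 ** pw.length;         // 95 printable ASCII symbols per position
}

// Seconds to exhaust the estimated guesses under each of the meter's scenarios
function crackTimes(pw) {
  const guesses = estimateGuesses(pw);
  return Object.fromEntries(Object.entries(RATES).map(([k, r]) => [k, guesses / r]));
}
```

Run against the post's own examples, passwordpassword and r3@11yc00lp@ssw0rd fall in the low thousands of guesses, while a random 19-character string hits the brute-force branch and its offline fast-hash time is still astronomical.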

Your security policies

Developing strong security policies is an important first step in improving your security posture. This process can be a hassle, but dealing with a breach can be catastrophic. Reach out if you need assistance developing security policies within your organization.
