Password policy

A password policy is a set of rules that are implemented to protect systems and applications from unauthorized access due to weak login credentials or processes. A key part of an organization’s security posture, a robust password policy is crucial for effective access controls. It directs the creation and use of passwords to optimize overall protection by minimizing the misuse or theft of passwords.   

NIST guidelines on password policies 

User password policy criteria

• Users should be presented with the password policy and allowed to create their own.  
• Passwords created by a user should be at least eight characters in length, but can contain up to 64 characters. 
• Users should be permitted to use all printing ASCII (RFC 20) characters and the space bar in their passwords as well as Unicode (ISO/ISC 10646) characters; each code point should be counted as a single character.  
• A password policy should not impose any other restrictions on users’ choice of passwords (i.e., there should not be additional complexity requirements); for instance, users should not be required to create a password with a mixture of different character types or prohibit consecutively repeated characters.  
• Users should not be required to change their passwords unless there is evidence that the password has been compromised.   

Password policy and blacklists

Before confirming a user’s selected password (i.e., new or updated), it should be compared against a list of guessable values, because they are expected or commonly used, or known to be compromised. Examples of guessable types of passwords are passwords obtained from previous breach corpuses, dictionary words, repetitive or sequential characters (e.g., aaaaaa and 1234abcd), and context-specific words (e.g., the name of the service, the username, and derivatives of these). 

If the password selected by the user is rejected because it does not meet the specified criteria or it is included on a blacklist of compromised passwords, the user will be required to select a different password. In this case, the users should be advised as to the reason their password was rejected. 

Password policy for cut/paste and display functions

Users should be allowed to use the cut and paste functions to enter passwords into forms. In addition, users should be given the option to display their password when it is entered to confirm that it is correct. 

Password policy for failed login attempts

A rate-limiting mechanism should be implemented to restrict the number of failed login attempts that can be made on a user’s account to protect against online guessing attacks. According to NIST 800-63B Section 5.2.2, no more than 100 attempts should be allowed. 

Password policy for password protection

Encryption and authentication solutions should be used to transmit requested passwords securely. In addition, passwords should be salted and hashed using a suitable one-way key derivation function. The salt should be:  

• created by a random bit generator 
• at least 32 bits in length 
• chosen arbitrarily 

The hash should be as large as the verification server performance will allow, usually at least 10,000 iterations. 

Password policy for random generation

If a password is randomly generated by the application or system, it only needs to have a minimum of six characters. 

Password policy for quality

A password-strength meter should be used to show users the quality of their proposed passwords. This helps promote the creation of strong passwords and dissuades users from making slight modifications to rejected passwords that result in it being approved, but being of low quality.   

Password policy for suggestions

Under no circumstances should users be allowed to store a password clue that could be accessed by anyone but themselves. In addition, prompts may not be given as clues. For example, it is not acceptable to ask users for security questions and answers to be used as prompts, such as the name of their first pet, the model of their first car, or their mother’s maiden name. 

Highlights of NIST SP800-63B Password Policy Guidelines

-Allow ASCII characters, Unicode characters, and spaces to be used in passwords.  -Do not enforce complexity requirements or password expiration period.  -Enable copy-and-paste functionality while entering a password.  -Implement and enforce multi-factor authentication (MFA).  -Limit consecutive failed authentication attempts on a single account (note that NIST recommends capping this number at 100, but most experts agree that the number should be in the single digits).  -Mandate a minimum length of 8 characters for passwords.  -Provide a password strength meter.  -Require that passwords are salted and hashed.   -Check all prospective passwords against a list of values known to be commonly used, expected, or compromised, such as passwords that:  —Include words that appear in dictionaries.  —Are obtained from previous breach corpuses.  —Have repetitive or sequential characters (e.g., aaaaaa and 1234abcd).   —Use context-specific words (e.g., the name of the service, the username, and derivatives of these).  -Store passwords in a form resistant to offline attacks (e.g., encrypted).

Other password security standards and guidelines

Following are examples of password policy standards and guidelines. 

Center for internet security (CIS)

The CIS Password Policy Guide’s objective is to be a single comprehensive password policy that can serve as a standard wherever a password policy is needed. Key CIS password policy guidelines include: 

• Allow all character types in a password and require at least one non-alphabetic character for password-only accounts. 
• Allow Paste in password fields when using a password manager. 
• Automatically suspend an account without a valid login in 45 days. 
• Change the password immediately in the event of a breach. 
• Check on new password creation against an internal deny list of at least 20 known poor or weak passwords and the previous five passwords. 
• Do not allow user-defined password clues at login. 
• Enforce the expiration of passwords after one year.   
• Implement temporary account lockout for 15 minutes or more after five consecutive failed attempts, with time-doubling throttling (in minutes) between each retry with a permanent account lockout (IT reset required) after 12 retries. 
• Lock open sessions after 15 minutes of inactivity. 
• Alert key personnel when the above bad login attempts reach the limit. 

Criminal Justice Information Services (CJIS)

CJIS is the largest division of the FBI that provides tools and services for law enforcement, national security community partners, and the general public. The password policy guidance provided by CJIS closely follows NIST 800-63B. Several additional recommendations by CJIS relate to password policy, including: 

• Biometrics should only be used only as part of multi-factor authentication with a physical authenticator. 
• Change default passwords prior to first use. 
• Establish administrative procedures for initial password creation, lost/compromised/damaged passwords, and revoking passwords. 
• If and when a password expires, it should be usable again. 
• Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.  
• Notify users immediately if there is suspicion that a password has been lost or stolen.  
• Reauthenticate users at least once per 12 hours, during an extended usage session, and after 30 minutes if the user is inactive. 
• Update passwords annually or when there is evidence of compromise. 
• Use multi-factor authentication for privileged and non-privileged accounts. 

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Security Rule provides national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA password requirements come under the Administrative Safeguards of the HIPAA Security Rule and include: 

• Establish guidelines to create and change passwords in a periodic cycle.
•  Implement procedures for creating, changing, and safeguarding passwords.  
• Train the workforce on ways to safeguard password information. 

International Organization for Standardization/International Electrotechnical Commission 27002

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It includes password policy guidelines to prevent unauthorized access to systems and applications, including: 

• Change default vendor passwords after the installation of systems or software. 
• Create quality passwords with sufficient minimum length, which are: 
  • Easy to remember. 
  • Not based on anything someone else could easily guess or obtain using person-related information (e.g., names, telephone numbers, and dates of birth). 
  • Are not vulnerable to dictionary attacks (i.e., do not consist of words included in dictionaries). 
• Do not use the same secret authentication information for business and non-business purposes. 
• Ensure proper protection of passwords when passwords are stored and used for automated log-on procedures. 
• Prohibit the use of consecutive identical, all-numeric, or all-alphabetic characters. 
• Store and transmit passwords in protected (e.g., encrypted or hashed) form. 
• Use interactive password management systems that: 
  • Allows users to select and change their passwords. 
  • Do not display passwords on the screen when being entered. 
  • Enforce the use of individual user identification (ID) and passwords to maintain accountability. 
  • Force users to change their passwords when they log on for the first time. 
  • Maintain a record of previous user passwords and prevent reuse. 
  • Prompts users to change passwords regularly and when there is a compromise.  
  • Requires the use of quality passwords. 
• Store password files separately from application system data. 

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)

NERC CIP has standards that specify the minimum security requirements for bulk power systems. It has password policy requirements for power system operators, including: 

• Change known default passwords. 
• Enforce password changes or an obligation to change the password at least once every 15 calendar months. 
• Limit the number of unsuccessful authentication attempts. 
• Require that password length be at least eight characters, including three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, or non-alphanumeric). 

Payment card industry data security standard (PCI DSS)

PCI DSS includes requirements to protect sensitive information and maintain privacy. As part of this, it provides password policy guidelines, including: 

• Always change vendor-supplied passwords.   
• Disallow passwords from being hardcoded on scripts. 
• Do not allow an individual to submit a new password that is the same as any of their last four passwords. 
• Force users to re-enter their password if they have been inactive for more than 15 minutes.  
• Limit repeated access attempts by locking out the user ID after not more than six attempts.  
• Prompt users to change their passwords at least once every 90 days.   
• Require that passwords have a minimum length of 12 characters and contain both numeric and alphabetic characters.  
• Provide a password strength indication on creation.   
• Use multi-factor authentication wherever possible.   
• Require a minimum length of 14 characters for password-only accounts and eight characters for MFA-enabled accounts, allowing the maximum password length to be as long as possible based on system constraints. 

Components of a password policy

Below are several key components that should be included in a password policy. 

• A ban on password sharing 
• Criteria for an acceptable password (e.g., length, complexity, and exclusions) 
• Limitations on password reuse  
• Number of failed login attempts allowed and related procedures for lockouts 
• Parameters for acceptable password strength 
• Password storage guidelines and requirements 
• Process for changing a password  
• Requirements for multi-factor authentication (MFA) 
• Rules for password expiration and reset 

Corporate password policy best practices

Below are the core best practices when developing a password policy. 

Enforce the password policy

Use automated systems to enforce the password policy and conduct random audits to confirm that users follow the rules that cannot be automated. 

Keep the password policy up to date

An organization’s password policy should be reviewed and updated on a regular basis to ensure that it continues to align with the latest best practices and utilizes the optimal available technology.   ‘

Require the use of strong passwords and usage protocols

To keep unauthorized users from guessing passwords, they should follow these guidelines. 

• Change passwords in the event of a compromise. 
• Check user-proposed passwords against a list of commonly used, expected, or compromised passwords.  
• Direct users to never share their passwords. 
• Encrypt stored passwords. 
• If passphrases are used, they must consist of three or more dictionary words joined by non-alphabetic characters (e.g., Party-1999@Lake!bLue). 
• Implement multi-factor authentication (MFA). 
• Passwords must:  
  • contain at least eight alphanumeric characters. 
  • contain at least one uppercase alphabetic character and at least one lowercase alphabetic character. 
  • contain at least two non-alphabetic characters and at least three alphabetic characters. 
  • not contain easily guessed or obtained personal information, such as names of family members or pets. 
• Passwords should not be reused. 

Use penetration testing

Take a proactive approach to security and leverage ethical hackers to probe systems and test users to identify adherence to password policy and other security gaps.   

Password policy FAQ 

Frequently asked questions related to password policy include the following. 

What types of issues does the enterprise face when password issues occur?

Failure to follow a password policy results in a number of issues. The three most serious issues are: 

1. Data breach
2. Compliance failures and penalties 
3. Unauthorized access to systems and other assets 

What is a corporate password policy?

A corporate password policy uses best practices and standards in a manner that fits with specific internal requirements for workflows, security, and compliance. 

How should the corporate password policy be communicated? 

All users that access corporate assets should be aware of and understand the organization’s password policy. This should be communicated in several ways, including as part of: 

• The employee manual 
• Onboarding 
• Security training 
• System prompts when accessing assets 
• Updates and reminders from security and IT teams 

Password policy enforcement is a critical first line of cyber defense

Simply implementing and enforcing best practices and standards for password policies can stop a commonly exploited attack vector. Providing training and guardrails that require users to follow password policy and process rules ensures that vulnerabilities are minimized to protect sensitive assets from unauthorized access. 

You might also be interested in: