A month or so ago, I was on a call with a security consultant at a well-respected firm that had conducted an external pen test for the company I work at. Everything was going smoothly, with no major issues to address.
We had some extra time and were just chatting when the subject of password rotation came up. One of my coworkers asked what the best practice for password rotation is. To my amazement, they said to force changes every 30-45 days but definitely no longer than 90 days.
This person reasoned that if a password is compromised and leaked, it would only be good for a short time. Fair enough, that is logical.
Since then, I’ve thought about password best practices a great deal. My conclusions are similar to what Microsoft and NIST recommend.
Forced password changes promote bad password hygiene. I’ve seen countless sticky notes stuck to monitors or taped to laptops. I’ve known many users who use patterns like Password-01, which becomes Password-02 at the next rotation, and so on. For a threat actor, it’s pretty simple to spot these patterns and then arrive at the current password by trial and error.
NIST and Microsoft consider it best practice to use more complex passwords that don’t expire, then only force a password change if it is believed the account was compromised.
Use a password of at least 12 characters. Ensure you are using upper-case letters, lower-case letters, numbers and special characters in your password.
Avoid using easily identifiable information such as pet names or family member birthdays. Don’t use the site name or a generic dictionary word that describes the site. For example, don’t use Email123! for your email login.
My recommended method for passwords is actually using a pass-phrase. A pass-phrase combines several random words together with number(s) and special character(s). For example “Dosage-Overcoat-Disburse4” is an incredibly strong password that is still easy enough to type.
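As an added illustration (not code from the original article), here is a small Python generator for pass-phrases in the article's "Dosage-Overcoat-Disburse4" shape, along with an entropy estimate so you can see how much a longer word list or an extra word buys you. The word list is a constructed sample; the function names are my own, and a real deployment would load a large published list such as a diceware list.

```python
import math
import re
import secrets
import string

# Constructed sample word list. A real tool should load a large list
# (thousands of words) so that each word adds meaningful entropy.
WORDS = [
    "dosage", "overcoat", "disburse", "lantern", "granite", "marble",
    "saddle", "tundra", "velvet", "whisker", "anchor", "bramble",
    "cobalt", "drizzle", "ember", "falcon",
]

SEPARATOR = "-"


def generate_passphrase(wordlist=WORDS, n_words=3, n_digits=1, rng=secrets):
    """Return a pass-phrase shaped like the article's example.

    Words are chosen with the CSPRNG from the secrets module (rng is
    injectable for tests), capitalised and joined with the separator;
    the digits are appended to the last word, as in the article.
    """
    if n_words < 2 or len(wordlist) < 2:
        raise ValueError("need at least two words to build a pass-phrase")
    words = [rng.choice(wordlist).capitalize() for _ in range(n_words)]
    digits = "".join(rng.choice(string.digits) for _ in range(n_digits))
    return SEPARATOR.join(words) + digits


def entropy_bits(wordlist_size, n_words=3, n_digits=1):
    """Entropy in bits of a pass-phrase produced by generate_passphrase.

    Each word contributes log2(wordlist_size) bits (repeats are allowed)
    and each digit log2(10). The fixed separator and capitalisation add
    nothing: an attacker who knows the scheme need not guess them.
    """
    return n_words * math.log2(wordlist_size) + n_digits * math.log2(10)


# Shape check used to validate output: Word-Word-...-Word<digits>
PASSPHRASE_RE = re.compile(r"^(?:[A-Z][a-z]+-){1,}[A-Z][a-z]+\d+$")


def matches_scheme(candidate):
    """True if candidate has the Word-Word-Word<digits> shape."""
    return PASSPHRASE_RE.fullmatch(candidate) is not None
```

With a 7776-word diceware list, three words plus one digit give roughly 42 bits; adding a fourth word adds almost 13 more, which is why word count matters more than the trailing digit.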
Reusing passwords can be dangerous. If one of your accounts is compromised, attackers could potentially access all of your other accounts.
Password managers take a lot of the work out of passwords. Use a reputable password manager and keep everything in it. I use mine to generate all of my passwords and to ensure I’m not re-using a password anywhere.
A great option is Bitwarden. The free plan is enough for almost everybody, and if you need more features, the cost is trivial. Another option I recommend is 1Password.
Use two-factor authentication everywhere it’s supported. Don’t use SMS if you can avoid it. Use a phone app like Microsoft Authenticator or, even better, a hardware key such as a YubiKey.
Put simply, good password hygiene takes work and is a moving target. As threat actors become more sophisticated, passwords and authentication must adapt.
If you take one thing away from this article, use a password manager. The small bit of effort it takes to set up and get used to is well worth it.
For some extensive reading, you can check out NIST’s recommendations here.
2024. Skip Barker - All rights reserved.