What are the best practices for password policies?

Written By: Matthew James
Published On:

What are the best practices for password policies? Security Policies – and the eventual demise of the password 

I did something unusual (for me) the other day – I went out for a drink in Sheffield city centre. Why does that matter to you? And why would I write about it here?  Well it was while I was out mingling with actual real live people that a conversation arose about security and passwords (seriously, I’m an absolute blast when I am out on the town, honestly) and what the best policies are around passwords. It came to my attention that there are still a lot of people still following best practices from a decade ago… 

 For the longest time now, the primary method of securing most systems has been the use of a simple Username, and a Password.  As the first stage of proving to a system you are who you are and that you should have access, there are guidelines to help make it as secure as possible. 

From 2 reliable sources, National Cyber Security Centre and Microsoft:- Password policy: updating your approach – NCSC.GOV.UK and Password policy recommendations – Microsoft 365 admin | Microsoft Learn there is a lot of info in these 2 pages, but let’s try and extract some starting information 

  • Maintain a 14-character minimum length requirement 
  • Don’t require character composition requirements. For example, *&(^%$ 
  • Don’t require mandatory periodic password resets for user accounts 
  • Ban common passwords, to keep the most vulnerable passwords out of your system 
  • Educate your users to not reuse their organization passwords for non-work-related purposes 
  • Utilise machine generated passwords 

Many of the reasons for these above choices are given in the NCSC article. 

Ok, so we have a decent start, but does a strong password policy alone ensure that our systems are secure? I think you already know – no it does not.  It is just 2 short pieces of information that can be gleaned in a myriad of ways, from brute force attacks, key loggers, social-engineering, Phishing attempts, Shoulder surfing data breaches…. When you sit down and read about it there are a scary number of methods to discover someone’s password (a lot covered in the linked NCSE page if you want to read further)  

What are the best practices for password policies? Adding extra layers of security

What are the best practices for password policies? So, we have a decent enough start by implementing a password policy for our systems, how can we make things better?  Let us move beyond 2 simple pieces of information “things you know” (to other factors…. Let us look at “things you have” and “Things you are” – often referred to as “Multifactor Authentication“ or “MFA” – you probably know what some of these are even if you are not aware of it as more and more systems are (rightly) requiring you use it. 

Most widely used is “things you have”. This is where a subsequent proof of identity and intent to log in is provided via a second path, common examples are security keys – small USB “dongles that need to be inserted to your computer, codes sent to mobile phones via text, codes generated by a mobile app, or notifications reacted to on your phone. because you have your mobile – it is seen as something extra required to prove who you are, and your intent.  

Next up is “things you are” which is commonly biometric information, e.g. fingerprints. These are slightly more controversial as some people are concerned about such information being shared to third parties. In many cases, such as “Microsoft hello for business” facial recognition, Androids fingerprint recognition, and facial recognition – this information actually remains local to the device that you set it up on, which is why you need to set up your fingerprints again every time you get a new device – this essentially makes these systems “what you have” but with more convenience.  

Adding any of these additional systems greatly increases your systems’ security to breach from people that are not supposed to have access. There are also ways of conditionally implementing them dependant on different criteria on the fly – such as Microsoft’s conditional access policies where you may not require MFA confirmation if someone is logging onto a machine they have used previously, which is in your office, but from other locations require MFA to be completed too. 

Adding some of these factors together, some systems are moving to “passwordless” entry where you may need to use 2 other forms of authentication rather than your password at all. The password system is deeply ingrained – but it might not be with us forever. 

Beyond the points above, there are many layers that can be added to several systems to improve security of your data to help keep data from falling into the wrong hands. One of these is Data Loss prevention – a system available from Microsoft 365 to prevent sensitive information being shared outside your network, but we are progressing beyond the real intent of this article, for now let’s get to the right password policy in place, and MFA on every system that supports it, and we are onto a good start. 

So how can you get started? That’s easy! If you are one of our current customers, then please talk to us! We can help you look at the platforms that you use and help you get the best security in place for each of them, yep, even the ones we don’t have a direct involvement in, we are here to help you understand and get the most out of your IT. 

What if you are not a current contract client?  talk to us about IT Support anyway! We are always happy to help and even without detailed knowledge of all your systems we can point you in the right direction with advice to make improvements