Sensible Password Policy

9

7

I've been tasked with putting together the company security policy. As part of this I want to define what is a sensible but secure password (length, characters etc), how often they should be changed, length of password history and so on.

Obviously I need to balance security against practicality.

What do people generally consider a good password policy?

Jon Hopkins

Posted 2009-07-22T08:27:29.323

Reputation: 1 936

Answers

5

Wikipedia has a nice summary on this topic

Common password practice Password policies often include advice on proper password management such as:

  • never sharing a computer account
  • never using the same password for more than one account
  • never telling a password to anyone, including people who claim to be from customer service or security
  • never writing down a password
  • never communicating a password by telephone, e-mail or instant messaging
  • being careful to log off before leaving a computer unattended
  • changing passwords whenever there is suspicion they may have been compromised
  • operating system password and application passwords are different
  • password should be alpha-numeric
  • make passwords COMPLETELY random but easy for you to remember

Suggestions from TU Delft:

Characteristics of acceptable passwords

  • a password contains at least eight characters, and
  • it contains at least one upper case letter, and
  • it contains at least one lower case letter, and
  • it contains at least one digit or another character such as !@#$%^&(){}[]<>..., and
  • it is not a term in a familiar language or jargon, and
  • it is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and
  • it is easy to remember, for instance by means of a key sentence, and
  • it can be typed in fluently.

Best practices for protecting passwords

  • avoid the use of the same password for work and private life;
  • regard all passwords as sensitive information, and do not share them with the accounts of colleagues, family members or other acquaintances;
  • do not reveal passwords to colleagues, one’s boss or other acquaintances, neither in normal circumstances nor in the event of leave or sickness;
  • do not mention any password in public, by telephone or in unencrypted communication;
  • never note down a password in a freely accessible location;
  • do not give any hints about the mnemonic used to remember your password;
  • never provide information about a password in questionnaires or security forms;
  • if misuse is suspected, then report this to the security organisation and immediately change all involved passwords;
  • if someone wants to know a password, then refer him to this policy.

Ivo Flipse

Posted 2009-07-22T08:27:29.323

Reputation: 24 054

3

With the proliferation of keyloggers and phishing attacks, it may behove your organization to consider alternatives to "strong" passwords. See Bruce Schneier's blog about the paper Do Strong Web Passwords Accomplish Anything?

I would strongly suggest using two-factor authentication. Between footballs, SecureID, and Yubikey, it is very easy and relatively inexpensive to implement a second factor of authentication.

pcapademic

Posted 2009-07-22T08:27:29.323

Reputation: 3 283

2

I like Passwordsafe for keeping track of passwords.

My suggestions:

  • Encourage pass phrases, not words. A nonsense phrase made up of 3-4 words is easier to remember than 8 garbled characters.

  • Set a reasonable maximum lifetime. From 3 to 6 months.

  • Do not rely on 1337 speak to protect a password. Brute force dictionary attackers such as Crack have been doing letter->number changes for close to 20 years. But do require letters, numbers, upper- and lowercase and punctuation.

  • Do not rely on non-English words for security. Any fool can load multiple dictionaries into a program. Doesn't matter if he speaks the language or not.

pgs

Posted 2009-07-22T08:27:29.323

Reputation: 3 153

+1 for passwordsafe. I don't actually know most of my passwords, and they are all different, even all of the random web stores. – RBerteig – 2009-07-22T09:40:30.507

Good reminder that simple number/letter substitution is not a good defence. I assume dictionary cracks are entirely comfortable with people simply appending numbers too? – Jon Hopkins – 2009-07-22T10:33:52.453

@Tyrannosaurs: If it can be automated you can bet someone's tried it. Dictionary attacks are slow, but easily parallelised. Imagine a bot-net attacking passwords. – pgs – 2009-07-22T10:45:52.737

I think a good question here is: should password managers be part of a company's security policy? Should regular users (except probably those from IT) be allowed to have password managers in their workstations? – Isxek – 2009-07-22T14:47:11.077

I personally don't have a problem with it. I can reset passwords on any machine I admin, and other machines are not my problem. Of course, single sign on and properly managed permissions are better than multiple passwords and a password manager. – pgs – 2009-07-22T15:00:09.467

By "except probably those from IT" I mean they should be allowed :) – Isxek – 2009-07-22T15:40:23.147
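The TU Delft criteria quoted in Ivo Flipse's answer and pgs's point about letter-to-number substitutions and appended numbers can both be turned into a single validator. The following is an added example, not code from the original thread or from TU Delft; the wordlist is a constructed stand-in for a real dictionary file, and the `normalize` step (undoing common substitutions and stripping trailing digits and punctuation before the dictionary lookup) is the approach chosen here to make the "not a term in a familiar language" rule resistant to the tricks pgs describes.

```python
import string

# Constructed sample wordlist. A real deployment would load a system dictionary
# or a cracking wordlist instead (assumption, not part of the original answers).
DICTIONARY = {"password", "welcome", "summer", "january", "company", "dragon", "letmein"}

# Letter->number/symbol substitutions that dictionary crackers undo automatically.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                          "@": "a", "$": "s", "!": "i"})

SPECIALS = set(string.punctuation)


def normalize(candidate: str) -> str:
    """Reduce a candidate to the word a cracker would actually be testing.

    Lowercase, drop leading/trailing digits and punctuation (the "Summer2009!"
    pattern), then undo leet substitutions ("P@ssw0rd" -> "password").
    """
    base = candidate.lower().strip(string.punctuation + string.digits)
    return base.translate(LEET_MAP)


def check_password(candidate: str, account: str, personal_info=()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    Implements the checkable TU Delft rules: length, upper/lower case, digit or
    special character, not a dictionary term, not derived from the account name
    or from personal information. "Easy to remember" and "typed fluently" are
    left to the user, as no program can judge them.
    """
    violations = []
    if len(candidate) < 8:
        violations.append("shorter than 8 characters")
    if not any(c.isupper() for c in candidate):
        violations.append("no upper case letter")
    if not any(c.islower() for c in candidate):
        violations.append("no lower case letter")
    if not any(c.isdigit() or c in SPECIALS for c in candidate):
        violations.append("no digit or special character")

    base = normalize(candidate)
    if base in DICTIONARY:
        violations.append(f"dictionary word once substitutions/suffixes are removed ({base!r})")

    acct = account.lower()
    # Guard against an empty normalized form, which would trivially match any account name.
    if base and acct and (acct in base or (len(base) >= 4 and base in acct)):
        violations.append("derived from the account name")

    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in base:
            violations.append(f"contains personal information ({item!r})")
    return violations


if __name__ == "__main__":
    # Constructed inputs: an account name and a couple of personal details.
    for pw in ["password", "P@ssw0rd", "Summer2009!", "Jsmith2024#", "correct-Horse7battery"]:
        print(f"{pw!r}: {check_password(pw, 'jsmith', ['Rover', '1985']) or 'accepted'}")
```

The substitution map and wordlist are deliberately small; what matters is that the dictionary lookup happens on the normalized form, so `P@ssw0rd` and `Summer2009!` are rejected for the same reason as `password` and `summer`, while a multi-word passphrase that merely contains a digit passes.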

2

For personal stuff I use

  • For important things; GMail, Web Host, Online Banking - a different 16-bit randomly generated (A-Za-z0-9) stored in a KeePass DB on DropBox encrypted with a complex but easily remembered passphrase. Perhaps a bit overzealous but it's not much extra hassle.
  • For common, less important things - forums, non-money related accounts etc, I use a set of simpler passwords.

Tom

Posted 2009-07-22T08:27:29.323

Reputation: 571

1

You need to choose a "sensible" frequency for how often they should be changed. Too quickly and people will degenerate into <old_password>+<number> (or something similar), too slowly and you increase the risk of the password being compromised. It might be worth investigating whether there's a rule you can set up to guard against this.

Equally you need to have a rule that says a password can't be reused for so many changes (perhaps 10) so that people aren't just swapping between two (or three) passwords for their account.

Make the password at least alphanumeric with at least one capital. To make it slightly more secure add that there's got to be at least one non alphanumeric character too.

ChrisF

Posted 2009-07-22T08:27:29.323

Reputation: 39 650
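ChrisF's two rules, a password-history depth and a guard against the `<old_password>+<number>` pattern, can be implemented at password-change time, where the user supplies both the old and the new password. The following is an added example, not code from the original thread: it keeps the last N passwords as salted PBKDF2 hashes (never in clear text) so reuse can be detected, and compares old and new with trailing digits and punctuation stripped to catch the increment-the-number habit. The history depth of 10 and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import os
import string
from collections import deque
from typing import Optional

HISTORY_DEPTH = 10        # assumption: remember the last 10 passwords, as the answer suggests
PBKDF2_ITERATIONS = 100_000  # assumption: iteration count for hashing history entries


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history entries never hold the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _strip_suffix(password: str) -> str:
    """Drop trailing digits/punctuation, so 'Winter2009!' and 'Winter2010!' compare equal."""
    return password.rstrip(string.digits + string.punctuation).lower()


class PasswordHistory:
    """Fixed-depth history of (salt, hash) pairs; the oldest entry drops out first."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)

    @property
    def depth(self) -> int:
        return self._entries.maxlen

    def seen(self, password: str) -> bool:
        return any(_hash(password, salt) == digest for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))


def change_password(history: PasswordHistory, old: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None when the change is accepted and recorded."""
    if history.seen(new):
        return f"reuses one of the last {history.depth} passwords"
    if _strip_suffix(new) == _strip_suffix(old):
        return "differs from the previous password only by a trailing number or punctuation"
    history.record(new)
    return None


if __name__ == "__main__":
    # Constructed walk-through with a depth of 3 so the expiry of an old entry is visible.
    h = PasswordHistory(depth=3)
    h.record("Winter2009!")
    for old, new in [("Winter2009!", "Winter2010!"),
                     ("Winter2009!", "Winter2009!"),
                     ("Winter2009!", "Blue-kettle#42"),
                     ("Blue-kettle#42", "Green-kettle#7"),
                     ("Green-kettle#7", "Red-kettle#1"),
                     ("Red-kettle#1", "Winter2009!")]:
        print(f"{old!r} -> {new!r}: {change_password(h, old, new) or 'accepted'}")
```

The suffix comparison is intentionally crude: it is a policy guard against the specific degeneration the answer describes, not a general similarity measure, and it only works at change time because that is the one moment the old password is available in clear text.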

1

You could have something like a password generator like SuperGenPass. So they could have a weak password but the string generated would be extremely strong. But that would be more for website logins.

Other options would be:

  1. Use 1337 speak in passwords.
  2. Use phrases with punctuation e.g. This, is a very very long password!
  3. Join the two [Th1s, is a v3ry v3ry l0ng p4ssw0rd!]

Stephen

Posted 2009-07-22T08:27:29.323

Reputation: 1 302

SuperGenPass is not so you can have a weak master password, just so you only have to remember one strong one. This is an important distinction. – itsadok – 2009-09-03T07:33:19.833

There is no reason to think that swapping numbers for vowels will offer any protection whatsoever. – Chris Burgess – 2012-02-23T21:23:52.117

1

Short version:

The admin part of me says 12-16 character passwords with both lower and upper-case letters and numbers. Also should have a random text part that's not in any dictionary. Should be sufficient to prevent network-based brute-force attacks.

As a user I like passwords that are easy to remember, even though they might be long (16 characters and up). Once I memorize it I can type it fast enough. Maybe instead of only enforcing a policy you should find clever ways to teach your users to choose secure and easily-remembered passwords, not just random chunks of characters.

Saulius Žemaitaitis

Posted 2009-07-22T08:27:29.323

Reputation: 289

1

On Friday I had to change my password at my client site. The rules they have are ridiculous. They are all the standard ones about must have uppercase, punctuation, minimum length, etc., as well as:

  • The first character cannot be punctuation character.
  • No dictionary words.
  • The same character cannot be used twice.

The problem is that they are so complex it is almost impossible to find one, particularly as the error message does not tell you the additional requirements they have.

I called the help desk and they said, just use one like this Pa5word# (not the real password) and then keep incrementing the number ....

I find these systems completely crazy as they stop you from using passphrases; for example "thisismypasswordforjanurary" is very easy to remember and very secure, but most systems won't allow those types of pass phrases.

So I would vote for a high minimum length, say 15-20 characters that way people can't just use words and l33t style passwords aren't required.

Whatever you choose, I would make sure you document what the restrictions are, and why they are there and some examples for users to help them generate secure ones.

Bruce McLeod

Posted 2009-07-22T08:27:29.323

Reputation: 5 490

This is a common one on military systems, you have to change the passwd each month and can't reuse the last 12 passwords. It results in people just putting a number or the date on the end of simple passwords – Martin Beckett – 2009-07-22T14:14:56.943

1

Most answers here go straight to suggesting policies. Which does answer the question so that's good. But in my opinion you need to ask yourself this first: how important is the information you are protecting?

For instance, the password policy for the department of defence to secure confidential information will probably be quite different from the policy you'll use for throwaway email accounts.

Mark van Lent

Posted 2009-07-22T08:27:29.323

Reputation: 236