Complexity, uniqueness, and periodic change were long considered the best password practices, but newer recommendations have changed password policies. Passwords were supposed to solve the authentication problem; instead, they have become a major source of contention. Users continue to choose weak or easy-to-guess passwords and reuse them across multiple services. They also tend to question the limits placed on them: “Which of these rules is reasonable? Which ones actually work? Why are there so many requirements?”

Password policies are evolving, even if user attitudes are not. Current guidance puts more weight on screening passwords against lists of known weak or breached passwords and less on forced expiration. The following practices are currently in use:

  • Set complexity requirements, such as a minimum length and the use of several character types (mixed case, digits, and special characters).
  • Stop users from reusing previously used passwords.
  • Expire passwords on a fixed schedule only where necessary; current guidance favors forcing a change when a password is known or suspected to be compromised rather than on a calendar.
  • Check new passwords against lists of the most common or especially weak passwords, and reject matches.

Password guidelines

Passwords chosen by users must be at least eight characters long; passwords generated by systems must be at least six characters long and may be entirely numeric (these thresholds follow NIST SP 800-63B). Passwords of the following types should be rejected:

  • Passwords exposed in previous breaches
  • Dictionary words
  • Repetitive or sequential characters (e.g., aaaaaa or 1234abcd)
  • Context-specific words, such as the service’s name, the username, and derivatives of either

Separately, passwords must never be stored in a recoverable form: the verifier keeps only a salted hash produced by a suitable password-hashing function, so that a leaked database does not directly yield passwords.

The default settings in Windows are not always the same as those in the Windows Security Baselines, which are groups of policy settings “based on feedback from Microsoft security engineering teams, product groups, partners, and customers.” The baselines are part of the Microsoft Security Compliance Toolkit, which also includes policy-related administration tools. Because they are a Microsoft-endorsed configuration, the Security Baselines are another very common starting point. The settings that changed most recently are the minimum and maximum password age. The minimum age is the number of days that must pass before users may change their password; the maximum age is the number of days after which users must change it. The minimum defaults to one day in both Windows and the baselines; the maximum defaults to 42 days in Windows and, until Microsoft dropped the expiration requirement from the baseline, was 60 days in the Security Baselines. Almost all default configurations have both options enabled, so a domain that has not deliberately revisited them is still expiring passwords on a schedule.

The ground rules for password complexity

When the Windows “Password must meet complexity requirements” policy is enabled, a new password is checked against the following rules:

  • It must be at least six characters long.
  • It may not contain the user’s account name (samAccountName), and it may not contain any part of the user’s full name (displayName) that is three or more characters long once the name is split on commas, periods, dashes, underscores, spaces, pound signs, and tabs. Neither check is case-sensitive.
  • It must include characters from at least three of the five groups listed below:
    • Uppercase letters (A through Z, including letters with diacritical marks, Greek and Cyrillic)
    • Lowercase letters (a through z, sharp s, including letters with diacritical marks, Greek and Cyrillic)
    • Base 10 digits (0 through 9)
    • Non-alphanumeric characters (special characters): ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
    • Any Unicode character that is alphabetic but is neither uppercase nor lowercase (for example, characters from Asian languages)
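The guideline list above and the Windows complexity rules can be combined into a single validator that returns every reason a candidate is rejected, which is more useful for audits than a plain accept/reject. The following is an added example written for this page, not code from the original article, from Microsoft, or from NIST. The breach list and dictionary are tiny constructed stand-ins for a real corpus, the service name `ExampleService` is assumed, and the leet-speak mapping used to catch “derivatives” of dictionary and context words is this example’s own choice.

```python
import re

# Constructed stand-ins for a real breach corpus (e.g. a top-N list or a
# Pwned Passwords export) and for a real dictionary. Replace in production.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}

# The special-character set from the Windows complexity rule.
SPECIAL = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
# Assumed leet substitutions users make to dodge dictionary checks.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
# Delimiters Windows uses to split displayName into tokens.
DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def letter_forms(s: str) -> set[str]:
    """Lower-cased, letters-only views of s: as typed, and with leet undone."""
    low = s.lower()
    return {"".join(c for c in low if c.isalpha()),
            "".join(c for c in low.translate(LEET) if c.isalpha())}


def has_repetition(pw: str, run: int = 4) -> bool:
    """True for runs such as 'aaaa' or '1111' of length >= run."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """True for ascending or descending code-point runs such as '1234' or 'dcba'."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def windows_complexity_problems(pw: str, sam_account_name: str, display_name: str) -> list[str]:
    """Checks modelled on the Windows 'Password must meet complexity requirements'
    policy: >= 6 chars, no samAccountName (if >= 3 chars), no displayName token
    of >= 3 chars, and characters from >= 3 of the 5 categories."""
    problems = []
    if len(pw) < 6:
        problems.append("complexity: shorter than 6 characters")
    low = pw.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        problems.append(f"account_name: contains samAccountName '{sam_account_name}'")
    for token in DISPLAY_NAME_DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in low:
            problems.append(f"account_name: contains displayName token '{token}'")
    categories = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c in "0123456789" for c in pw),   # base 10 digits only
        "special": any(c in SPECIAL for c in pw),
        # Alphabetic but neither upper nor lower case, e.g. CJK characters.
        "other_alpha": any(c.isalpha() and not c.isupper() and not c.islower() for c in pw),
    }
    hit = sum(categories.values())
    if hit < 3:
        problems.append(f"complexity: only {hit} of 5 character categories")
    return problems


def check_password(pw: str, username: str, display_name: str,
                   service_name: str = "ExampleService", system_generated: bool = False,
                   windows_complexity: bool = True) -> list[str]:
    """Return every policy violation found; an empty list means 'accept'."""
    problems = []
    # 8+ characters for user-chosen secrets; 6+ (digits allowed) if system-generated.
    minimum = 6 if system_generated else 8
    if len(pw) < minimum:
        problems.append(f"too_short: fewer than {minimum} characters")
    if pw.lower() in BREACHED_PASSWORDS:
        problems.append("breached: appears in the breach corpus")
    forms = letter_forms(pw)
    hits = forms & DICTIONARY_WORDS          # catches P@ssw0rd as well as password
    if hits:
        problems.append(f"dictionary: resembles '{sorted(hits)[0]}'")
    if has_repetition(pw):
        problems.append("repetitive: 4+ identical characters in a row")
    if has_sequence(pw):
        problems.append("sequential: 4+ consecutive characters in a row")
    # Context-specific words: username, service name and display-name tokens.
    for word in [username, service_name, *DISPLAY_NAME_DELIMS.split(display_name)]:
        norm = "".join(c for c in word.lower() if c.isalpha())
        if len(norm) >= 3 and any(norm in f for f in forms):
            problems.append(f"contextual: contains '{word}'")
            break
    if windows_complexity:
        problems.extend(windows_complexity_problems(pw, username, display_name))
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "P@ssw0rd", "jsmith2024!", "1234abcd"]:
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith") or "ok")
```

Note that a six-digit system-generated secret passes the first set of rules only when the Windows complexity check is switched off: the two regimes disagree on that case, which is why `windows_complexity` is a separate switch rather than always on.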

Policy best practices

  • Keep up with the latest recommendations for creating and storing secure passwords.
  • Reduce the ways users can fail the policy: screen weak and breached choices when a password is set, rather than relying on expiration to flush them out later.