1. Implement 2FA or MFA
To know about the Top 10 rules for password management. Even the most diligent and careful end user can make a costly password mistake. For example, in a hurry, they could accidentally put their password in the wrong field.
In most cases, 2FA and MFA stop bad actors from accessing accounts, even if they have the correct login credentials. There are many good 2FA and MFA tools out there that are available for free, and also feature push notifications.
2. Implement a Password Manager
With a password manager, users only need to remember two sets of login credentials instead of dozens, allowing them to become virtually passwordless. The first set of credentials is for their own system, and the second is to access the password manager. The password manager can also ensure that users choose very strong passwords or passphrases (see best practice #3) that are at least 16 characters in length.
In addition, if the password manager supports Microsoft’s Single-Sign-On (SSO), then users only need to create and remember one set of login credentials. Organizations that use SSO can even take things a step further and implement password-less authentication with solutions like Microsoft Hello (which uses biometrics) or Yubikey (which uses hardware).
3. Use Passphrases
When users are obligated to remember passwords (i.e. when implementing passwordless authentication is not feasible), then length needs to be favored over complexity. This is because many users rely on patterns and tricks to help them remember passwords, such as “Password123!”, or they use the practice of “Leetspeak” — the act of changing letters for similar characters such as “p@55w0rd” instead of “password”). These techniques are widely known and actively exploited by malicious actors.
Unfortunately, the vast majority of users cannot remember a 16+ character password without resorting to these patterns and tricks, which is why a passphrase makes sense. As a little while ago, a passphrase is much longer than a typical password (which makes it less vulnerable to a brute force attack), and it contains letters, symbols, spaces, and numbers. For example: “My Purple Dog, Paul, Loves When I Play Frisbee With Him”. As you can see, it is wiser to choose a passphrase that doesn’t make logical sense and is not associated with the user (i.e. the user in this example does not have a dog, purple or otherwise ??). For even better security, users can mix languages.
4. Change Passwords After Proof of a Compromise
In the past, organizations were advised to have end users regularly change passwords. These days, however, the guidance from NIST is very different: end users are better off NOT regularly changing passwords because research has shown that they typically choose weaker, easier-to-crack credentials. Instead, users should only change passwords when there is evidence of a compromise.
To check for evidence, organizations can use services like the Have I Been Pwned? Domain Search, which finds all email addresses on a particular domain that have been caught up in a known data breach. It is also possible to receive email notifications if email addresses appear in future breaches. This helps prevent bad actors from bypassing 2FA with social engineering, as the organization will know when to change passwords and on which services.
5. Compare Passwords Against a List of Known Weak and Compromised Passwords
It’s important for this list to include words related to a user’s personal or work environments, such as the company name and the username. This is good protection against a dictionary attack, which will try a list of known passwords. Common dictionary passwords include things like “qwerty1!” and “1122334455667788”, and the most known password list would be rockyou.txt.
To streamline and standardize this process, organizations should deploy a password manager or remote connection tool that has built-in password checking functionality. Also, Azure AD offers a password protection feature. For their personal accounts, end-users should be encouraged to use a tool like Have I Been Pwned? to see how many times a potential password has been breached.
6. Enforce Just-in-Time Access for Privileged Accounts
Hashes are often stored on a system when users or administrators connect on a machine. This can lead to a pass-the-hash attack, in which bad actors steal hashed credentials and reuse them to trick an authenticated system into creating a new authenticated session on the same network. Importantly, it is not necessary to crack the password — just to capture it, which means that it doesn’t matter how long or complex the password/passphrase is.
To reduce this risk, organizations should implement just-in-time access for privileged accounts by using a robust Privileged Account Management solution. One option is Devolutions Server, which features a PAM module that enables administrators to approve or reject access requests. It is also possible to enforce a mandatory password change after a credential has been used and/or at a scheduled time/date.
7. Enforce a Password History Policy
Organizations should enforce a password history policy to ensure that end-users do not select old passwords. The Center for Internet Security (CIS) recommends setting this value to 24 or more (section 1.1.1). In addition, the policy should also enforce a minimum password age. Otherwise, end-users could change their password multiple times within a few minutes in order to re-use the preferred password they started with.
8. Eliminate Password Re-Use
Speaking of password re-use: a surprisingly common practice is for users, and even some administrators, to re-use passwords all over the place. While this is convenient, it is also very risky and ill-advised. However, there are also scenarios where password re-use is not intentional. Unfortunately, this means that compromising one machine unlocks all of them.
An excellent and practical solution to this problem is to implement a Local Administrator Password Server (LAPS) for Windows domains or rely on a third-party solution.
9. Enable Copy/Paste Passwords
In theory, users should not be allowed to copy/paste passwords. But in reality, it is advised — because otherwise, users are likely to choose a password that is both easy to remember and simple to type.
And in case you think we’ve gone crazy, we aren’t the only ones recommending this. Here is what NIST says “Verifiers SHOULD permit claimants to use ‘paste’ functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.”
10. Enroll End Users in a Cybersecurity Training Platform
While it is not strictly part of a password management process, in the bigger picture it is nevertheless vital for end-users — who are and always will be the biggest part of the threat surface — to make sure they are part of the solution, instead of unintentionally part of the problem. Managers can also track end-user progress to identify knowledge gaps and training needs. To study more about our other blog.