Password Guidance

We’ve seen a lot of bogus password guidance lately. We’d like to take this opportunity to help set the record straight.

Did you know that the password “September2018!” fits commonly accepted password complexity rules? It contains at least one uppercase character, at least one lowercase character, at least one number, and at least one special character. For the end user, we completely understand the desire to use passwords that are easily memorable, especially when your organization enforces antiquated password aging rules.

It is the opinion of Aligned Risk Management that password aging rules are dangerous because they encourage bad behavior from end users.

It is the opinion of Aligned Risk Management that password complexity rules are dangerous because they provide a false sense of security.

Our password policy is based on the ARM password triad mantra: all passwords must be (1) long, (2) unique, and (3) random.

“FourScoreAndSevenYearsAgo” is a long password. But it is neither unique nor random. Try again.

“4vd23swds3” is a random password and is a unique password, but it is not long. It’s only ten characters. I have more digits on my hands and feet.

“SweepSlaveryDespairHouse4” is a long, unique, and random password. Well, it was unique, before we published this post, so don’t use it. Use the free password generator Correct Horse Battery Staple for strong, memorable passwords. http://correcthorsebatterystaple.net/

“Sweep slavery despair house4” is a long, unique, and random password. Well, it was unique, before we published this post, so don’t use that. But it’s a great example of a strong password. Use our free password generator for strong, memorable passwords: www.riskaligned.com/passwords

While passphrases built from dictionary words are arguably more susceptible to dictionary attacks, these passwords are far more secure than “September2018!”. The tradeoff is that each end user now creates a truly secure password, in exchange for not having to reset their password every 90 days. That, and…
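As an added example (not code from the original post or from Aligned Risk Management), the script below makes the two points above concrete: a complexity checker in the style the post criticises accepts “September2018!” while rejecting “Sweep slavery despair house4”, and a generator in the Correct Horse Battery Staple style draws words with a cryptographic random source and reports how many bits of entropy the result carries. The wordlist is a small constructed sample; the 7776-word figure used in the usage note is the size of a standard Diceware list, and the “12 months × 30 years × 10 symbols” model for the Month+Year+symbol pattern is an assumption chosen for illustration, not a figure from the post.

```python
import math
import secrets
import string

# Constructed sample wordlist for illustration only. A real generator would
# load a large list (thousands of words) from a file; the entropy math below
# depends only on the list size, so it applies unchanged to a full list.
SAMPLE_WORDLIST = [
    "sweep", "slavery", "despair", "house", "correct", "horse", "battery",
    "staple", "anchor", "meadow", "quartz", "violin", "ember", "lantern",
    "orbit", "pepper",
]


def passes_complexity_rules(password: str) -> bool:
    """The 'commonly accepted' rule set: one uppercase, one lowercase, one
    digit, one special character. Note there is no length, pattern, or
    breached-password check, which is why 'September2018!' sails through."""
    return (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_passphrase(wordlist, n_words: int = 4, separator: str = " ") -> str:
    """Pick n_words uniformly at random using the secrets module (a CSPRNG).
    random.choice is deliberately avoided: it is not suitable for secrets."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from wordlist_size
    distinct words: log2(size ** n) = n * log2(size). This is the 'random'
    leg of the triad measured honestly: the attacker may know the wordlist."""
    return n_words * math.log2(wordlist_size)


def pattern_entropy_bits(choices_per_slot) -> float:
    """Entropy of a password an attacker can model as a fill-in template such
    as <Month><Year><Symbol>: log2 of the product of choices per slot.
    The slot counts are supplied by the caller (assumptions, not data)."""
    total = 1
    for choices in choices_per_slot:
        total *= choices
    return math.log2(total)


def is_long_enough(password: str, minimum: int = 16) -> bool:
    """The 'long' leg of the triad. The 16-character threshold is an
    assumption for this example; the post itself gives no exact number."""
    return len(password) >= minimum


if __name__ == "__main__":
    weak = "September2018!"
    strong = "Sweep slavery despair house4"
    print(f"{weak!r} passes complexity rules: {passes_complexity_rules(weak)}")
    print(f"{strong!r} passes complexity rules: {passes_complexity_rules(strong)}")
    # Assumed template: 12 months, 30 plausible years, 10 common symbols.
    print(f"Month+Year+Symbol template: {pattern_entropy_bits([12, 30, 10]):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(7776, 4):.1f} bits")
    print("Fresh passphrase:", generate_passphrase(SAMPLE_WORDLIST))
```

Run as a script it prints the comparison and a fresh passphrase. The point a practitioner should take away is in the last two numbers: four words drawn at random from a 7776-word list give roughly 51.7 bits of entropy even if the attacker has the list, while a Month+Year+symbol password that satisfies every complexity rule has under 12 bits, because the attacker tries the template rather than every 14-character string.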

USE TWO FACTOR AUTHENTICATION OR MULTI-FACTOR AUTHENTICATION WHEREVER POSSIBLE.

You need to rely on something other than passphrases alone.

Read more on two factor authentication here: www.riskaligned.com/2fa

Repeal your organization’s password aging rules. They do not help.

Also, here’s some guidance from the National Institute of Standards and Technology on good password practices: https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd

“Careful with those password rules: they’re antiques!”