Data breaches can create a lot of issues for a business overnight, so administrators must teach users how to employ security measures. Password policy practices will help you with that.
The best password policy practices help users focus on length, uniqueness, and randomness. They also encourage users to enable other security measures, such as 2FA, for more protection. Explaining why these requirements are in place is a must.
Users will seldom follow a policy unless they understand why it’s in place. For that reason, we’ll explain the best practices, dive deep into them, and round it all up by showing you why they’re necessary.
- What Are The Best Password Policy Practices?
- Top Password Policy Practices
- 1. Encourage Users To Create Unique Passwords
- 2. Require Passwords To Be Long
- 3. Recommend Users To Avoid Common Places
- 4. Explain Why Randomness Is Better Than Complexity
- 5. Forget About Expiration Periods
- 6. Forbid Password Sharing
- 7. Blacklist Common Passwords
- 8. Demand More From Privileged Users
- 9. Ask Users To Enable 2FA
- 10. Be Clear About Your Policy
- Why Do You Need A Password Policy?
- Conclusion
What Are The Best Password Policy Practices?
The perfect password policy will ask users to create a password that’s unique, difficult to crack, and borderline impossible to hack. For that to happen, users should follow these three key practices:
- Use random words. Hackers will find a way to figure things out if you use parts of a song or personal information as your password. However, no human or software will guess your password if you make up random words on the spot.
- Make it as long as possible. An 8-letter password could take less than an hour to crack; in contrast, a 16-letter password could take years.
- Avoid using familiar concepts. Using your pet’s name, birthday, or address as a password is a great way to have your account hacked. Social media makes it easy for hackers to find details about anyone, so using personal information as a password is a terrible idea.
Users don’t usually know what makes a strong password or why websites have so many requirements for them. However, using these password policy best practices is key to keeping data breaches at bay.
Top Password Policy Practices
1. Encourage Users To Create Unique Passwords
Repeating passwords is the worst thing someone can do, other than using bland ideas (like using “password” as a password). For that reason, encouraging people to avoid reusing passwords is a must.
At the same time, crawling for leaked data is a good idea: you can look for passwords that appear in known breaches and prevent anyone from using them. Some browsers (like Chrome) already warn users when a saved password has shown up in a leak, but it never hurts to be extra careful.
2. Require Passwords To Be Long
A computer doing a brute-force attack (systematically trying every possible combination of characters) will take 2 minutes to guess an all-letter 8-character password. So, if your password is “password,” a computer will crack it in less time than it takes you to finish reading this article.
However, if you add special characters and numbers to the mix, it’ll take that same computer around 40 minutes to crack it. In contrast, a computer will need 173 million years to crack a 16-letter password – and that’d be one without numbers and special characters!
So, the longer your password is, the less susceptible it is to brute-force attacks.
3. Recommend Users To Avoid Common Places
Nobody wants to forget their password and have to go through the recovery process. However, if your password is easy to remember for you, hackers may have an easy time guessing it.
Most of our information is online, and you can’t turn a blind eye to that. For that reason, you should avoid using your surname, job title, address, and similar information as your password.
4. Explain Why Randomness Is Better Than Complexity
Some hackers use dictionaries to hack passwords. That doesn’t mean they look for new words in the dictionary to use them one by one: they download entire dictionaries to their password-cracking software and make their computers try different combinations.
For that reason, randomly-created words are better than standard ones. Or, at least, seemingly-random ones. For example, “dogcatmouseparrot” will be easier to crack than “torrapesuomtacgod” – and that’s nothing but reversing the words we just used.
Add numbers and uppercase letters to our example (e.g., “t0rraPeSuomTacg0d”) and you have something that no computer will crack, no matter how many dictionaries it uses.
5. Forget About Expiration Periods
We’ve all dealt with expired passwords: after 90-or-so days, you have to change your password for a brand new one. It supposedly prevents hackers from guessing long-used login credentials. However, studies show this method is more trouble than it’s worth.
For starters, users will never come up with a brand-new password every 90 days. They’ll use a variation of their old password. Or, even worse, they’ll start using easy-to-remember words (which, as you now know, will be easy for a hacker to guess or a computer to crack).
It’s better to explain password policy best practices to users than to force them to change their credentials every 30, 60, or 90 days, which pushes people to make unnecessary mistakes.
6. Forbid Password Sharing
Sharing passwords is a great way to get hacked. It should be forbidden, and there are few, if any, scenarios in which users should feel the need to do so.
However, if users do share a password as a last resort to deal with an important issue, they should change it as soon as possible.
If a user has to send a password to another person, they should use a secure channel to do so. Passwords are very delicate information, and sharing them out in the open is not a good idea. Encrypted communication is often the go-to way to share login credentials.
7. Blacklist Common Passwords
Common passwords should be blacklisted. That list should include the most common passwords (such as, once again, using “password” as your password) and other words people usually use for their login credentials, such as their company’s name.
These blacklists help users avoid common places that make them vulnerable when a hacker attacks a system or organization. Using this method ensures there are fewer chances of having a weak link.
8. Demand More From Privileged Users
Everything on this list is the bare minimum users should do to avoid getting hacked. A long, seemingly random, complex password that’s never shared is enough to keep hackers at bay – but not enough if someone is getting targeted.
Privileged users (administrators, for example) have access to a lot of sensitive data. If their login credentials were leaked, your company would be in jeopardy: a small business only has a 40% chance of recovering after a cyber attack.
For that reason, the more responsibilities and access to information a user has, the more should be demanded from them in terms of security.
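As an added example (not code from the original article), the following Python policy checker folds items 2, 3, 4, 7 and 8 into one function: a minimum length that rises for privileged users, a constructed common-password blacklist, an assumed organisation word (“acme”), leetspeak normalisation so that “P@ssw0rd2024!” is judged as “password”, and a similarity check against previous passwords that catches the “variation of the old password” habit described under item 5.

```python
import re
from difflib import SequenceMatcher

# Constructed sample blacklist; a real deployment loads a large leaked-password list.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "welcome"}
ORG_WORDS = {"acme"}   # assumed company name (item 7); replace with your own

# Map the usual substitutions back so "P@ssw0rd" is judged as "password" (item 4).
LEET = str.maketrans("0134578$@!", "oleastbsai")


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols ("Password2024!"), then undo leetspeak."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def check_password(pw: str, previous: tuple = (), privileged: bool = False) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    min_len = 20 if privileged else 16          # item 8: demand more from privileged users
    problems = []
    if len(pw) < min_len:                       # item 2: length beats complexity
        problems.append(f"too short: {len(pw)} < {min_len}")
    norm = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("matches a blacklisted common password")   # item 7
    for word in ORG_WORDS:
        if word in norm:                        # item 3: avoid the obvious
            problems.append(f"contains organisation word '{word}'")
    for old in previous:                        # items 1 and 5: no reuse, no minor variants
        if SequenceMatcher(None, normalize(old), norm).ratio() >= 0.8:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "dogcatmouseparrot", "Winter2024Secure!!"):
        print(candidate, "->", check_password(candidate, previous=("Winter2023Secure!!",)) or "OK")
```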
9. Ask Users To Enable 2FA
Two-Factor Authentication (or 2FA for short) is a great way to add another wall around your system. Unfortunately, hackers can manage to leak or figure out even the strongest passwords in the world – so you need a little failsafe mechanism when that happens.
How does 2FA work? It’s logging into an account with extra steps. First, you input your username and password. When you successfully pass that step, you’ll activate the 2FA mechanism.
There are different ways to use 2FA, although receiving a code on your cellphone is the most common. You enter that code to finally log in, and you can’t get access without it, even if you have the password.
Why is 2FA important? Because it helps deal with password leaks. If someone gets your login credentials, they’ll also need your cellphone – or they won’t get past the 2FA process to successfully log in.
10. Be Clear About Your Policy
Users will only reluctantly follow your password policy best practices if you don’t explain why you’re putting them in place.
Take the time to explain why security is important (and the consequences of an insecure system). People will be more enthusiastic about taking their security and passwords seriously when that happens.
Creating a password policy and not communicating it to users is setting yourself up for failure.
Do you want to have a successful password policy? Take the time to explain what users have to do and why it’s important for them to do it.
Why Do You Need A Password Policy?
- People use easy passwords. The number one most used password is “password.” The second most used password is “12345.” That shows a clear-cut pattern of what’s wrong when it comes to the average user and their security practices.
- Most users don’t know how to create a strong password. Terrible password policies have taught users the wrong way of creating passwords. Most believe picking a word and replacing vowels with numbers is enough. However, that’s easy for a computer to crack. You want long passwords, not needlessly complex ones.
- You’re one data breach from trouble. According to IBM, a data breach costs 9 million dollars on average. Of course, it may not cost that much if you own a small website or company, but the cost of a possible data breach is enough to bankrupt you.
Conclusion
The best password policy practices ask users to create long, unique, and seemingly random passwords. They also ask users to enable 2FA. At the same time, they prevent certain harmful practices, such as password sharing and reuse.