What are password security best practices?

Implementing essential password security measures

With password-based attacks becoming increasingly sophisticated, password security is more crucial than ever. Creating strong passwords that are not easily compromised is the key to maintaining the integrity of critical information. As stated by SpyCloud , 64% of Fortune 1000 employees reuse passwords across multiple sites. This practice significantly increases vulnerability to credential-stuffing and other password-based attacks, highlight ing how compromised credentials can lead to the organization's critical data being stolen or damaged.

What is password security?

Password security is the overall practices, tools, and measures designed to protect passwords from being compromised or misused by unauthorized individuals. As passwords play a crucial role in protecting personal and sensitive data from unauthorized access, their security is paramount. However, weak or compromised passwords continue to be a major vulnerability for attackers to gain access to accounts.

Why does password security matter?

Passwords protect identities, financial information, and personal data. When compromised, they can expose sensitive information, which can lead to identity theft, financial loss, and security breaches. Strengthening password security is necessary to mitigate these risks and protect critical systems.

The National Institute of Standards and Technology (NIST) provides key guidelines for password management in its 800-63B publication, emphasizing the need to balance security and usability. Similarly, ISO 27001, an international standard for information security management systems (ISMS), outlines requirements for password management as part of its comprehensive security framework.

10 best practices for password security

• Prioritize length over complexity: Longer passwords are better than shorter, more complex ones. User-generated passwords should be at least eight characters long, while auto-generated passwords should have a minimum of six characters.
• Avoid reusing passwords: Using the same password across multiple accounts increases vulnerability to many password attacks. Create unique passwords for each account to prevent unauthorized access if one is compromised.
• Implement password blocklists: Use blocklists to prevent the use of known compromised passwords. Avoid using common words, predictable sequences (e.g., "12345"), or personal information like birthdays or names.
• Enforce accounts lockouts: Users must be locked out of their accounts after 5-10 failed log-in attempts. Properly managed, account lockouts significantly enhance defenses against password attacks while maintaining a good user experience.
• Secure password storage: Do not store passwords in unencrypted formats, such as text files or written notes. Apply hashing and salting methods to strengthen security and make it difficult for attackers to crack them.
• Avoid password hints: Do not use password hints that could provide attackers clues about the account's password. Instead, create unique passwords that are easy to remember.
• Use multi-factor authentication (MFA): Combine passwords with other authentication factors which enhances security by requiring users to prove their identity through multiple factors. Even if a password is compromised, MFA can safeguard data against unauthorized access.
• Use passphrases: Use passphrases, which are a sequence of words or a sentence that are easy to remember but still secure.
• No mandatory periodic resets: Contrary to old practices, NIST recommends against forcing periodic password changes. Passwords should only be changed if there is evidence of a compromise or breach.
• Use a password manager: Password managers securely store and generate unique passwords for each account, reducing the need to remember multiple passwords and avoiding issues like password reuse.

Enterprise password security

Enterprises today handle vast amounts of sensitive data and use multiple applications across their networks. A key element in enterprise password management is Active Directory (AD), which centralizes identity and access management. AD stores and manages credentials for all user accounts and devices, making it a prime target for cyberattacks. The compromise of any password, particularly one linked to privileged accounts, can lead to business disruptions.

To mitigate these risks, implementing best practices for password security within AD is essential. This includes enforcing strong password policies with at least 12-16 characters, enabling account lockout policies, password history policies, and expiration policies to ensure protection against emerging threats.

Master your password policies with ADSelfService Plus

ADSelfService Plus is an identity security solution that helps you implement strong AD password policies in your organization. The Password Policy Enforcer allows you to set stringent password rules, preventing risks from weak or compromised passwords. ADSelfService Plus also tracks users' password history, manages account lockouts, sends password expiration notifications, and offers audit and reporting capabilities. In addition to these features, ADSelfService Plus provides adaptive MFA with support for a wide range of authenticators. It offers MFA for endpoints, cloud and on-premises applications, VPNs, and Outlook on the web.

FAQ