Full Report
Darin Roberts // “Why do you recommend a 15-character password policy when (name your favorite policy here) recommends only 8-character minimum passwords?” I have had this question posed to me […] The post *Passwords: Our First Line of Defense* appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Password Security Policy and Strength
## Overview
These practices address the need for strong, resilient password policies and challenge the common industry standard of an 8-character minimum: password spraying and brute-force attacks succeed at a high rate wherever weak credential standards are in place. The focus is on raising the minimum password length to deter automated attacks, even where Two-Factor Authentication (2FA) is present.
## Key Recommendations
### Immediate Actions
1. **Review Current Minimum Password Length:** Immediately audit all organizational login portals (email, VPN, custom portals) to identify if the minimum password length is set to 8 characters or less.
2. **Halt Weak Password Policy Deployment:** When deploying new systems or updating authentication policies, mandate a minimum password length of **15 characters** rather than accepting the NIST SP 800-63 or Microsoft O365 8-character minimum as sufficient.
3. **Verify 2FA Bypass Vectors:** For all systems protected by 2FA, explicitly test or review the failure modes of the secondary authentication mechanism (e.g., testing if soft tokens are linked to easily compromised secondary accounts like a VoIP service).
### Short-term Improvements (1-3 months)
1. **Implement 15-Character Minimum:** Begin the phased rollout to enforce a minimum password length of **15 characters** across all external and high-risk internal authentication points.
2. **Enhance Monitoring for Password Spraying:** Deploy or tune security monitoring tools to detect rapid, low-success login attempts across multiple user accounts (indicative of password spraying) on all external portals.
3. **Improve 2FA Implementation:** Review and remediate any scenario where a 2FA token can be redirected to a system protected only by single-factor authentication (e.g., securing associated VoIP or legacy backup methods).
### Long-term Strategy (3+ months)
1. **Develop Comprehensive Credential Strategy:** Formulate a long-term identity and access management (IAM) strategy that prioritizes password strength (length/complexity) as the **first line of defense**, ensuring 2FA is treated as a crucial secondary layer, not a substitute for strong passwords.
2. **Regular Credential Policy Audits:** Schedule quarterly reviews of external and high-value internal applications to ensure that outdated, weak password policies (like 8-character minimums) have not inadvertently been reintroduced or reverted by system updates.
3. **User Education on Modern Threats:** Initiate focused security awareness training that specifically explains *why* longer passwords are now necessary (due to the effectiveness of password spraying on short passwords), moving beyond generic complexity requirements.
## Implementation Guidance
### For Small Organizations
- **Prioritize External Access:** Focus immediate efforts on setting the 15-character minimum for email, VPNs, and any cloud services accessed externally, as these are the primary targets for initial compromise via password spraying.
- **Simple Enforcement:** If setting complex rules is burdensome, prioritize increasing the *length* requirement significantly (to 15+) over character-mix rules: every additional character multiplies the keyspace, so length provides exponential gains against dictionary and spraying attacks.
### For Medium Organizations
- **Systemic Policy Change:** Use Group Policy Objects (GPOs) or central IAM tools to enforce the 15-character minimum across the entire domain/identity provider infrastructure.
- **Targeted Remediation:** Divide users into tiers based on access risk. Target high-risk users (executives, administrators) for immediate password reset mandates to the new, longer length standard.
### For Large Enterprises
- **Phased Rollout with Communication:** Implement the 15-character minimum through a controlled rollout schedule, leveraging extensive change management communication explaining the security rationale behind the increase (combating spraying).
- **Integrate with PAM:** Ensure the new policy is integrated with and strictly enforced by Privileged Access Management (PAM) tools for all service accounts and administrative credentials.
- **Baseline Reporting:** Establish continuous monitoring and reporting metrics to track compliance with the new minimum length standard versus legacy requirements flagged in older, unmanaged systems.
## Configuration Examples
*Note: Specific technical commands for varying platforms (e.g., Active Directory, Azure AD, proprietary VPNs) are omitted here, but the target configuration values are specified.*
| Component | Configuration Goal | Recommended Value |
| :--- | :--- | :--- |
| Minimum Password Length | Set the baseline requirement for all newly created or reset passwords. | **15 characters** |
| Maximum Password Lifetime | (Implied best practice: frequent rotation matters less than length) | 90-180 days, or no scheduled expiry, **provided the length is 15+**. |
| Password Spray Detection Threshold | Configure SIEM/logging to alert on repeated failed login attempts across accounts. | Typically 5-10 failed attempts from a single source IP within a short window (e.g., 5 minutes). |
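A minimal version of the spray rule called for in the monitoring recommendation and in the detection-threshold row above, as an added example (not code from the BHIS post): it runs over constructed log lines in an assumed `timestamp result user src_ip` format and alerts when one source IP fails against 5 distinct accounts within a 5-minute sliding window, while a single account failing repeatedly is left to the normal lockout rule.

```python
# Added example (not from the BHIS post): a password-spray rule that flags a
# source IP failing against THRESHOLD+ distinct accounts inside WINDOW, the
# shape spraying leaves (many accounts, few tries each) that lockout misses.
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # distinct accounts per source IP (table: 5-10)
WINDOW = timedelta(minutes=5)  # sliding window (table: e.g., 5 minutes)

# Constructed, time-ordered sample lines; format "timestamp result user src_ip" is assumed.
SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL alice 203.0.113.7
2024-01-10T09:00:03 FAIL bob 203.0.113.7
2024-01-10T09:00:05 FAIL carol 203.0.113.7
2024-01-10T09:00:08 FAIL dave 203.0.113.7
2024-01-10T09:00:10 FAIL erin 203.0.113.7
2024-01-10T09:00:12 OK frank 203.0.113.7
2024-01-10T09:01:00 FAIL grace 198.51.100.2
2024-01-10T09:01:02 FAIL grace 198.51.100.2
2024-01-10T09:01:04 FAIL grace 198.51.100.2
2024-01-10T09:01:06 FAIL grace 198.51.100.2
2024-01-10T09:01:08 FAIL grace 198.51.100.2
"""

def parse(line):
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user, ip

def detect_spray(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: sorted accounts} for IPs whose failures reach `threshold`
    distinct accounts inside any `window`-long sliding window."""
    recent = defaultdict(deque)  # ip -> (ts, user) failures still in window
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, result, user, ip = parse(line)
        if result != "FAIL":     # successes do not count toward the rule
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= threshold and ip not in alerts:
            alerts[ip] = sorted(users)
    return alerts

if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_LOG).items():
        print(f"ALERT spray from {ip}: {len(users)} accounts {users}")
```

The second IP makes as many failed attempts as the first but against one account, so it is not reported as a spray; a per-account lockout or brute-force rule should cover that case.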
## Compliance Alignment
- **NIST SP 800-63B (Digital Identity Guidelines):** While NIST SP 800-63B sets an 8-character minimum for memorized secrets, organizations should justify deviating upward based on current threat intelligence, pushing for the higher entropy that length (15+) provides against both offline cracking and online spraying.
- **CIS Critical Security Controls:** Aligns directly with **Control 5: Account Management** and **Control 14: Security Awareness and Skills Training** by establishing strong credential rules and educating users on the required changes.
## Common Pitfalls to Avoid
1. **Relying Solely on 2FA:** Assuming that the presence of 2FA negates the need for strong passwords. Attackers often target the 2FA mechanism itself (e.g., by compromising linked services). Strong passwords block access to the primary factor, preventing the attack chain from progressing.
2. **Accepting Vendor Defaults:** Blindly adopting security recommendations provided by major vendors (like Microsoft's O365 8-character minimum) without local threat context analysis. Current threat environments render these defaults insufficient.
3. **Ignoring Spraying Vectors:** Focusing security efforts only on interactive logins while ignoring automated password spraying attacks directed at external email or VPN portals.
## Resources
- **NIST Special Publication 800-63B:** *Digital Identity Guidelines: Authentication and Lifecycle Management* (part of the SP 800-63-3 suite; for understanding the existing standard).
- **Microsoft Documentation:** Reviewing Microsoft's existing password policy guidance (to understand the baseline being argued against).
- **Threat Intelligence Feeds:** Monitoring current industry reports on successful password spraying campaigns to continually justify the increased length requirement.