Full Report
Most of you still can't do better than 123456? 123456. admin. password. For years, the IT world has been reminding users not to rely on such predictable passwords. And yet here we are with another study finding that those sorts of quickly-guessable, universally-held-to-be-bad passwords are still the most popular ones.…
Analysis Summary
# Best Practices: Password and Authentication Security
## Overview
These practices address the critical security risk posed by the widespread use of weak, easily guessable, and common passwords (e.g., "123456," "password," dictionary words). The goal is to enforce robust authentication policies that prioritize password length and complexity, ultimately reducing an organization's exposure to credential stuffing and brute-force attacks.
## Key Recommendations
### Immediate Actions
1. **Audit and Ban Common Passwords:** Immediately implement a blocklist enforcement mechanism across all authentication systems (including SSO, VPNs, and local accounts) to reject any password found on known common-password lists (such as the list derived from the 2025 Comparitech study and similar industry benchmarks) or in a breach corpus. Apply the check on every password set or reset, not only at account creation.
2. **Enforce Minimum Length Threshold:** Where passphrases are not yet mandated, immediately set a *minimum* acceptable password length of **12 characters** across all user accounts.
3. **Audit "Admin" and Default Accounts:** Conduct an immediate audit to identify and force a complex password reset on any user account, especially administrative accounts, still using default credentials (e.g., "admin," "administrator") or trivial passwords.
### Short-term Improvements (1-3 months)
1. **Migrate to Passphrase Policy:** Develop and deploy a policy favoring **long passphrases** over complex, short passwords. Guideline: Encourage phrases that are lengthy, memorable, and contain at least 16 characters.
2. **Do Not Substitute Predictable Transformations for Length:** If a legacy system still requires a numeric character or symbol, keep that rule to a single "at least one" requirement and do not suggest specific substitutions. Swapping 'o' for '0' or 'a' for '@', or appending '1', '123' or the current year, are the first mutations a cracking rule set tries, so they add almost no resistance to guessing. Prioritize length over character substitution rules.
3. **Promote Password Manager Adoption:** Deploy and mandate the use of organizational password managers (or explicitly recommend secure personal ones) to generate and store long, random passwords, reducing reliance on user memory.
### Long-term Strategy (3+ months)
1. **Implement Phishing-Resistant MFA:** Strategically plan and roll out Multi-Factor Authentication (MFA) that is resistant to common interception techniques (e.g., phishing). Prioritize hardware tokens (FIDO2/WebAuthn) or certificate-based auth over SMS/TOTP where feasible.
2. **Explore Passwordless Authentication:** Begin a pilot program or long-term strategy to phase out static passwords entirely by exploring passwordless authentication technologies (e.g., WebAuthn/Passkeys).
3. **Automate Rule Enforcement:** Integrate strict password requirement enforcement directly into identity management systems (IdM/IAM) to ensure that organizational password policies are automatically applied and monitored upon account creation and subsequent resets.
## Implementation Guidance
### For Small Organizations
- **Focus on Length & Blocklist:** Implement a strict minimum length policy (e.g., 14 characters) immediately. Do not rely on composition rules that users routinely circumvent (e.g., requiring one of every character class). Rely heavily on user education favoring long, personal passphrases.
- **Leverage Built-in Tools:** If a dedicated Okta/Microsoft Entra ID/etc. solution is cost-prohibitive, configure native controls to enforce length: Active Directory (fine-grained) password policies on Windows, and `pam_pwquality` with its dictionary check on Linux. Note that on-premises Active Directory has no native banned-password list; blocking known weak passwords there requires an add-on such as Entra Password Protection or a third-party filter.
### For Medium Organizations
- **Deploy Centralized Policy Management:** Utilize existing Identity and Access Management (IAM) infrastructure to centrally manage and push password policies (length, history, blocklists) across domains and key SaaS applications.
- **Mandate Password Manager Rollout:** Select and deploy a corporate-sanctioned password manager solution enterprise-wide, providing training focused on generating and storing *long, random, gibberish* passwords where a passphrase is not used.
### For Large Enterprises
- **Implement Passwordless Strategy:** Begin the transition strategy toward passwordless solutions, recognizing that the most secure password setting is no password at all.
- **Integrate Monitoring and Auditing:** Configure security information and event management (SIEM) systems to detect the attack patterns that weak passwords invite. Authentication logs do not record the password that was tried, so correlate on behaviour instead: many failures against one account from one source (brute force), a few failures each against many accounts from one source (password spraying), a sustained high failure rate across many accounts and sources (credential stuffing), and a successful login that follows a burst of failures. Trigger automated response workflows (lockout, step-up MFA, ticket) on these signals. **Restrictive composition rules do not produce stronger user-chosen passwords; length, blocklists and phishing-resistant MFA do.**
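The detection logic described above, as an added example that is not part of the original report. The log line format, the thresholds and the look-back window are assumptions, and the log lines are constructed for the demo; a real deployment would read the equivalent fields from its IdP or SSO audit events.

```python
"""Detect password spraying, single-account brute force and a success that
follows a failure burst in authentication logs.  Added example, not from the
original report; line format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 600       # assumed 10-minute look-back window
BRUTE_FORCE_FAILS = 5      # failures for one (source, user) pair in the window
SPRAY_DISTINCT_USERS = 5   # distinct users failing from one source in the window

# Assumed line format: <ISO timestamp> auth=<OK|FAIL> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: a spray from 198.51.100.7, a brute force against
# 'admin' from 203.0.113.5 that then succeeds, and one benign typo by grace.
SAMPLE_LOG = """\
2024-05-02T10:00:01 auth=FAIL user=alice src=198.51.100.7
2024-05-02T10:00:03 auth=FAIL user=bob src=198.51.100.7
2024-05-02T10:00:05 auth=FAIL user=carol src=198.51.100.7
2024-05-02T10:00:07 auth=FAIL user=dave src=198.51.100.7
2024-05-02T10:00:09 auth=FAIL user=erin src=198.51.100.7
2024-05-02T10:00:11 auth=FAIL user=frank src=198.51.100.7
2024-05-02T10:00:20 auth=FAIL user=admin src=203.0.113.5
2024-05-02T10:00:21 auth=FAIL user=admin src=203.0.113.5
2024-05-02T10:00:22 auth=FAIL user=admin src=203.0.113.5
2024-05-02T10:00:23 auth=FAIL user=admin src=203.0.113.5
2024-05-02T10:00:24 auth=FAIL user=admin src=203.0.113.5
2024-05-02T10:00:25 auth=OK user=admin src=203.0.113.5
2024-05-02T10:05:00 auth=FAIL user=grace src=192.0.2.9
2024-05-02T10:05:30 auth=OK user=grace src=192.0.2.9
2024-05-02T11:30:00 auth=FAIL user=alice src=198.51.100.7
"""


def parse_line(line):
    """Return (epoch_seconds, result, user, src) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").timestamp()
    return ts, m["result"], m["user"], m["src"]


def detect(lines):
    """Return sorted (kind, subject, count) alerts for the given log lines.

    Sliding windows are kept per (src, user) pair and per src so the
    thresholds apply within WINDOW_SECONDS rather than over the whole log."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort()
    by_pair = defaultdict(deque)   # (src, user) -> failure timestamps
    by_src = defaultdict(deque)    # src -> (timestamp, user) of failures
    alerts = {}                    # (kind, subject) -> highest count seen
    for ts, result, user, src in events:
        pair = by_pair[(src, user)]
        while pair and ts - pair[0] > WINDOW_SECONDS:
            pair.popleft()
        if result == "OK":
            # A success right after a failure burst is the alert that matters most.
            if len(pair) >= BRUTE_FORCE_FAILS:
                alerts[("success_after_brute_force", f"{src} -> {user}")] = len(pair)
            continue
        pair.append(ts)
        if len(pair) >= BRUTE_FORCE_FAILS:
            alerts[("brute_force", f"{src} -> {user}")] = len(pair)
        srcq = by_src[src]
        srcq.append((ts, user))
        while srcq and ts - srcq[0][0] > WINDOW_SECONDS:
            srcq.popleft()
        users = {u for _, u in srcq}
        if len(users) >= SPRAY_DISTINCT_USERS:
            key = ("password_spray", src)
            alerts[key] = max(alerts.get(key, 0), len(users))
    return sorted((kind, subject, n) for (kind, subject), n in alerts.items())


if __name__ == "__main__":
    for kind, subject, n in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:26} {subject:24} count={n}")
```

The per-source window is what separates spraying from ordinary mistyped passwords: a user who fails once and then logs in never reaches either threshold, while one source touching six accounts in ten seconds does. Credential stuffing from a distributed botnet will not trip the per-source rule; for that, aggregate the same failure events per account and per time bucket across all sources.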
## Configuration Examples
*Note: Specific tools vary, but the principle remains the same—enforce length over complex, arbitrary character rules.*
| Setting | Recommended Value/Strategy | Rationale |
| :--- | :--- | :--- |
| **Minimum Length** | 16 Characters (Passphrase Preferred) | Length is the most important factor in resisting brute-force attacks. |
| **Blocklist Rule** | Implement a dynamic blocklist covering at least the top 10,000 common passwords (including sequential and keyboard patterns like `qwerty12`), compared after normalizing case and trivial substitutions, and check candidates against a breach corpus (for example a k-anonymity lookup against a pwned-password service). | The common-password list stops the guesses an attacker tries first; only the breach check catches credentials that are already exposed. |
| **Password History** | Enforce reuse history of at least 12 previous passwords. | Prevents users from toggling between two weak passwords when a reset is required. Note that NIST SP 800-63B advises against periodic forced rotation; resets should follow evidence of compromise or a policy change, and history applies at those points. |
| **Complexity** | *Do not* enforce minimum counts of upper/lower/number/symbol if it reduces length. Prefer a minimum length of 16+ characters. | Composition rules push users toward predictable variants of the same weak base word (e.g., 'Password123!' vs '123!Password'), which cracking rule sets generate automatically. |
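A password-acceptance check that implements the table above (length floor, normalized blocklist match, sequential-pattern rejection, breach lookup), as an added example that is not part of the original report. The blocklist entries and the "breach corpus" are constructed inline so the example runs offline; the `range_lookup` function stands in for a k-anonymity range query of the kind the Have I Been Pwned Pwned Passwords API answers (first five hex characters of the uppercase SHA-1 sent, every matching suffix with its count returned), and the thresholds are the report's own 12/16-character values.

```python
"""Password policy check: length floor, normalized blocklist, sequential
patterns and a local k-anonymity style breach lookup.  Added example, not
from the original report; blocklist and breach corpus are constructed."""
import hashlib
import re

MIN_LENGTH = 12          # immediate-action floor from the report
PASSPHRASE_LENGTH = 16   # target once passphrases are policy

# Constructed sample of a common-password blocklist (a real deployment loads
# the top-N list and its breach corpus from files, not a literal).
COMMON_PASSWORDS = {
    "123456", "password", "admin", "administrator", "qwerty", "letmein",
    "welcome", "iloveyou", "monkey", "dragon", "qwerty12", "password1",
}
_SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
              "qwertyuiop", "asdfghjkl", "zxcvbnm")
# The substitutions users make to satisfy composition rules, undone here so
# 'P@ssw0rd' is matched against 'password'.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Map a candidate to its base word: lowercase, strip leading/trailing
    digits and symbols, undo leet substitutions.  'P@ssw0rd123!' and
    '123!Password' both become 'password'; an all-digit string becomes ''."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(_LEET)


def sequential_run(s: str) -> bool:
    """True when s is a straight run along a keyboard row or the digit or
    alphabet sequence, forwards or backwards (e.g. 'qwerty', '654321')."""
    if len(s) < 4:
        return False
    return any(s in seq or s in seq[::-1] for seq in _SEQUENCES)


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: SHA-1 -> number of times seen.  Note that a long
# passphrase is in it; length alone does not make a leaked value safe.
BREACHED_HASHES = {_sha1_upper(p): n for p, n in {
    "correct horse battery staple": 3, "Summer2024!!": 120, "Tr0ub4dor&3": 7,
}.items()}


def range_lookup(prefix5: str) -> dict:
    """Stand-in for a k-anonymity range query: given the first 5 hex chars of
    a SHA-1, return {suffix: count} for every corpus entry with that prefix.
    The full hash never leaves the client; only the prefix is sent."""
    return {h[5:]: n for h, n in BREACHED_HASHES.items() if h[:5] == prefix5}


def breach_count(password: str) -> int:
    h = _sha1_upper(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    low = password.lower()
    base = normalize(password)
    if low in COMMON_PASSWORDS or (base and base in COMMON_PASSWORDS):
        problems.append(f"on the common-password blocklist (base '{base or low}')")
    if sequential_run(low) or (base and sequential_run(base)):
        problems.append("keyboard or sequential pattern")
    n = breach_count(password)
    if n:
        problems.append(f"seen {n} times in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "123!Password", "Summer2024!!",
                      "correct horse battery staple", "plinth-velvet-orbit-lantern"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Two points the run makes that the table only states: the normalization step is what lets one blocklist entry reject the whole family of `Password123!` variants, and the breach lookup rejects a 28-character passphrase that passes every other rule, which is why the blocklist and the breach check are separate rows rather than one.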
## Compliance Alignment
- **NIST SP 800-63B (Digital Identity Guidelines):** Section 5.1.1.2 (memorized secrets) requires verifiers to compare a prospective password against a list of values known to be commonly used, expected, or compromised, and to reject matches; it also states that verifiers SHOULD NOT impose composition rules (mixtures of character types) and SHOULD NOT require periodic changes unless there is evidence of compromise. These requirements apply to memorized secrets at every assurance level, not only AAL2.
- **ISO/IEC 27002:2022:** Control 5.17 (Authentication information) covers the management of passwords and other authentication information, including quality rules for user-chosen secrets; control 5.15 (Access control) covers the surrounding access policy.
- **CIS Critical Security Controls:** Directly supports Control 5 (Account Management) and Control 6 (Access Control Management) by mandating strong credentials.
## Common Pitfalls to Avoid
1. **Over-reliance on Complexity Rules:** Do not mandate specific counts of character types (e.g., "2 symbols, 1 number, 1 uppercase") if it results in users favoring short, complex passwords over long, plain-text passphrases. Users will simply find the shortest string that satisfies the rules.
2. **Ignoring Password History:** A short or absent history allows users to cycle through a small set of weak passwords whenever a reset is required. Pair history with the NIST guidance above: force resets on evidence of compromise rather than on a calendar, and keep enough history that a reset cannot return to a known-bad value.
3. **Trusting Weak MFA:** Assuming SMS or TOTP codes are sufficient defense when the underlying password is weak. Both can be captured and relayed in real time by a phishing proxy, and SMS is additionally exposed to SIM swapping. Always strive for phishing-resistant MFA (FIDO2/WebAuthn, passkeys, or certificate-based authentication).
4. **Not Blocking Known Bad Passwords:** Failing to institute a blocklist means institutionalizing the risk of the top 100 most popular passwords.
## Resources
- **Password Policy Frameworks:** Review NIST SP 800-63B for guidance on modern credential requirements, focusing on the deprecation of complexity rules in favor of length and checking against breach lists.
- **Password Manager Solutions:** Investigate enterprise password management services capable of generating and syncing long, high-entropy credentials.
- **Benchmarking Data:** Regularly consult industry reports (like the one referenced from Comparitech) detailing current common password trends to update internal blocklists.