“Why do you recommend a 15-character password policy when (name your favorite policy here) recommends only 8-character minimum passwords?” I have had this question posed to me a couple of times in the very recent past.
There were 2 separate policies that were shown to me when asking these questions. First was the NIST policy. From the NIST 800-63 guidelines, it says that “memorized secrets [are] to be at least 8 characters in length.” Memorized secrets are defined to include passwords. The NIST guidelines were recently updated, but the password minimum length remains at 8 characters. Taken from https://blog.didierstevens.com/2017/02/28/password-history-analysis/.
The other policy was the policy for Microsoft Office 365. This policy states that one recommendation “for keeping your organization as secure as possible” is to “maintain an 8-character minimum length requirement (longer isn’t necessarily better).” This is taken from https://docs.microsoft.com/en-us/office365/admin/misc/password-policy-recommendations?view=o365-worldwide.
I disagree with both of these policies and STRONGLY disagree with the policy from Microsoft. I will explain my reasoning and hopefully will convince those of you with an 8-character password policy to change to something that is stronger.
When I am working on a pentest, one of the first things I do is see if there is a place that I can password spray. These portals are often email, but sometimes they are custom login portals, VPN portals, or another login portal that employees use. If the password policy is an 8-character minimum, I will usually get in. Given a large enough field of users (found through recon), there is almost always at least one user who has a password of Fall2019, Summer19!, or Company123. It used to be funny when that happened, but it happens so often that now it is just sad.
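A spray looks different from a brute force in the logs: one source fails against many distinct accounts a few times each, rather than hammering one account. The detector below is an added example (not code from the original post) that runs over constructed sample log lines in a simplified `timestamp result user source_ip` format and flags any source that failed against at least five distinct accounts inside a ten-minute window, then lists the successful logins from that source as the accounts to investigate first. The log format, thresholds and window are assumptions chosen for the illustration.

```python
"""Flag a password-spray pattern in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, username, source IP.
# 203.0.113.7 sprays five accounts and lands on "frank";
# 198.51.100.4 repeatedly fails against a single account (not a spray).
SAMPLE_LOG = """\
2019-12-02T09:00:01 FAIL alice 203.0.113.7
2019-12-02T09:00:03 FAIL bob 203.0.113.7
2019-12-02T09:00:05 FAIL carol 203.0.113.7
2019-12-02T09:00:07 FAIL dave 203.0.113.7
2019-12-02T09:00:09 FAIL erin 203.0.113.7
2019-12-02T09:00:11 SUCCESS frank 203.0.113.7
2019-12-02T09:05:00 FAIL alice 198.51.100.4
2019-12-02T09:05:02 FAIL alice 198.51.100.4
2019-12-02T09:05:04 FAIL alice 198.51.100.4
2019-12-02T09:30:00 SUCCESS bob 192.0.2.10
"""


def parse_log(text):
    """Parse the simplified log format into (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted distinct users} for every source whose failed
    logins touched at least `min_users` distinct accounts inside `window`."""
    failures_by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        # Slide a time window over this source's failures and count users in it.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                findings[ip] = sorted(users)
                break
    return findings


def successes_after_spray(events, findings):
    """Successful logins from a spraying source: the likely compromised accounts."""
    return sorted((user, ip) for _, result, user, ip in events
                  if result == "SUCCESS" and ip in findings)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    sprays = detect_spray(parsed)
    print("spraying sources:", sprays)
    print("accounts to check:", successes_after_spray(parsed, sprays))
```

Keying on distinct accounts per source rather than failures per account is what makes the single-account lockout threshold irrelevant to the detection; a real deployment would also watch for the same low-and-slow pattern spread across many source addresses.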
You might be saying to yourself, “All of my external portals use two-factor authentication, so I am good.” Well, the two-factor authentication (2FA) is only as good as its implementation. One of my co-workers was able to get into a 2FA protected email account because one of the 2FA methods went to a Skype phone number. Sounds secure, except the Skype account used only single factor. She logged in to Skype as the victim, sent the 2FA request to the Skype account, and then logged in to email.
I am by no means saying that we shouldn’t use 2FA because it can be bypassed. 2FA, if employed correctly, thwarts many attacks. I am only saying that we shouldn’t be ignoring the first method of protection – passwords. If your first authentication method is difficult to bypass, many attackers won’t even be able to get to the second method of authentication.
So what should you make your password policy? The easy answer is at least 15 characters. Why that length? We will be having a webcast on this very topic this week and you can register below. There will also be a follow-up blog with more explanation.
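To make the length argument concrete, here is an added example (not from the original post) that runs the three spray favorites named above through a length-only 8-character policy and a length-only 15-character policy. The optional season-plus-year pattern check and the organization-name check are my own additions, not anything the post or NIST prescribes, included to show what a filter has to carry when length alone is short.

```python
"""Compare 8- and 15-character minimums against typical sprayed passwords (added example)."""
import re

# Season followed by a two- or four-digit year, with optional trailing symbols
# (matches forms such as Fall2019 and Summer19!).
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)[-_ ]?(19|20)?\d{2}[!@#$%^&*.?]*$",
    re.IGNORECASE,
)

# Passwords that the post reports password sprays keep landing on.
SPRAY_FAVORITES = ["Fall2019", "Summer19!", "Company123"]


def check_password(password, min_length, org_names=(), block_patterns=False):
    """Return the list of reasons the password fails the policy (empty means accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if block_patterns and SEASON_YEAR.match(password):
        reasons.append("season followed by a year")
    lowered = password.lower()
    for name in org_names:  # org_names is an assumed, caller-supplied list
        if name.lower() in lowered:
            reasons.append(f"contains organization name {name!r}")
    return reasons


def accepted_by(min_length, org_names=(), block_patterns=False):
    """Which of the spray favorites a policy with the given settings lets through."""
    return [p for p in SPRAY_FAVORITES
            if not check_password(p, min_length, org_names, block_patterns)]


if __name__ == "__main__":
    print("8-char, length only :", accepted_by(8))
    print("15-char, length only:", accepted_by(15))
    print("8-char + filters    :", accepted_by(8, org_names=("Company",), block_patterns=True))
    # A long passphrase (constructed) clears the 15-character policy with every check on.
    print("passphrase at 15    :",
          check_password("blue-kettle-outran-the-train", 15,
                         org_names=("Company",), block_patterns=True))
```

The length-only 8-character policy accepts all three favorites, the length-only 15-character policy accepts none of them, and a pattern filter only catches the shapes someone already thought to write down.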
Register for our next webcast — Passwords: You Are the Weakest Link — on Dec 5, 2019, 1:00 PM EST at: https://attendee.gotowebinar.com/register/4720742581883580684