Tip #8 for National Cybersecurity Awareness Month: Get serious about passwords.

Data breaches have exposed MANY passwords. The haveibeenpwned.com “Pwned Password” database has, as of June 2020, over 573 million individual breached passwords. That’s 573 million passwords already exposed for threat actors to use in their nefarious activities, such as credential stuffing.

Users commonly use easily guessable password constructs such as years, seasons, months and sports teams.

The National Institute of Standards and Technology (NIST) provides “modern” guidance on passwords. Passwords should:

1. Be a minimum of eight characters and a maximum length of 64 characters.

2. Have the ability to use all special characters but no special requirement to use them.

3. Restrict sequential and repetitive characters (e.g., 12345 or aaaaaa).

4. Restrict context-specific passwords (e.g., the name of the site/company/entity, etc.).

5. Restrict commonly used passwords (e.g., p@ssw0rd, etc.) and dictionary words.
Restrict passwords obtained from previous breach corpuses.

Steps you can take

No matter how much you train employees, some will not adhere to all six recommendations from NIST. Stopping #1 and #2 is easy, but very few authentication systems (and Microsoft Windows in particular) are able to block passwords that don’t meet steps three through six.

Fortunately, third-party password filters can perform many of the functions that the NIST guidelines require and provide even more flexible options for password requirements. A few examples, both commercial and open-source, are:
• nFront Password Filter
• safepass.me
• Specops Password Policy

These solutions all install on your Windows domain controllers. They intercept password change requests, verify the proposed password against the parameters set within the application and either allow or deny the user from setting that password.

There is much debate in the security community revolving around the idea that, even with these controls in place, an eight-character password is sufficient. Many organizations use these password tools and still require a more cryptographically secure password length of 12, 14 or more characters.