Password Policies (various)

24th February 2021

You've likely encountered password policies, as a standard form of consultant chaff, a thousand times before. Whether in implementing policies, as a result of build reviews, or the random low ranked findings at the bottom of an assessment, modifications to the password policies are part of the minutiae of using and administering computers.

But what is the ideal password policy?

In this blog, I will look at the recommendations provided by standards bodies and subject matter experts I've most often encountered, namely CIS, NCSC, NIST, ISO 27001, PCI DSS, and Cyber Essentials, to try and discern the "best" password requirements.

Centre for Information Security (CIS)

The Centre for Information Security is one of the most recognisable standards bodies, with widespread recommendations for security hardening on most platforms, ensuring a common baseline.

If you look at CIS, their recommendations for Windows require the following:

Policy                      Setting
Password History            n > 24
Max. Password Age (days)    0 < n <= 60
Min. Password Age (days)    n > 14
Complexity Enabled          Yes
Reversible Encryption       Disabled

Of note here are the two values "Complexity Enabled" and "Reversible Encryption".

Complexity Enabled in turn requires the following:

Reversible Encryption (disabled) requires that passwords are not stored in a reversible format from which the original password could be recovered.

National Cyber Security Centre (NCSC)

The NCSC is the UK's principal cyber defence organisation, distributing wide-ranging advice for individuals and enterprises. They updated their advice in November 2018, recommending that complexity requirements are not enforced, that passwords are not set to expire (to reduce user iteration on weak passwords, like Password1 to Password2), and that password length is unlimited.

Their recommendations thus become:

Policy                      Setting
Password History            n > 24
Max. Password Age (days)    0 < n <= ∞
Min. Password Age (days)    not addressed
Min. Password Length        n > 0
Max. Password Length        ∞, or max. supported by the system
Complexity Enabled          No
Reversible Encryption       Disabled

This advice warrants a caveat, however. It stems from user fatigue producing weaker passwords that still meet technical requirements (for example, P@ssword123), and it applies to user-generated passwords. Where possible, the NCSC advises using both password managers and multi-factor authentication.

National Institute of Standards and Technology (NIST)

The U.S. Department of Commerce's NIST group also makes recommendations for password policies.

In section 5.1.1.2 of document NIST SP 800-63B (already sounding fun), the following recommendations are laid out in a big ol' block of text:

Policy                      Setting
Password History            n > 24
Max. Password Age (days)    0 < n <= ∞
Min. Password Age (days)    not addressed
Min. Password Length        n > 8
Max. Password Length        64 <= n <= ∞
Complexity Enabled          No
Reversible Encryption       Disabled
Password Hints              Disabled
Verification Questions      Disabled

As with the NCSC, NIST also now recommends against the use of complexity and mandatory rotation of passwords to avoid user fatigue, as well as advising that pasting in a password (i.e. from a password manager) be permitted.

Additionally, amidst a flurry of Gandalfian SHALL NOTs and a smattering of wheat-field running MAYs, we find that they advise the checking of passwords against known breaches (akin to the Microsoft / CIS recommendation to check for known values, but naturally expanded to include previously compromised passwords).

Microsoft

Since you already know who they are, moving on to their recommendations:

Policy                      Setting
Password History            n > 24
Max. Password Age (days)    0 < n <= ∞
Min. Password Age (days)    not addressed
Min. Password Length        n > 8
Max. Password Length        64 <= n <= ∞
Complexity Enabled          No (advice to administrators) / Yes (advice to users)
Reversible Encryption       Disabled
Password Hints              Disabled
Verification Questions      Disabled
Common Passwords            Banned

Notably, in advice to administrators the mandatory requirement for complex passwords is advised against, but in advice to users it is encouraged. While this appears confusing, it is a delineation between MUST and SHOULD. While complex passwords are harder to crack, it is better that an organisation's passwords are diverse - highly differentiated from one another - to add resilience. As such, it appears consistent when taking the view that a user can choose to be more secure when they have the freedom to select their own password, but when complexity is enforced and a more complex but harder-to-remember password is required, users will turn to passwords that are technically complex but weaker in practice.

ISO 27001

ISO 27001. If you haven't experienced it, you haven't lived. ISO 27001 requires the following from a password policy, going from ISO 27001 Control A.9.4.3:

Policy                      Setting
Password History            n > 0
Max. Password Age (days)    Undefined / n <= 90
Min. Password Age (days)    not addressed
Min. Password Length        n > 8
Max. Password Length        64 <= n <= ∞
Complexity Enabled          Yes
Reversible Encryption       Disabled
Password Hints              Disabled
Verification Questions      Disabled
Common Passwords            Banned

As you can see, there are a handful of differences. Notably, the advice from the NCSC and NIST changed in 2018; as ISO 27001 dates back to 2013, the difference in practice is understandable. It should be noted that ISO 27001 does not require that passwords are rotated within a set period, so provided that your choices can be justified with best practice (i.e. the recommendations of two recognised cyber security agencies), the issue is not with ISO 27001, it's with your auditor.

PCI DSS

In the same vein as ISO 27001, PCI DSS also has auditing requirements. If you're handling payment data, chances are you're already familiar with the scheme and whether or not you should be covered.

Policy                      Setting
Password History            n > ∞
Max. Password Age (days)    0 < n <= 90
Min. Password Age (days)    not addressed
Min. Password Length        n > 7
Max. Password Length        Unknown
Complexity Enabled          Yes
Reversible Encryption       Disabled
Password Hints              Disabled
Verification Questions      Disabled
Common Passwords            Banned

Cyber Essentials

Cyber Essentials is a UK government-backed scheme to enforce a decent minimum standard of security for UK companies, with a particular focus on those supplying government. Its status as a good place to start, but by no means the end of the journey, is clear from its requirements.

Policy                      Setting
Min. Password Length        n > 8
Max. Password Length        n < ∞
Complexity Enabled          Yes

Cyber Essentials doesn't require an awful lot with regards to specific password policy implementation. The only requirements at the time of writing are that an organisation has a password policy (A5.9) and that passwords are over 8 characters and not otherwise restricted in length.

By their powers combined

So if we wanted to construct the uberpolicy, combining the best features of the above into a singular all-secure entity, would it be possible? No. You're going to need to have an argument with your auditor if you are ISO 27001 or PCI DSS, and a small debate versus CIS benchmarking if any consultancy you use bases or aligns their methodology in that direction. However, if you are merely aligned to ISO 27001, then updating your practice in line with the latest advice from the USA and UK's cyber security centres is more than reasonable, at least in my opinion.

Policy                      Setting
Password History            n > 24
Max. Password Age (days)    0 < n <= ∞
Min. Password Age (days)    n > 0
Min. Password Length        n > 8
Max. Password Length        ∞ or max. supported by the system
Complexity Enabled          No
Reversible Encryption       Disabled
Password Hints              Disabled
Verification Questions      Disabled
Common Passwords            Banned

Naturally, you always have room to make your policy more secure than the above amalgamation. It's just important to bear in mind the direction in which more security lies - changes to the password rotation, requiring monthly changes, will be more likely to generate weaker passwords than an infinite expiry.

Personally, I advise bumping the minimum password length up to 14, and walking through either the installation of a password management tool, or the use of three+ words as a password (with a mixture of numbers and/or symbols scattered in). It's worth bearing in mind the size of your organisation. At the end of the day, most passwords should be secure. If you have a good security culture, it may be easier to get people out of the habit of P@ssword1234; if you have thousands of users, loosening the restrictions but at least getting longer SolemnDo77832thTheRavenCry style passwords may be preferable.
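To make the combined table and the 14-character recommendation concrete, here is an added example (my own illustration, not code from any of the standards bodies above) that encodes the amalgamated policy beside an older 8-character complexity policy and runs both against the kinds of passwords discussed in this post. The banned list is a small constructed sample standing in for the breached-password check NIST and Microsoft call for, and the 3-of-4 character-class rule is my approximation of Windows complexity; the names COMBINED, LEGACY and check_password are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample standing in for a real breached/common-password list
# (the NIST SP 800-63B / Microsoft check against known-compromised values).
BANNED_PASSWORDS = {"password", "password1", "p@ssword123", "p@ssword1234", "welcome1"}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: Optional[int]   # None means unlimited (the NCSC/NIST position)
    complexity_enabled: bool    # Windows-style "3 of 4 character classes" rule
    ban_common: bool            # reject values found on the banned list


# The "by their powers combined" table, with the minimum length bumped to 14.
COMBINED = PasswordPolicy(min_length=14, max_length=None,
                          complexity_enabled=False, ban_common=True)

# An older complexity-based policy (8 characters, 3 of 4 classes), for comparison.
LEGACY = PasswordPolicy(min_length=8, max_length=None,
                        complexity_enabled=True, ban_common=False)


def complexity_classes(pw: str) -> int:
    """Count how many of the four Windows character classes appear in pw."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, pw))


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the policy violations for pw; an empty list means it is accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.complexity_enabled and complexity_classes(pw) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if policy.ban_common and pw.lower() in BANNED_PASSWORDS:
        problems.append("on the banned/breached password list")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssword123", "solemn raven cry wheat field",
                      "SolemnDo77832thTheRavenCry"):
        print(candidate, "| legacy:", check_password(candidate, LEGACY) or "ok",
              "| combined:", check_password(candidate, COMBINED) or "ok")
```

Running it shows the post's point: the legacy policy waves through P@ssword123 and rejects a four-word passphrase, while the combined policy does the opposite.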