Best practices for Microsoft and NIST password policies (2023)

Microsoft and the National Institute of Security Technology (NIST) are two of the leading resources for providing strong password policies. In this article, we discuss recommended strategies to ensure your company's passwords are strong enough to protect against hackers and cybercriminals.

NIST is responsible for developing information security standards and guidelines that all federal agencies must follow, and most cybersecurity professionals choose to do so as well. Microsoft offers a unique perspective on password security, leveraging the insights gained from analyzing millions of username/password compromise attempts every day. Review the NIST and Microsoft password guides and recommendations to determine the best policies for your organization.

Microsoft password policy recommendations

Microsoft created its admin password policy recommendation using insights from years of tracking threats such as Trojans, worms, botnets, phishing attacks, and more. Learn how to identify the latest security threats. Microsoft recommends the following guidelines for deploying password-based identity and access management security as part of your organization's cybersecurity plan.

Password guidelines for administrators

• Keep a minimum length of 8 characters (longer is not necessarily better)
  

  Password length requirements (greater than about 10 characters) can result in predictable and undesirable user behavior. For example, users who are required to have a 16-digit password can repeat patterns like fourfourfour or Passwortpasswort that meet character length requirements but are not difficult to guess. In addition, length requirements increase the likelihood that users will engage in other unsafe practices, such as B. writing down their passwords, reusing them or storing them unencrypted in their documents. To encourage users to come up with a unique password, we recommend maintaining a reasonable minimum length of 8 characters.

• Has no character composition requirements. Example: *&(^%$
  

  Password complexity requirements can lead users to act in predictable ways and do more harm than good.Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cyber ​​criminals know this, so they carry out their dictionary attacks with the most common substitutions, "$" for "s ", "@" for "a", "1" for "l". Forcing your users to choose a combination of uppercase, lowercase, digits, and special characters will have a negative impact. Some complexity requirements even prevent users from using strong and memorable passwords and force them to create less strong and memorable passwords.

  (Video) NIST Password Policy Recommendations

• Does not require periodic password resets for user accounts
  

  There is evidence that users who know they need to change their passwords choose weak passwords and are more likely to write them down. A better approach might be to apply multi-factor authentication and then encourage users to make the effort to find a strong password that they can use for a long time.

• Ban common passwords to keep the most vulnerable passwords off your system
  

  The most important password requirement you should impose on your users when creating passwords is to disallow the use of common passwords to reduce your organization's vulnerability to brute force password attacks. Common user passwords are: ABCDEFG, Password, Ape.

• Advise your users not to reuse their organization passwords for non-work related purposes
  

  One of the most important messages to convey to users in your organization is to not reuse your organization's password anywhere else. Using your company's passwords on external websites greatly increases the likelihood that cybercriminals will compromise those passwords.

• Apply registration for multi-factor authentication
  

  Make sure your users update contact and security information, such as an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Up-to-date contact and security information helps users verify their identity if they forget their password or someone tries to take over their account. It also provides an out-of-band notification channel for security events such as login attempts or password changes.

• Enable risk-based multi-factor authentication challenges
  

  Risk-based multi-factor authentication ensures that if our system detects suspicious activity, it can prompt the user to verify that they are the legitimate owner of the account.

• Passwordless authentication is the future
  

  Microsoft invites admins to lead their organizations into the future by becoming familiar with what they call itno passwordAuthentication and is now available. It gives users faster access to applications and services, provides a higher level of security than passwords, and eliminates IT support costs and lost productivity associated with password resets. The 3 passwordless authentication options available today from Microsoft include Windows Hello facial recognition and fingerprint scan authentication, the Microsoft Authenticator app for passwordless phone login, and Fido2 security keys available as US/NFC keys, biometric USB keys, or biometric wearables are.

NIST Password Policy Recommendations

ÖNIST special publication800-63B guidelines for digital identity, authentication, and lifecycle managementreleased in 2020 is considered the gold standard for password security. Guidelines must be followed by federal agencies, and it is strongly recommended that all organizations follow NIST password recommendations when establishing password policies to ensure the security of their employee accounts and corporate data. The document introduced a new protocol that aims to improve password security by promoting easy-to-remember but hard-to-guess passwords, known as stored secrets, while eliminating many of the password complexity requirements of the past, which have been shown to reduce safety.

Below is a summary of the key password recommendations outlined in the guidelines:

• Request multi-factor authentication
  Multi-factor authentication uses more than one method to verify your identity. Multi-factor authentication can help protect your account from attackers, even if they guess or steal your password. Attackers would not be able to access your account without also breaching the second layer of security.

• The password length must be at least 8 characters but less than 64 characters
  

  Password length requirements that require passwords to be longer than 10 characters have been shown to result in predictable user behavior that is easy for hackers to guess. Length requirements also increase the likelihood that users will engage in other unsafe practices, such as B. writing down their passwords, reusing them or storing them unencrypted in their documents. For these reasons, NIST now recommends maintaining a reasonable minimum length of 8 characters...and more importantly, requiring multi-factor authentication!

• All special characters (including spaces) should be allowed but not required
  

  Special characters make your password stronger, but you can still create a strong and secure password without special characters. Making this optional and not mandatory allows users to create passwords that they are more likely to remember.

• Eliminate knowledge-based authentication (e.g. what is your mother's maiden name)
  

  Many forms of knowledge-based authentication are easily found on the Internet. Hackers can find answers to most security questions, such as birthdays, educational backgrounds, and family members' names, by examining public records. It doesn't help that so many people overlook the security implications of the information they freely share on social media, which often provides strong clues to these shared security concerns.

• Avoid using personal information when creating a password
  

  The personal information you put on social media platforms like Facebook and Instagram makes it easy for a hacker to guess your passwords. Avoid using anything that is known about you, whether from public records or information that you or others may post on social media. This information may be the easiest to remember, but it is the basis for social engineering that can be used against you. Social engineering remains one of the most effective strategies for successful ransomware attacks.

• Eliminate mandatory password changes unless there is evidence of password compromise
  

  One of the most important changes NIST has made is that they no longer recommend periodic password resets. This practice has proven to be ineffective and makes passwords less secure. A Microsoft study found that users who have had to reset their passwords frequently are more likely to use weak passwords and reuse them across multiple accounts.

  (Video) New NIST Password standards

• Limit the number of failed password attempts
  

  Limiting your failed password attempts can help protect your accounts by preventing attackers from gaining access if they incorrectly guess your password too many times. This can help protect your account from brute force attacks, where hackers use sophisticated software and AI to generate millions of different combinations until they find the right one.

• Enable copy and paste in password fields
  

  NIST also recommends allowing copying and pasting of passwords into password fields, although the guidelines do not require the use of password management software, this policy permits their use. Password managers store all user passwords in a central, encrypted location and allow users to copy and paste to log in.

• End user training required
  

  Humans remain the weakest link in the information security process. Regular training is one of the most important measures companies can take to protect against targeted attacks on their employees.

  Additional recommendations - Do not use:

• Context-specific words such as service name, username, and derivatives
• Passwords compromised in previous security breaches
• Words found in the dictionary
• Repeating or consecutive characters like ("aaaaaaaaa" or "1234abcd")

Conclusion

Administrators should review the list provided by these highly trusted sources and apply the recommended policies across the organization. The top security measure recommended by Microsoft and NIST is to require multi-factor authentication for all accounts containing corporate data. Based on Microsoft studies, your account is 99.9% less likely to be compromised when you use MFA.

Password managers are easy to use and can help generate strong, unique passwords and provide a secure solution for employees not having to remember all of their passwords. When implementing a password management solution, keep these five things in mind:

• Choose a long password for the password manager master password and protect it from theft. A passphrase can be long enough to protect against attacks while still allowing for memorization.
• Create unique passwords for all accounts or leverage most password managers' ability to generate random, unique, and complex passwords for each account.
• Avoid password managers that allow master password recovery. Any master password compromise by account recovery tools could compromise the entire password vault.
• Use multi-factor authentication for program manager apps that allow this feature.
• Use the password generator feature in most password managers to generate complex, random passwords that meet your desired complexity requirements

If you're not implementing a password manager, it's important to provide your users with guidance on how to choose a unique password for each of their accounts. One of the best schemes ever created, and still very effective today, came from Schneier in a 2014 security blog post. The blog post quoted that almost anything that can be remembered can be broken. He suggests combining a personally memorable phrase with some personally memorable tricks to turn that phrase into a unique and memorable password.That would be something like:

• "tlpWENT2tm" = "This little pig has gone to the market"
• WIw7, mstmsritt. = When I was seven years old, my sister threw my stuffed rabbit in the bathroom.
• Wow…doestcst = Wow, this couch smells awful.

Addressing password policies greatly improves the security of your organization.

For more cybersecurity recommendations to improve your organization's cybersecurity policies, seeContact IntelliSuite.

Sources:

Microsoft, Office 365 password policy recommendations

NIST, Authenticator and Verifier Requirements, 51. Requirements by Authenticator Type

Schneider on safety