Last week I was registering for access for an online dashboard and needed to create a username and password. It’s a fairly common step for any service that provides you with online access as a user. However, when it came time to create a password, I ran into a road block. I tried entering a password using the approach I usually do - which is admittedly not a ‘password’ at all, but rather a ‘pass phrase’ or ‘passwords’ - using a collection of unrelated words. These are easier for me to remember than passwords and also have shown to be more secure.
The site wouldn’t accept my password attempt though. I re-typed it. Capital letters - check. Numbers - check. Symbol - check. Denied again. Then I looked at their password policy. “Passwords must be 8-12 characters in length.”
Only a 12 character limit? What a dated password policy, I thought. Unfortunately this situation isn’t all that uncommon. There are many services, and even many employers, that still force a maximum character limit on their users.
But if I see that as a dated policy, what would I see as a more modern policy?
A great example is a policy implemented by Stanford University in 2014 that is both secure and user friendly. It doesn’t force a one-size-fits-all approach and instead allows for variation from person to person. Their policy, as Dan Goodin noted in his article covering the policy, “may make it easier to choose passwords that resist the most common types of cracking attacks.”
Their policy is regressive in terms of what it requires in a password based on the password length:
- 8-11 character passwords - must contain a lowercase letter, capital letter, number and symbol
- 12-15 character passwords - must contain a lowercase letter, capital letter and number
- 16-19 characters - must contain a lowercase letter and capital letter
- 20+ characters - can contain only lowercase letters
While it’s long been recognized that a password such as T8jr)(4Olc is very secure, it’s often overlooked that it’s difficult for a user to remember something so random. Sometimes, even if someone is using a secure password like my example, it’s not actually secure at all. In order to ‘remember’ a complicated password, people will write the password on a piece of paper and keep it in a desk drawer, on top of their desk or even taped to their computer, making it much less secure than first thought since obtaining the password is so easy. Contrast that scenario with the example password from the article about the Stanford policy - “orange eagle key shoe”. More characters (21 with the spaces), still difficult to crack through a brute force attack because of the randomness of the four words, yet easier for the user to remember.
Another thing I like about Stanford’s policy is that it recognized that many people are no longer using a traditional desktop keyboard when entering passwords. They’re using mobile devices, which can make entering symbols and numbers time consuming and difficult. It’s easier as a user to enter a long password of all lowercase letters than it is to do a shorter password containing numbers, symbols and capitals - and just as secure.
What kind of password policy do you have in place for your organization?
Password policies are an important step to securing your organization and the access of those inside it. There are many possible standards you can include in such a policy, including:
- Minimum character count
- Type of character requirement (capitals, numbers, symbols)
- Maximum amount of time before a password must be changed
- No personal identification data included like name or username
However, it can be difficult to ensure your entire user base is following your policy unless it’s integrated into your system electronically. Simply having a policy and communicating it isn’t enough because users may simply not abide by it.
The best way to enforce a password policy is through a password manager application, like the one included in our RapidIdentity solution. You can find it under the profile tab in Rapid Portal. A password manager application can eliminate the possibility of users not following your policy by electronically managing each user’s password, rejecting those that don’t abide by your policy.
Another option you have is to consider other alternative methods of authentication besides passwords. There are many available now which can make that authentication process easier, quicker and more seamless for users.
But if your organization is using passwords, you need a password policy.
Other blog posts that might interest you: