Our auditor is telling us we need longer passwords. I’ve done some reading and asked around on this, and I’ve heard everything from 8 to 15 characters. How long should our passwords be?
Ask a simple question, get… a different answer from every person you ask. Frustratingly enough, they all might be right.
Minimum password length settings get a lot of scrutiny, and this makes sense. Although the FFIEC issued a statement on securing credentials, they offered no specifics beyond “Implement(ing) an adequate password policy.” Without a clear regulatory directive, password settings are often determined according to subjective “industry best practices”. You may have heard that “longer equals stronger” when it comes to passwords. Security experts largely agree with that statement. We all want strong passwords, so just make long passwords and all is well! Sounds easy enough, right? Unfortunately, the truth is more complicated, and this single setting is not a security silver bullet. Password length is certainly important, but it must be considered in the proper context.
Different Degrees of Risk
As with so many Information Security decisions, risk should be front-and-center. This starts with the fundamental understanding that each of the information systems you use presents a different degree of risk. For instance, the risk of unauthorized logical access to core banking software likely dwarfs the risk of access to an employee time clock application. (I’ve written about securing email here.) User rights also factor in here. A supervisor with the ability to create or edit other user accounts almost certainly poses a greater risk than a general user account. And what if the system is public-facing? We could keep going here and analyze other risk factors, but you get the idea. The further down the risk rabbit-hole you venture, the less sense a one-size-fits-all approach to password length makes. Simply put, control strength must follow logically from inherent risk level.
Password length gets a disproportionate amount of attention compared to other password settings such as complexity or age, but each setting can influence the risk profile. Layer on multi-factor authentication (MFA), and the conversation changes again. Individual controls should not be considered in a vacuum, and the same holds true for password length.
Working Against Ingenuity
Then there is that pesky human element that keeps every ISO up at night. The truth is, tuning some password settings up too high can actually make you less secure. If you make authentication too difficult, the humans on the other side of the keyboard may find inventive ways to circumvent your carefully crafted controls. While enforcing a 20-character password may sound like a no-brainer to a security-minded IT administrator, end-users might simply choose “a, b, c, …t” as their password, meeting the letter but certainly not the spirit of your password policy. If they do choose something harder to guess, they may have trouble remembering their new-and-improved password. You might start finding passwords written down in a top desk drawer or on a sticky note under the keyboard. Your IT folks might also be faced with more password unlocks/resets due to fat-fingering those keystrokes. You must factor in your users’ tolerances and your institution’s culture, especially when considering changes to something as ubiquitous as passwords.
Training is Key
Don’t discount or neglect the power of persistent training here! After all, your users cannot be expected to follow rules they do not know about or understand. This starts with clear written End User Policies and annual training to reinforce those expected behaviors, but you don’t have to stop there. Educating your users about the benefits of long passphrases is a great way to gently nudge your institution’s culture in the direction of longer passwords without changing a single setting.
There Are National Standards
With all of these variables to consider, how do you make the right decision on password length? The FFIEC does not offer precise guidance on the matter, only that you need a password policy commensurate with risk. When looking for more specificity, it never hurts to look to the National Institute of Standards and Technology (NIST). NIST is the standards body for government entities and perhaps the most widely respected security resource out there. In fact, NIST standards were actually the foundation for some FFIEC guidance. Thankfully, NIST provides some advice about passwords in the Digital Identity Guidelines publication. While the NIST stance on passwords has evolved recently (more on that juicy topic in a future blogpost), the publication once again confirms a long-held industry standard of 8 characters MINIMUM for any password. Keep in mind that this should be considered the bare minimum, even as you add complexity or another (dual or multi) authentication factor. As the sensitivity of the system or the privilege of the user increases, so too should your password complexity (length plus non-alpha characters). For critical systems and high-privilege users, your focus should be multi-factor or out-of-band authentication instead of strengthening a single factor delivered via a single channel.
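To make the tiered approach above concrete, here is an added example (not code from the post or from NIST) of a policy check that raises the minimum length with system risk and user privilege, keeps the 8-character floor the post cites, rejects the “a, b, c, …t” style of password that meets the length rule but not its intent, and insists on a second factor for critical systems. The tier-to-length mapping, the privileged-account increment and the function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Minimum length by system risk tier. Only the 8-character floor comes from
# the post (NIST guidance); the higher tiers are assumed values for illustration.
MIN_LENGTH_BY_TIER = {"low": 8, "medium": 12, "high": 14}
PRIVILEGED_EXTRA = 2           # assumption: account-admin rights raise the floor
MFA_REQUIRED_TIERS = {"high"}  # the post: critical systems need a second factor


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def is_sequential(pw: str) -> bool:
    """True when every adjacent pair is consecutive, e.g. 'abcdefghijklmnopqrst'
    or '9876543210': such a string passes a length check while defeating its purpose."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_low_variety(pw: str) -> bool:
    """Two or fewer distinct characters ('aaaaaaaa', 'abababab')."""
    return len(set(pw)) <= 2


def check_password(pw: str, tier: str, privileged: bool = False,
                   mfa_enrolled: bool = False) -> Verdict:
    """Apply the tiered policy; an empty reason list means the password passes."""
    reasons = []
    min_len = MIN_LENGTH_BY_TIER[tier] + (PRIVILEGED_EXTRA if privileged else 0)
    if len(pw) < min_len:
        reasons.append(f"needs at least {min_len} characters for tier '{tier}'")
    if is_sequential(pw):
        reasons.append("sequential run: meets the length rule, not its intent")
    if is_low_variety(pw):
        reasons.append("too few distinct characters")
    if tier in MFA_REQUIRED_TIERS and not mfa_enrolled:
        reasons.append("critical system: requires a second factor, not a longer password")
    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, tier in [("abcdefghijklmnopqrst", "medium"), ("correct-horse-battery", "low")]:
        print(pw, tier, check_password(pw, tier))
```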
In the end, every risk must be assessed and controlled differently, and only your organization truly knows what password settings are appropriate for your risk profile. A single password policy for all of your systems fails to recognize the risk associated with your different systems. You don’t want to undershoot risk mitigation for some systems while overshooting it for others, and neither should your password policy be unnecessarily prohibitive to the end-user. Finally, keep in mind that even the longest, most complex password is virtually useless if a user accidentally exposes their credentials by falling for a phishing email or by reusing their password at an unassociated site that gets hacked.
The next time someone tells you how long your passwords should be, thank them for their opinion, and then don’t be afraid to ask them why!