Password Policy? Yes or No?

Password’s are an essential part of an organisation’s IT infrastructure. They are the first line of defense against attackers and usually the first thing to get compromised during a breach. This is why many organisations take great lengths to protect their passwords as well as the passwords of their users; often through invasive Password Change Policies which tend to do more bad than good.

As of April 2019 Microsoft is actually recommending disabling organisation-wide Password Change policies, not because of the Password Change policy itself but because of the effects it has on users trying to mitigate the hassle of maintaining a password change policy. When a user must change their password every 30/60/90 days they start coming up with strategies to ‘cheat’ the system; such as having the same password with incremental numbers (Password1, Password2, etc) or they start to write down their passwords in public locations (a sticky note attached to the PC). Both of these strategies are quite common and are often less secure than just having a singular strong password.

But what is a strong password? Microsoft constitutes a strong password as having 3 out of 5 of the following and being at least 8 Characters long.

  • Capital Letters
  • Lowercase Letters
  • Numbers
  • Symbols
  • Foreign Characters (こんにちは, Привет, 你好)

Whist we agree in principal, there should be some education around this so users do not come up with some easy passwords that satisfy the requirements; such as Password1. This is a insecure password but meets Microsoft’s requirements for a ‘strong’ password.

A good way to satisfy the password requirement, be secure, and even remember your password is: choose 3 short words that you will remember, then pick a symbol (such as $). You can now use these to make a password combination such as:

#IT#support#CANBERRA

or even the reverse is possible:

#it#SUPPORT#canberra

These passwords are more secure because of the length as well as being more memorable because it’s relating to a something that you chose.
If you can’t think of the words – that’s okay, you can use a free tool to generate some passwords for you and then you can choose the one that you think you would remember best. There are some password tools available online that let you customise how secure you want to password to be.

One of the websites is “A Secure Memorable Password Generator”: https://xkpasswd.net/s/

In summary, Password Change policies aren’t as secure as they seem on the surface – not due to any weakness in the policy itself but rather the effects it has on users that are forced to use the policy.

It is much better to use a singular secure password such as the style of passwords listed above.