Password policies and judging password strength have been constant challenges. Computing power and cracking rigs are getting stronger while people’s password habits are staying the same or getting worse. We see the same common passwords and patterns.

Password Habits

Part of the problem with passwords is that people have formed common password habits. For example, many people start with one dictionary word. Often the base word is just the current month or season or a family member’s name. They will capitalize the first letter, tack a number on the end, and add an exclamation point. Some people will spice it up and use some leet-speak substitutions for certain letters or a more exotic punctuation mark. Other people like to use diagonal keyboard patterns instead of words. The truth is, these formats are so common that they make passwords easier for attackers to guess. Check out the Top 1000 most common passwords.

Password Strength

Another drawback of requiring capital letters, symbols, and numbers is that it makes passwords difficult to remember. The largest portion of entropy comes from the base word. By making a passphrase with four words you have substantially more entropy than a single word with all of those frills. The XKCD comic, “Password Strength”, expresses it beautifully.

Password Policies

Some people argue that password policies are partially to blame for our password habits. Because people have to rotate their password every 30-90 days, they pick an easy-to-remember password that they can simply increment every time. In the BSides Las Vegas 2016 keynote talk, Lorrie Cranor from the FTC discussed how using a slower hashing algorithm is more effective against brute-force attempts than having users change their password regularly.

You can read her original blog post from March 2016, “Time to Rethink Mandatory Password Changes”, and watch the keynote from BSides Las Vegas 2016 to learn more about their research and conclusions.


Replace the term “password” with “passphrase”. We can help push a change in password habit by changing the vernacular. Some people outside of security have never heard the term passphrase or considered that an option. By using the word “passphrase” you might be able to educate someone on a better practice.

Encourage passphrases instead of passwords. Change login forms to read: “Username and Passphrase”. If you feel like it is necessary, provide a “What’s this?” help box to educate the user on this recommended practice.

Allow long passwords. Do not limit users to 15 characters. A good baseline would be passphrases with four words that have at least five letters. Therefore, 24 characters (20 characters plus 4 spaces) would be the minimum characters needed for a basic passphrase. Ideally you should accommodate passphrases of at least 64 characters.

Email or text users when a login is detected from a new location. These simple notifications can go a long way in alerting users of suspicious activity. It also serves as a cue to change their passphrase if the login is unexpected.

Integrate Two-Factor Authentication. 2FA is a great security feature that is relatively easy to implement. It can be a life-saver if a password is compromised. Google Authenticator is a popular option.

Password managers are good tools. Password managers help create long randomized passwords and store them safely. There are many options when it comes to password management. LastPass and 1Password are a couple of examples. In a corporate environment, a couple of options I am aware of are Vault from HashiCorp and Thycotic Secret Server.
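To tie the habits, slow-hashing, and long-passphrase points together, here is a server-side sketch that rejects the common password formats described above, accepts a four-word passphrase, and stores it with a deliberately slow hash. It is an added example, not code from the talk or blog post referenced in this article. The word lists, the 128-character cap, the function names, and the choice of PBKDF2 with 600,000 rounds are all assumptions made for illustration.

```python
import hashlib, hmac, os, re

# Assumed values for this sketch; only the "at least 64 characters" floor
# and the four-words/five-letters baseline come from the article.
MAX_LEN = 128        # form limit, comfortably above 64
ROUNDS = 600_000     # PBKDF2 work factor; tune to your own hardware
BASE_WORDS = {"january", "march", "august", "october", "winter", "spring",
              "summer", "autumn", "password", "welcome"}   # constructed sample
KEYBOARD_RUNS = ("1qaz", "2wsx", "zaq1", "qazwsx", "qwerty")  # constructed sample
LEET = str.maketrans("@430157$", "aaeoists")  # undo common leet substitutions

def habit_findings(pw):
    """Return reasons to reject pw; an empty list means it is accepted."""
    findings = []
    if len(pw) > MAX_LEN:
        findings.append("longer than the form accepts")
    words = pw.split()
    if len(words) >= 4 and all(len(w) >= 5 for w in words):
        return findings  # baseline passphrase: four words, five+ letters each
    # Strip the trailing number/symbol "frills", then undo leet and case.
    core = re.sub(r"[\d\W_]+$", "", pw).translate(LEET).lower()
    if core in BASE_WORDS:
        findings.append("single common word plus number/symbol")
    if any(run in pw.lower() for run in KEYBOARD_RUNS):
        findings.append("keyboard pattern")
    return findings

def hash_passphrase(pw, salt=None):
    """Slow, salted hash so each offline guess costs ROUNDS iterations."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ROUNDS)
    return salt, digest

def verify_passphrase(pw, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_passphrase(pw, salt)[1], digest)

if __name__ == "__main__":
    for candidate in ("Summer2024!", "P@ssw0rd1!", "1qaz2wsx",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {habit_findings(candidate) or 'accepted'}")
```

In production the sample sets would be replaced with a full common-password list, and the work factor raised as hardware allows.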