Best Practices Guide for Password Management

By Greg Keller Posted November 20, 2019

Password complexity requirements can be confusing for IT organizations. There has been a great deal thrown out about the best practices for password complexity over the years, but some of the data is conflicting. That leaves admins with questions:

Q:  Is it better to just have long passwords rather than complex ones? 

Q:  Should passwords be rotated? If so, how often? And how many of the previous passwords should be off limits? 

Q:  What if our organizations leverages multi-factor authentication? Then does it really matter what the password is?

We’ve got answers to these questions and more below. While no password policy is a panacea, there are a number of best practices steps that you can take within your organization. We also recognize that many organizations already have standards or are required to follow specific approaches based on their compliance requirements.

Let’s dive in!

Guiding Principles of Password Management 

There are some key principles that we’d suggest that you consider for password management as guided by NIST 800-63 password requirements. These principles are highlighted below, after which we document some different compliance regulations. 

Longer is Better 

Over the last few years there has been a shift in thinking, especially with regard to NIST. Complex passwords were first viewed as being more powerful. Now, the view is that length matters more. The key here is that a user has a long password that they can remember. When users find themselves having to juggle multiple passwords with complexity requirements, they tend to pick a simple word or phrase and tack a number and special character onto it. For example: Password123! 

Password Rotation is Less Valuable than Unique Passwords

STAT:  73% of users have the same password for multiple sites. One third always use the same password. [Digicert]

Historically the view was that passwords should be rotated often and this was likely due to the fact that many users leveraged the same password across all of their IT systems and accounts. Now, the idea is to change (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Greg Keller. Read the original post at: https://jumpcloud.com/blog/best-practices-password-management/