Password best practices controversy

Back to Blog
07Dec2017

Password best practices controversy

Last year, Microsoft published this guidance on passwords, which contains some advice that departs from traditional best practices. For example:

  • Eliminate character composition requirements (e.g. multiple character types @, 2, A, b)
  • Eliminate mandatory periodic resets (do not enforce expiry)

The reasoning is based on Microsoft’s research, and the fact that they see billions of authentications per year. Research is showing that user behavior tends to get worse as more restrictions and rules for complexity are placed upon them. NSIT has also corroborated these findings.*

In other words, users will make poor decisions like re-using passwords, and they will tend to do other stupid things like “increment” their passwords simply by changing the last character (D@isyCh@in1, D@isyCh@in2, etc.), and use obvious substitutions like zero for the letter “O” and @ for the letter “A,” and so on. With the requirement for very long passwords, they just repeat a word twice or several times, or add 123456 to the end. Not so great.

So the reasoning goes: just don’t require users to be smart, because they aren’t going to be in the real world anyway. Instead, we are advised to take other counter-measures, such as banning common passwords & phrases, and requiring a second factor of authentication. There is a lot to be said for this, on both sides of the fence. (I personally still favor educating users, testing them, and issuing other continuous reminders to “slow down”–campaigns like this have been shown to dramatically reduce risk).

Where I take issue with this

The main problem that I see with this advice is that (especially smaller) organizations are going to jump all over it, and turn off their complexity/expiry requirements, but without implementing the necessary counter-protections, such as Multifactor Authentication or Credential Service Providers. Of course, these are key, inseparable points of the narrative that Microsoft and NSIT are promoting, but I really don’t think the full message is being heard yet. I have had several customers (and co-workers) suggest we remove expiry & complexity requirements ASAP. Sorry, not without a replacement strategy.

Second point: we live in a world where breach and compromised credentials is an everyday reality.  Credential dumps, even for major service providers, end up on the dark web at an increasingly alarming rate. Therefore, it seems prudent to me, that even if we remove composition requirements, we should still indeed require regular expiry of passwords.

Maybe that is controversial, but I don’t see another way around it. Is a second factor really enough? We know that round-tripping a code is not difficult to bypass either, right?

Thus, if at any given moment, you could have your password compromised, leaked, hacked, etc. (in fact it is very likely to happen at some point or even several in your working career), then it makes sense to require regular enforced changes, right?  So… how often should we change them?

Six characters can be brute-forced in a matter of hours, and as of today, eight characters still takes a few months (I know–math is weird). Therefore, I think at least semi-annually or quarterly requiring new passwords is a wise choice. Why? Because that way you remain inside the brute force time window, at a minimum. Granted, it is unlikely that brute force will be the vector of attack in most cases, but even so, doesn’t it seem like a reasonable minimum for frequency of change?

What do you think?

*Troy Hunt has a pretty good article on this topic, too.

Technical , , 1 Comment
Share:

Comment (1)

  • fred Reply

    Brute forced. Sure. If you do not have an account lockout policy.
    I have read the recommendations on password policies and why they should be longer, and less complex. With a proper account lockout policy, and the correct requirements for password length, password brute forcing is a thing of the past.
    No hacker is going to even attempt an 11 character password that locks out after 10-15 attempts for 10 minutes. It would take millennia to crack it, and even if they did work it, with an IT staff that is paying attention, the password would be changed, and the hack detected.
    https://www.betterbuys.com/estimating-password-cracking-times/

    December 9, 2017 at 10:02 am

Leave a Reply

Back to Blog

Related Posts

01Sep

A simpler Conditional Access baseline

Some folks have written to me about the "complexity" of my Conditional Access guide and were hoping to find something a bit simpler. This surprised me, and initially I shrugged it off. But I have heard this feedback more than once now, so I decided... read more
03Aug

A tale of two solutions: Azure VMs vs. On-prem Server

I've been studying two different solutions to the same small business problem for a while now, and I think it is high time I finally published an article on it. I run into a fair number of clients who are interested in moving 100% of... read more
26Oct

Tutorial: How to Setup Azure Virtual Network with Windows Server Essentials and a Hardware VPN Appliance

Most tutorials on Azure Virtual Network and site-to-site VPN rely on Windows Server's RRAS role to create a quick and dirty VPN connection for demonstration purposes. But in a real world production environment, this is hardly ever the case; the better option by far for... read more
03Sep

PSA: Careful with MAM – there might be more to it than you think

I have written extensively on Mobile Application Management (MAM), as an alternative to Mobile Device Management (MDM). When implemented properly, it is the perfect solution for protecting company data on unmanaged devices (e.g. BYOD situations). But therein lies the rub. You need to implement it... read more
21Oct

No more excuses: 5 Tips & tricks to make Office 365 MFA easier on people

As I'm sure you are aware by now, Multi-factor Authentication reduces your risk of identity compromise by 99.9%. Requiring so called "strong passwords," by contrast, doesn't make that much difference at the end of the day. And yet, we're still beneath 10% of even just... read more
18Aug

2016 Essentials Integration: Azure AD & Office 365

This post is part of a series on the Microsoft Cloud Services integrations that are included with Windows Server 2016 Essentials Experience. To begin we will connect our local on-premises Windows Essentials Experience Server to the Microsoft cloud by enabling the Azure Active Directory and Office 365 integrations. Please note that this is... read more
30Mar

Why you need UAC (and how to enable it)

I don't know why it has come to this, but here it is. Here we are. We need to review why it is that you need User Account Control (UAC), and how to go about turning it on. I know! Like, why is this even... read more
Alternatives to SharePoint and OneDrive
01Sep

Alternatives to OneDrive and SharePoint (and when to consider them)

One of the things I often get asked about is how to deal with various limitations in OneDrive and SharePoint Online. For those who don’t know, SharePoint Online is the file storage & sharing solution underpinning the Microsoft 365 universe of applications, including the popular... read more
Unboxing Microsoft Defender for Business, Part 1: Simplified configuration process
16Jan

Unboxing Microsoft Defender for Business, Part 1: Simplified configuration process

I have been playing with the new product this past month since getting access to the preview. If you have not yet had a chance to see Microsoft Defender for Business in action, then read along! To get your hands on a copy of this... read more
08Aug

Hyper-V Failover Cluster: MPIO & CSV Storage

Continuing our last post on Hyper-V Failover Clustering, we turn our focus from networking to storage. To bring storage into the picture, we will have to provision some volumes from Storage Spaces, our SAN or other Shared Storage device. This varies by vendor, so see their... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me