After decades of experience, we know that many common password policies don't work and that usability is essential.

Even as the reach of multifactor authentication broadens across the enterprise, the password juggernaut won't be unseated anytime soon—for so many reasons. Though enterprises are pouring increasing amounts of cash into MFA technology, 70 percent of them are still password-centric organizations. This is why a modern authentication scheme can't afford to coast with outmoded password policies.

While organizations gradually layer in other authentication methods, solid password policies still stand as their first line of defense against breaches, which experts say are caused by weak, lost, or stolen passwords 80 percent of the time.

Fighting old ways of thinking

Many enterprises currently rely on old-school policies that enforce rules that research has shown to be either ineffective or downright counterproductive to strengthening passwords. Industry consensus has now shifted to recommend the following measures:

• Consider getting rid of password complexity rules requiring special characters and other randomization of strings.
• Use password screening mechanisms to blacklist previously compromised passwords and other obvious weaknesses.
• Set a minimum password length of 8 characters.
• Let users create much longer passwords and passphrases of as many as 64 characters.
• Stop expiring passwords and requiring periodic password resets.
• Consider checking passwords regularly against breached credential lists.
• Layer in multifactor authentication wherever possible.
• Make it easier for users to use password managers when passwordless options aren't possible.

Some of these recommendations may surprise longtime security veterans. The past few years have seen a sea change by standards bodies and industry leaders in their thinking about passwords. This leads us to the two truths and a lie about corporate password policies, which highlight the biggest changes in thought and strategy for setting effective password policies today.

If a password is never stolen, there's no need to expire it.

MICROSOFT WINDOWS SECURITY BASELINE (2019)

Truth: Enforcing arcane password complexity rules makes them weaker

For a long time, common wisdom was that passwords should be long and complex to thwart brute force attacks and password cracking utilities. This led to the rise in algorithmic enforcement of complexity rules requiring passwords to look like drunken ransom notes featuring lower and upper cases, numerals, and special characters galore.

Please read: Password policy recommendations: Here's what you need to know.

As the world adjusted to this reality, it became clear that while long strings of assorted characters are harder to crack, they're also harder for people to remember.

"Over time, we started saying, 'Let's have password complexity rules. More entropy. More entropy equals stronger,'" says Troy Hunt, a security expert and Microsoft regional director and the founder of Have I Been Pwned, a site that lets you find out if your email address is in a major data breach. He explains that the problem with that is "there is this human side that works in complete parallel to the whole mathematics of entropy and having more character types and longer passwords."

People inevitably have responded to arcane complexity rules with predictable workarounds to game the algorithms. If someone theoretically wants to enter "password" as their password and the algorithm requires a capital letter, Hunt explains that more likely than not, they'll make the first letter a capital "P." If a number is required, then they'll add a "1" at the end. If they're really sophisticated, maybe they'll trade out the "a" with a "4" instead. This natural gaming of the complexity enforcement mechanism actually makes passwords more predictable than ever.

In fact, last year, the National Institute of Standards and Technology (NIST) officially abandoned its composition complexity requirements for passwords in its latest revision of its Digital Identity Guidelines (Special Publication 800-63B), which is an industry gold standard for password policy development.

Instead, NIST recommends that organizations strengthen passwords by blacklisting commonly used, expected, or compromised credentials. NIST suggests use the following checks as a way to screen passwords for weaknesses:

• Passwords obtained from previous breaches (as found in databases like the one maintained by Have I Been Pwned)
• Dictionary words
• Repetitive or sequential characters (e.g., aaaaaa or 1234abcd)
• Context-specific words, such as the name of the service, the username, and derivatives thereof

Truth: Password length is a good indicator of password strength

The common wisdom still stands on password length, though. In fact, experts are now doubling down on encouraging lengthier passwords and passphrases.

NIST maintains that "password length has been found to be the primary factor in characterizing password strength." Its guidelines recommend that passwords be a bare minimum of eight characters long wherever possible and that users be encouraged to make passwords "as lengthy as they want, within reason." NIST suggests password verifiers allowing passwords to be at least 64 characters in length to make that possible.

The realities of legacy systems and many widespread architectures have long made it difficult to enable lengthier passwords, though industry players are trying to ease that pain. For example, in the August 2020 revision of the Security Baseline for Windows 10 and Windows Server, Microsoft announced the rollout of two new security settings to encourage the prevalence of password policies that require lengthier passwords.

The first: Relax minimum password length limits. In the past, Windows didn't allow minimum password lengths of more than 14 characters, but now Microsoft is allowing administrators to set longer limits, to as many as 128 characters.

However, its experts caution about this setting because it could cause compatibility with existing systems and processes. That's where the second setting comes in: Minimum password length audits. These make it possible for an administrator to check on what will happen if they increase password length. As a part of that setting, Windows can now kick out three events to be logged in the System event log: one for awareness, one for configuration, and one for error.

Please read: Minimize risk now with multifactor authentication

These new settings were not added to the baseline itself, due to the application compatibility issues Microsoft experts warn about, but the company says it urges organizations to consider using the settings. This offers a good sign of the direction the industry is moving in with regard to minimum password length recommendations.

So, to sum up, organizations should:

• Set a baseline of 8 characters at a minimum.
• Consider allowing up to 64-character password strings to encourage passphrase use.
• Consider turning on the Windows "Relax minimum password length limits" setting and allow lengths longer than 14 characters.

Lie: Passwords need to be reset regularly

After years of industry consensus that forcing users to periodically change their passwords is a crucial way to maintain proper password hygiene, guidance has changed. The increasingly common guidance now holds that expiring passwords is only an exercise in spinning wheels.

Microsoft axed the password expiration requirement for the Windows Security Baseline in 2019, and when it did, it explained that the only reason why periodic resets had come into fashion was because it was a hedge against the likelihood that a password would be stolen during a certain interval of time.

"If a password is never stolen, there's no need to expire it," Microsoft explained. "And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem."

NIST recommendations also back up this rationale, explaining that password verifiers shouldn't require arbitrary changes, but they should most definitely force a change if there's evidence that a password has been compromised.

The website Have I Been Pwned provides a public API to allow developers to tap into its database of more than 631 million compromised credentials so they can create functionality to run periodic or continuous checks against existing and new user passwords.

Password usability is important

The unifying element of all of these updated recommendations is that usability counts for a lot when it comes to authentication. In fact, that's a big reason why passwords are still around in the first place.

"We need to give more credit to what passwords in the traditional sense do extremely well," Hunt says. "The thing that passwords do better than just about everything else is that everyone knows how to use them."

Please read: Small business security requires a password manager

One of the ways to encourage use of stronger passwords while maximizing convenience is by using password managers. The stance from NIST is that "password managers offer greater security and convenience for the use of passwords to access online services."

Password managers can automatically create longer, more complex passwords for each managed credential, and the user needs to remember only a single passphrase. It's a win-win. Though NIST's official guidelines don't require the use of password managers, it does include guidance to allow paste functionality into password boxes to facilitate the use of these managers.

Password managers have their own usability issues, but they make it possible for people to follow the rules, having sufficiently long passwords, unique to each site. Anything that makes good password practices easier to follow makes the user and organization more secure.

Lessons for leaders

• Password advice: Use a minimum of 8 characters, consider much longer minimums, and allow passwords of up to 64 characters.
• Best password practice says you should check against databases of breached accounts. Use the Have I Been Pwned (@haveibeenpwned) API.
• Many organizations still force users to change passwords periodically, but the value is low and it makes passwords much harder for users.

Ericka Chickowski