CIS Password Policy Guide: Passphrases, Monitoring, and More
Love them or hate them, but passwords have undeniably been a time-tested and imperfect method for user authentication that can protect organizations from cyber-attacks if used correctly. To be truly effective however, an organization’s password policy must include additional defensive strategies to prevent unauthorized access.
New password policy standards are based on two primary principles: leveraging real-world attack data and making it easier for users to create and remember passwords.
CIS Password Policy Guide
Looking to streamline your compliance efforts? Here’s how the CIS Controls and CIS Benchmarks can help.
- Use “passphrases” instead of passwords — Length is the most important aspect of a good password. However a single long word is not only difficult to remember, it’s also difficult to spell. A passphrase containing a number of words, such as CapeCodisaFunPlace, is both easier to remember and harder to crack.
- Don’t use words related to your personal information — Avoid things that attackers can look up about you on the internet. If you are the president of the local Mustang car club, you shouldn’t use “Mustang” as a password.
- Limit using dictionary words: In general, the way adversaries attack passwords is by trying various combinations of words in the dictionary first. This is a lot of words, but a lot fewer than trying all the possible letter combinations. Use non-dictionary alternatives for passphrases, for example: Th3F0rdMust@ngis#1
- Use Multi-Factor Authentication (MFA) — MFA, sometimes referred to as Two-Factor Authentication (2FA), allows the user to present two, or more, pieces of evidence when logging in to an account. MFA is the most secure user authentication method available on the market today, and has minimal impact on usability.
- Offer Password Managers — System generated passwords created by a password manager are much stronger than human-created passwords. Users will likely not remember the result however, which will look something like this: GHj*65%789JnF4$#$68IJHr54^78. So, the password manager takes care of the storage and management of that password for the user.
- Use more sophisticated access lockout techniques — Enforcing temporary lockouts (15 minutes of more) after five consecutive failed attempts, or using time doubling login throttling techniques, combined with failed login monitoring can be much more effective than focusing solely on the password
Download Your Free Copy of the Password Policy Guide
There are many more detailed recommendations contained in the CIS Password Policy Guide. These include:
- System-based assists for password creation
- Helpful policies
- Extensive references
Applying these recommendations will ensure an organization implements the most up-to-date controls regarding password management available today.