MS-ISAC Security Primer – Organizational Password Best Practices
- Implement complexity rules that:
  - Enforce a minimum password length of 14 characters.
  - Force passwords to contain uppercase and lowercase letters, numbers 0 through 9, and non-alphanumeric characters.
  - Do not allow repetitive or sequential characters (e.g. ‘aaaaaa’, ‘abc123’).
  - Do not allow context-specific words, including usernames and their derivatives.
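The four complexity rules above can be enforced mechanically at password-change time. The checker below is an added example written for this primer, not MS-ISAC code: the run length of 3 used to define "repetitive" and "sequential", and the small leet-speak reversal used to catch derivatives of a username, are assumptions chosen for illustration.

```python
import re

MIN_LENGTH = 14     # the primer's minimum length
RUN_LENGTH = 3      # run length treated as "repetitive" or "sequential" (assumed threshold)

# Simple leet-speak reversal so 'j5m!th' is still caught as a derivative of 'jsmith' (assumption)
_LEET = str.maketrans("013457@$!", "oleastasi")


def has_repetitive_run(pw: str, run: int = RUN_LENGTH) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw: str, run: int = RUN_LENGTH) -> bool:
    """True if `run` consecutive characters step up or down by one code point
    (e.g. 'abc', '123', 'cba'); case-insensitive."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_context_word(pw: str, context_words) -> bool:
    """True if the password contains a context-specific word (username, organisation name)
    or a simple derivative of it (case changes, common leet substitutions)."""
    lowered = pw.lower()
    deleeted = lowered.translate(_LEET)
    return any(len(w) >= 3 and (w.lower() in lowered or w.lower() in deleeted)
               for w in context_words)


def check_password(pw: str, context_words=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no non-alphanumeric character")
    if has_repetitive_run(pw):
        problems.append("repetitive characters")
    if has_sequential_run(pw):
        problems.append("sequential characters")
    if contains_context_word(pw, context_words):
        problems.append("contains a context-specific word")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; 'jsmith' stands in for the account's username.
    for candidate in ["aaaaaa", "abc123", "jsmith2024Password!", "Xq7#mLp2!vRw9$kT"]:
        print(repr(candidate), "->", check_password(candidate, ["jsmith"]) or "OK")
```

Feed `check_password` the username, the organisation name and product names as `context_words`; a real deployment would also reject passwords found in breach corpora, which this primer does not cover.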
To calculate the entropy (strength) of a password, the size of the character set is raised to the power of the password length; the result is the number of candidate passwords an exhaustive search must try. There are 26 uppercase, 26 lowercase, 10 digit, and 33 ASCII-printable symbol characters available on the average keyboard. A computer can guess over 1 billion passwords per second. The table below shows the resulting time to exhaust every password of a given length.
| Characters | 8 characters | 9 characters | 10 characters | 11 characters | 12 characters |
|---|---|---|---|---|---|
| All | 70 days | 18 years | 1,707 years | 169,547 years | 15,091,334 years |
| lowercase only | 208 seconds | 90 minutes | 39 hours | 42 days | 3 years |
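The calculation behind the table, as an added example (not part of the primer): search space as charset size to the power of the length, the same quantity as bits of entropy, and worst-case time at the primer's rate of 1 billion guesses per second. The lowercase row reproduces the primer's figures; the "All" row comes out somewhat larger than the primer's (for example about 76 days rather than 70 for 8 characters) because the primer does not state the exact rate or rounding it used. The unit-selection rule in `humanize` is my own choice.

```python
import math

GUESSES_PER_SECOND = 1_000_000_000      # the primer's "over 1 billion passwords per second"

# Character-set sizes from the primer: 26 + 26 + 10 + 33 printable ASCII characters
CHARSETS = {
    "lowercase only": 26,
    "All": 26 + 26 + 10 + 33,
}
LENGTHS = range(8, 13)

_UNITS = [("seconds", 1), ("minutes", 60), ("hours", 3600),
          ("days", 86400), ("years", 365 * 86400)]


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords: charset size raised to the password length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity expressed as bits of entropy: length * log2(charset size)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password at `rate` guesses per second."""
    return search_space(charset_size, length) / rate


def humanize(seconds: float) -> str:
    """Express a duration in the largest unit that gives at least one whole unit (assumed rule)."""
    name, size = _UNITS[0]
    for unit_name, unit_size in _UNITS:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    return f"{int(seconds // size):,} {name}"


def crack_time_table(charsets=CHARSETS, lengths=LENGTHS) -> dict:
    """Build {charset label: {length: human-readable time}} in the shape of the primer's table."""
    return {label: {n: humanize(seconds_to_exhaust(size, n)) for n in lengths}
            for label, size in charsets.items()}


if __name__ == "__main__":
    print(f"{'Characters':<16}" + "".join(f"{n} chars".rjust(20) for n in LENGTHS))
    for label, row in crack_time_table().items():
        print(f"{label:<16}" + "".join(row[n].rjust(20) for n in LENGTHS))
    print(f"\n8 lowercase chars = {entropy_bits(26, 8):.1f} bits; "
          f"14 chars from all 95 = {entropy_bits(95, 14):.1f} bits")
```

Note that these are exhaustive-search figures for truly random passwords; a dictionary or rule-based attack on a human-chosen password finishes far sooner, which is why the complexity and context-word rules above matter as much as length.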
- Implement two- or multi-factor authentication to be used in conjunction with a password:
  - something you have (e.g. mobile phone to receive text messages, a physical key, etc.);
  - something you are (e.g. biometrics such as a fingerprint); or
  - someplace you are (e.g. GeoIP).
- Password policies should enforce:
  - a maximum password age of between 30 and 90 days;
  - a minimum password age in conjunction with a password history to limit password reuse. Without a minimum password age, enforcing a password history is not effective, because a user can cycle through the history in one sitting and return to the old password;
  - acceptance of all Unicode characters and spaces.
- Educate employees on password best practices.
- Do not store passwords using reversible encryption. Passwords should be stored assuming eventual compromise of the password database, using salted one-way key derivation functions.
The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24x7 cybersecurity assistance is available at 866-787-4722, SOC@cisecurity.org. The MS-ISAC is interested in your comments - an anonymous feedback survey is available.