Problem solve Get help with specific problems with your technologies, process and projects.

Password policy worst practices

What does and doesn't work in a password policy.

Username/password combinations are the most frequently used access control mechanism in use today. Indeed, the vast majority of networks have no other access controls in place. This underscores the criticality of implementing an effective password policy for your organization.

All security professionals are aware that the more complicated a password is, the less likely it is to be compromised by a brute-force attack. There are numerous tools on the market that facilitate the use of dictionary attacks and other techniques to decrypt stored passwords. You don't have to take my word for it – look at the number of "password recovery" tools available from Because of the prevalence of these tools, many administrators take password policies to an extreme that actually threatens, rather than reinforces, security. Let's take a look at four of the worst practices in password policy:

  1. Assigning passwords to users. Some administrators assume that users can't be trusted to create their own strong passwords. Rather than implement technical controls to enforce reasonable complexity requirements, they simply use a random character generator (or some similar system) to create passwords for users. These passwords often defy simple memorization and prompt users to write them down for easy reference. Unfortunately, this easy reference is often on a sticky note attached to the monitor, keyboard, nearby picture frame or some other easy to find location.

  2. Forcing frequent password changes. Yes, users should change their passwords. The older a password is, the more likely its susceptibility to compromise. On the other hand, requiring users to change their passwords too frequently has the same effect as assigning passwords to users – they write them down! Three to six months is a reasonable password lifetime for most computing environments. Monthly or weekly changes are often excessive.

  3. Overbearing complexity requirements. Users should not be required to remember a password containing three numbers, four uppercase letters, one lowercase letter, a punctuation character and two special symbols. Enough said.

  4. Unenforced complexity requirements. It's great to come up with reasonable complexity guidelines and pass them along to end users, but they're useless unless you enforce them for all users. Yes, even the CEO should have a complex password. After all, the people most likely to merit waivers of standard security policies are also the most lucrative targets for hackers! Use the technical controls within your network operating system to enforce these requirements enterprise-wide.

So, what's a good bottom line? An effective policy I've seen work in many organizations has a few components:

  • Users create their own passwords
  • Passwords may not be a simple dictionary word (or permutation thereof)
  • Passwords must contain at least one non-alphanumeric character and at least eight characters
  • Passwords must be changed every six months (but may be changed more frequently, at the user's discretion)
  • Passwords may not be reused within a 12-month period

A reasonable password policy will be one of your organization's best defenses against malicious activity. Take the time to develop and enforce one today.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the Guide to Databases.

For more information on this topic, visit these resources:

Dig Deeper on User IDs and passwords, privileges and federation

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.