This has been a hot-button question ever since the National Institute of Standards and Technology (NIST) released its updated guidelines. The key points from the guidelines are as follows:
- Minimum of 8 characters
- Don't require special characters or numbers
- Block passwords from previous breaches
- Block common passwords (e.g. 'password1', 'p@ssw0rd', 'welcome123')
- Don't re-use the same password used for other online services
- Avoid single dictionary words even if used with a special character or number (e.g. 'trouble123', 'trouble!')
- Do not use repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd')
- Avoid context-specific words, such as the name of the service, the username, and derivatives thereof (e.g. 'gmail12345', 'hotmailpassword1')
- Make passwords as long as possible, up to 64 characters, to improve password strength. Passwords that are too short are vulnerable to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.
- Generate random passwords whenever possible rather than coming up with your own
- Use a password manager to store your passwords so you don't have to rely on memory to remember longer, more secure passwords
- Use multi-factor authentication (or two-factor authentication if multi-factor is not available) wherever possible, in addition to a secure password (e.g. authenticator apps such as Microsoft Authenticator, or two-factor via recovery email or SMS)
- Don't require mandatory periodic password resets for user accounts unless there is evidence the password was compromised, the user forgot their password, or the user leaves the organization.
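To make the list above concrete, here is an added example (not from the original post) of a policy checker that applies the NIST-style rules just listed: length bounds, a blocklist of common/breached passwords, repeated and sequential characters, and context words such as the username or service name including simple leetspeak derivatives. The blocklist is a constructed stand-in; a real deployment would check against a full breach corpus.

```python
# Added example: NIST-style password policy checks. Blocklist and names are
# constructed sample data, not a real breach corpus.
import re

MIN_LENGTH = 8     # NIST minimum; the post argues for 15-18 in practice
MAX_LENGTH = 64    # leave room for long passphrases

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password1", "p@ssw0rd", "welcome123", "qwerty", "letmein"}


def has_repetition(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive chars step up or down by one ('1234', 'dcba')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_context_word(pw: str, context: list[str]) -> bool:
    """True if the password contains a context word (service, username) or a
    simple leetspeak derivative of it, ignoring case."""
    leet = str.maketrans("4301$7@", "aeolsta")
    normalized = pw.lower().translate(leet)
    return any(w.lower() in normalized for w in context if len(w) >= 3)


def check_password(pw: str, username: str = "", service: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if not MIN_LENGTH <= len(pw) <= MAX_LENGTH:
        problems.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("password appears in the common/breached list")
    if has_repetition(pw):
        problems.append("contains repeated characters")
    if has_sequence(pw):
        problems.append("contains sequential characters")
    if has_context_word(pw, [username, service]):
        problems.append("contains the username or service name")
    return problems
```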
This can be a lot to take in and leaves some people confused, as some of the points can seem contradictory. For starters, they recommend a minimum of 8 characters for a password policy without enforcing password complexity such as numbers and/or symbols. If you look at the graphic below provided by howsecureismypassword.net, it shows that a password of 8 lowercase letters can be hacked in 5 seconds. If you add in a number, an uppercase letter and a symbol, that increases to 8 hours, which is still an extremely insecure password. To their credit, they do make another recommendation to increase the length of the password in order to increase its strength. From a password policy standpoint it would be more prudent to enforce a longer minimum password length, such as 18 if you only require lowercase letters or 15 if you require a mix of upper and lowercase letters. For the first option you are looking at roughly 23 million years to crack an 18 character lowercase password, or 43 million years to crack the 15 character password with a mix of upper and lowercase letters. That's a lot better than 5 seconds.
You may be asking yourself how you can possibly enforce a 15 or 18 character password policy for end-users. How will they ever remember a password that long? The answer is passphrases: random words paired together with a space, symbol or number to make up the password. If you want to get fancy, you could capitalize one of the letters. The interesting part of the NIST guidelines is that they advise against using a dictionary word because it is susceptible to dictionary attacks; however, that applies to a single word, not a string of 4 or 5 words paired together into a much longer password. To be fair, the NIST guidelines later also recommend some form of passphrase to make passwords longer, but because of the earlier recommendation not to use dictionary words, it's easy to get confused. In addition, according to ZDNet, the FBI is also recommending passphrases over random passwords. The graphic below, which some may have seen circulating on the internet, does a decent job of explaining why passphrases are better than shorter complex passwords. The short answer is that a passphrase is easier for a human to remember and harder for a computer to guess, because of the longer length and the vastly larger number of combinations that a longer password introduces.
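The brute-force arithmetic behind the crack-time figures and the passphrase argument above, as an added example that is not part of the original post. The guess rate is an assumption calibrated so that 8 lowercase letters take 5 seconds, as the post states; howsecureismypassword.net does not publish its methodology, so the other figures only approximately match. The 7776-word dictionary size for the passphrase comparison is also an assumption, since the post names no word list.

```python
# Added example: keyspace, entropy and worst-case crack time for the password
# shapes discussed in the post. Rate and dictionary size are assumptions.
import math

GUESSES_PER_SEC = 26 ** 8 / 5          # assumption: ~4.2e10 guesses/s
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def crack_time_years(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SEC) -> float:
    """Worst-case years to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def entropy_bits(combinations: int) -> float:
    """Bits of entropy for a uniformly random choice among `combinations`."""
    return math.log2(combinations)


def passphrase_combinations(words: int, dictionary_size: int) -> int:
    """A random passphrase treats each word as one symbol drawn from the
    whole dictionary, so its keyspace is dictionary_size ** words."""
    return keyspace(dictionary_size, words)


if __name__ == "__main__":
    # Alphabet sizes: 26 lowercase, 52 mixed case, 95 printable ASCII.
    cases = [("8 lowercase", 26, 8), ("8 full ASCII", 95, 8),
             ("15 mixed case", 52, 15), ("18 lowercase", 26, 18)]
    for label, alpha, n in cases:
        print(f"{label:14s} {entropy_bits(keyspace(alpha, n)):5.1f} bits "
              f"{crack_time_years(alpha, n):.3g} years")
    # 4 or 5 random words from an assumed 7776-word list.
    for words in (4, 5):
        combos = passphrase_combinations(words, 7776)
        print(f"{words}-word phrase  {entropy_bits(combos):5.1f} bits "
              f"{crack_time_years(7776, words):.3g} years")
```

Running it shows an 8-character lowercase password at under 38 bits versus a 4-word passphrase at about 52 bits, which is why the longer phrase wins even though every word is in a dictionary.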
Now that we have identified which types of passwords are more secure and easier for end-users to remember, let's address the elephant in the room: should end-users still periodically change their passwords? According to the NIST guidelines, the answer to that question is no, unless the password itself was breached on the account it protects, such as Active Directory or Azure AD, and/or on another online service that happened to use the same password. That being said, you could make an argument that changing a password once every 6 months or a year has some value, especially if you don't have a system in place that monitors for hacked passwords, or if that system is not perfect and does not identify every password exposed in every security breach on the internet.
A further recommendation is to implement multi-factor authentication with an authenticator app or, if that is not available, two-factor authentication via recovery email or SMS. By adding a second factor, even if your password is hacked you have another line of defense. That being said, these options are not always available and sometimes you are stuck with only a password for protection. In those cases it's even more critical to make sure you have a good password.
You may be asking yourself whether there is still a need for a self-serve password reset system if users aren't forced to change their passwords periodically. That's a great question! You may think no, since passwords won't be changing. But the reality is that they will still have to change, even if not as often as when you enforced a password policy every 60 or 90 days like before. End-users, bless their souls, will still forget their passwords, lock themselves out of their accounts, and need to change their password when it is breached. The cost, as noted by Vijay Shankar from Freshworks referencing Forrester Research, can be up to $70 USD per reset ticket for an MSP or IT department, which can add up fairly fast depending on how many endpoints your helpdesk manages. The other thing to consider for MSPs is this: imagine a CEO or executive at one of your top clients forgets their password and gets locked out of their account right before an important investor meeting where they were to give a key presentation to secure funding for their company. They call your helpdesk and can't get hold of any technicians because everyone is busy. They call five times and still can't reach anyone. The CEO now can't do the presentation and ends up losing a major fundraising opportunity. The CEO then calls the MSP owner and immediately fires them. So you ultimately have a choice: do you want end-users or desperate business owners calling the helpdesk in a panic when they inevitably need to reset their password or unlock their account, or would you like to empower them to do it themselves and be the hero!? This is the better question to ask yourself when determining whether you still need a self-serve password reset system.