
Password best practices

Introduction

In today's digital age, the security of your accounts is more important than ever. Passwords are still often the first line of defense against unauthorized access, making it crucial to follow best practices for creating and managing them. Whether you're an administrator responsible for securing an organization's systems or a user looking to protect your personal accounts, understanding and implementing strong password practices is essential.

This article provides a guide to password best practices, taking into account recommendations from the relevant authorities.

Microsoft currently recommends the following settings for M365 passwords

For Administrators

  • Maintain a fourteen-character minimum length requirement
  • Don't impose character composition requirements, for example mandatory symbols such as *&(^%$
  • Don't require mandatory periodic password resets for user accounts
  • Ban common passwords, to keep the most vulnerable passwords out of your system
  • Educate your users not to reuse their organization passwords for non-work-related purposes
  • Enforce registration for multi-factor authentication
  • Enable risk-based multi-factor authentication challenges

For Users

  • Don't use a password that is the same or similar to one you use on any other websites
  • Don't use a single word, for example, password, or a commonly used phrase like Iloveyou
  • Make passwords hard to guess, even for people who know a lot about you; avoid the names and birthdays of your friends and family, your favorite bands, and phrases you like to use

What Microsoft says about the potential negative consequences of traditional password policies

User password expiration requirements

Password expiration requirements do more harm than good, as they make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted from the previous one. Password expiration requirements offer no containment benefit because cybercriminals almost always use credentials as soon as they compromise them.

Minimum password length requirements

To encourage users to think about a unique password, we recommend keeping a reasonable eight-character minimum length requirement.

Require the use of multiple character sets

Password complexity requirements reduce the key space and cause users to act in predictable ways, doing more harm than good. Most systems enforce some level of password complexity requirements. For example, passwords need characters from all three of the following categories:

  • uppercase characters
  • lowercase characters
  • non-alphanumeric characters

Most people use similar patterns: for example, a capital letter in the first position, a symbol in the last, and a number in the last two. Cybercriminals are aware of such patterns, so they run their dictionary attacks using the most common substitutions: "$" for "s", "@" for "a", "1" for "l". Forcing your users to choose a combination of uppercase letters, lowercase letters, digits and special characters therefore has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable ones.

What Microsoft thinks is the better approach

Ban common passwords

The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords, to reduce your organization's susceptibility to brute-force password attacks. Common user passwords include: abcdefg, password, monkey.

Educate users not to reuse organization passwords anywhere else

One of the most important messages to get across to users in your organization is not to reuse their organization password anywhere else. The use of organization passwords on external websites greatly increases the likelihood that cybercriminals can compromise these passwords.

Enforce Multi-Factor Authentication registration

Make sure your users update their contact and security information, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Up-to-date contact and security information helps users verify their identity if they ever forget their password, or if someone else tries to take over their account. It also provides an out-of-band notification channel for security events such as login attempts or changed passwords.

Enable risk based multi-factor authentication

Risk-based multi-factor authentication ensures that when the system detects suspicious activity, it can challenge the user to confirm that they're the legitimate account owner.

The BSI currently issues the following guidelines

INFO

BSI (Bundesamt für Sicherheit in der Informationstechnik) is the German Federal Office for Information Security

What is a strong password

Short, but complex password

  • Is eight to twelve characters long.
  • Consists of four different types of characters.
  • Upper and lower case letters, numbers and special characters are arbitrarily strung together.

Long, but less complex password

  • Is at least 25 characters long.
  • Consists of two types of characters.
  • For example, it can consist of six consecutive words, each separated by a character.

These are the rules

  • One individual password per account!
  • Multi-factor authentication (in addition to the password, e.g. face recognition, app verification, email or a PIN on another device) is recommended.
  • Use all available characters, including uppercase and lowercase letters, numbers, and special characters.
  • The full password should not appear in the dictionary.

What to avoid

  • Names of family members, pets, dates of birth, etc.
  • Simple or well-known repetition or keyboard patterns such as "easdfgh" or ".1234abcd"
  • Numbers or special characters at the beginning or end of an otherwise simple password.
  • Same password for more than one account.

CISA issues the following guidelines

INFO

CISA (Cybersecurity and Infrastructure Security Agency) is a US government agency that is part of the Department of Homeland Security.

  • Long - at least 16 characters long (even longer is better).
  • Random - like a string of mixed-case letters, numbers and symbols (the strongest!) or a passphrase of 4 to 7 random words.
  • Unique - used for one and only one account.

Provide your employees with an enterprise-level password manager or try switching to an identity and access manager (IAM) with single sign-on (SSO). Require that the default credentials for all software and hardware products be changed at first use.

My recommendation

As Microsoft describes, it makes sense to treat users and administrators separately.

For Users

For the normal user, it makes sense to find the most secure variant that also involves the least effort. From experience, there will always be some users looking for the easiest way or making mistakes, and their number grows as more complex password rules are implemented. For this reason, it is recommended to switch to a passwordless procedure such as "Windows Hello for Business" or a FIDO key and at the same time take advantage of risk-based conditional access policies. This makes it possible to reach a level of security that meets Zero Trust or NIS2 requirements while providing a high level of ease of use.

If a normal password is still required, a long password without complexity requirements is recommended. Ideally, this should be a written sentence with punctuation marks. The password should not expire, and certain words related to the company or the person should be prohibited. This helps create a long and complex password that is most likely unique. Since this password does not need to be changed, experience has shown that users put more effort into creating it.
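The following policy check is an added example, not code from the article or from Microsoft: it enforces only the rules discussed above (a length minimum, a ban on common passwords and on company- or person-related words, no character-class requirements) and undoes the common "$"/"@"/"1" substitutions from the Microsoft section before comparing, so that a dressed-up dictionary word is still caught. The word lists, the company names and the extra "0"/"3" substitutions are constructed for the example.

```python
import re

# Constructed sample lists for the example. A real deployment would load the
# organisation's own banned terms and a large common-password list instead.
COMMON_PASSWORDS = {"password", "abcdefg", "monkey", "iloveyou", "qwerty", "123456"}
ORG_TERMS = {"contoso", "fabrikam"}  # hypothetical company/product names

# Substitutions attackers try in dictionary attacks: "$" for "s", "@" for "a",
# "1" for "l" (from the article) plus the equally common "0"/"o" and "3"/"e".
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e"})

MIN_LENGTH = 14  # Microsoft's current minimum; the article suggests whole sentences


def normalize(password: str) -> str:
    """Reduce a password to the word an attacker's dictionary would contain:
    drop leading/trailing digits and symbols, lowercase, undo substitutions.
    'P@$$w0rd2024!' -> 'password'."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return stripped.lower().translate(SUBSTITUTIONS)


def check_password(password: str, user_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    Deliberately enforces no character-class rules (see the article)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(password)
    if core in COMMON_PASSWORDS:
        problems.append("matches a banned common password")
    # Company names and personal details (family, pets, birthdays) are banned as
    # substrings, so 'C0ntoso-Summer-2024!' is rejected even with symbols added.
    banned_terms = ORG_TERMS | {t.lower() for t in user_terms}
    for term in sorted(banned_terms):
        if len(term) >= 4 and term in core:
            problems.append(f"contains banned term '{term}'")
    return problems


if __name__ == "__main__":
    for candidate in ["P@$$w0rd2024!", "C0ntoso-Summer-2024!",
                      "My dog chews the garden hose every Tuesday."]:
        print(repr(candidate), check_password(candidate, user_terms=("Mueller",)))
```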

IMPORTANT

With or without a password, multi-factor authentication should be made mandatory and single sign-on should be activated wherever possible.

For Administrators

For dedicated administrator accounts, a traditional password makes sense, combined with a password manager. This ensures that passwords meet high complexity requirements, are unique and still offer an acceptable user experience for the administrator. With a password manager, a longer password of 14 characters or more with complexity requirements can also be enforced easily. Here too, periodic resets should be dispensed with and more emphasis placed on MFA, risk-based access control and close auditing. In addition, it is important to make sure that no passwords are reused and no simple words are used within them.

IMPORTANT

Guidance for your users and administrators on what good passwords look like and how to handle them correctly is indispensable.

For Non-Interactive Accounts

There are accounts that are not directly used by humans but usually have high permissions, such as service accounts or service principals. They should receive a particularly long (64 characters) and complex password (or use system-managed accounts) that is assigned once and then kept locked away. These accounts should not be subject to regular changes, to prevent service outages. They should be monitored separately, as they are particularly exposed and popular with attackers. However, since these accounts are never used for interactive logins, any interactive sign-in is a clear signal, so they can be monitored reliably.
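The monitoring rule described above, written out as an added example (not part of the article): given an inventory of service accounts, any interactive logon or any failed logon for one of them is raised as an alert, while the network, batch and service logon types such accounts legitimately use are ignored. The events are constructed in a simplified 4624/4625-style key=value format, and the account names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real logs) in a simplified key=value form.
# logon_type follows Windows 4624 semantics: 2 interactive console, 3 network,
# 4 batch, 5 service, 10 RemoteInteractive (RDP), 11 cached interactive.
SAMPLE_EVENTS = """\
time=2024-05-02T08:01:10Z event=4624 account=svc_backup logon_type=5 src=BKP01
time=2024-05-02T08:02:44Z event=4624 account=j.mueller logon_type=2 src=WS0042
time=2024-05-02T08:03:01Z event=4624 account=svc_sql logon_type=3 src=APP07
time=2024-05-02T22:17:30Z event=4624 account=svc_backup logon_type=10 src=10.0.9.23
time=2024-05-02T22:18:02Z event=4625 account=svc_sql logon_type=2 src=WS0099
time=2024-05-03T03:40:00Z event=4624 account=svc_sql logon_type=4 src=APP07
"""

SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}  # hypothetical; take from your inventory
INTERACTIVE_LOGON_TYPES = {2, 10, 11}         # console, RDP, cached console
EXPECTED_LOGON_TYPES = {3, 4, 5}              # network, batch, service


@dataclass(frozen=True)
class Alert:
    time: str
    account: str
    reason: str


def parse_event(line: str) -> dict[str, str]:
    """Turn 'k=v k=v ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def audit_service_logons(raw: str) -> list[Alert]:
    """Return one Alert per event that a non-interactive account should never produce."""
    alerts = []
    for line in raw.splitlines():
        ev = parse_event(line)
        account = ev["account"]
        if account not in SERVICE_ACCOUNTS:
            continue  # human accounts are covered by the normal user policy
        logon_type = int(ev["logon_type"])
        if ev["event"] == "4625":
            alerts.append(Alert(ev["time"], account, "failed logon: guessing or stale credential"))
        elif logon_type in INTERACTIVE_LOGON_TYPES:
            alerts.append(Alert(ev["time"], account, f"interactive logon type {logon_type} from {ev['src']}"))
        elif logon_type not in EXPECTED_LOGON_TYPES:
            alerts.append(Alert(ev["time"], account, f"unexpected logon type {logon_type}"))
    return alerts


if __name__ == "__main__":
    for alert in audit_service_logons(SAMPLE_EVENTS):
        print(alert)
```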