Back in 2016, NIST issued a recommendation to:
- Not require password complexity, only a minimum length.
- Not force periodic resets.
- Check passwords against lists of commonly used passwords.
It may sound surprising, but it is substantiated by solid research into password security. Here is how you can think about it:
1. Your users are creatures of habit and can only remember a limited number of passwords. When asked to make a password more complex, many users will simply capitalize the first letter, put a number at the end, or append a `!`.
   a. Even worse, if your password complexity rules are too arduous, users will resort to writing their passwords down, which undermines the effort you are putting in to make them secure.
2. Resetting passwords periodically does nothing to improve security. If you suspect a breach, or that the credentials were stolen, you can reset them, but in most incidents a backdoor is created as the first step. If anything, forcing users to reset passwords "just because" makes the passwords less secure, for the reasons in point 1 above.
3. To check against commonly known passwords:
   a. Pick up a list of the million most commonly used passwords.
   b. Filter out those that do not fit the password complexity rules.
   c. Add the remaining passwords (or the top x passwords) to the list of disallowed words/passwords.
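The length-only rule and the blocklist steps a–c above, as an added example that is not from the original post. It assumes a constructed eight-entry sample in place of a real top-million list, a minimum length of 8, and a case-insensitive comparison (so that `Password1` and `PASSWORD1` are both caught); the filtering step runs before truncation so that "top N" means the N most common passwords that could actually pass the length rule.

```python
"""Blocklist-based password check in the spirit of the NIST guidance above.

Assumptions (not from the page): a constructed sample of a "common passwords"
list, a minimum length of 8, and a case-insensitive comparison.
"""

# Constructed sample standing in for a real "top N most common passwords" list
# (one password per line, most common first, as such lists are usually distributed).
COMMON_PASSWORDS_SAMPLE = """
123456
password
qwerty
letmein
Password1
iloveyou
football
Summer2016!
""".strip().splitlines()

MIN_LENGTH = 8   # the only composition rule kept: length (assumed value)
MAX_LENGTH = 64  # cap to avoid pathological inputs to the password hash (assumed value)


def load_common_passwords(path):
    """Read a one-password-per-line file such as a downloaded top-million list."""
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        return [line.rstrip("\n") for line in f]


def build_blocklist(common_passwords, min_length=MIN_LENGTH, top_n=None):
    """Steps a-c from the text: take the list, drop entries that could never pass
    the length rule anyway, optionally keep only the top N, and return the set
    (lower-cased, so 'Password1' and 'PASSWORD1' are both caught)."""
    candidates = [p.strip() for p in common_passwords if p.strip()]
    # Filter before truncating so top_n keeps the N most common *eligible*
    # passwords rather than N entries minus the ones that were too short.
    eligible = [p for p in candidates if len(p) >= min_length]
    if top_n is not None:
        eligible = eligible[:top_n]
    return frozenset(p.lower() for p in eligible)


def check_password(candidate, blocklist, min_length=MIN_LENGTH, max_length=MAX_LENGTH):
    """Return a list of problems; an empty list means the password is acceptable.
    Deliberately no upper/lower/digit/symbol requirements."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    elif len(candidate) > max_length:
        problems.append(f"longer than {max_length} characters")
    if candidate.lower() in blocklist:
        problems.append("appears on the common-password list")
    return problems


# Built once at import time; with the sample above only the 5 entries of
# length >= 8 survive the filter.
BLOCKLIST = build_blocklist(COMMON_PASSWORDS_SAMPLE)

if __name__ == "__main__":
    for pw in ["123456", "PASSWORD1", "iloveyou2", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw, BLOCKLIST) or "ok")
```

Note that `iloveyou2` passes even though `iloveyou` is blocked: a plain blocklist does not catch the "append a digit" habit from point 1, which is why a longer list (the full million, not a handful) matters more than clever rules.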
Here is some other good password hygiene:
- Password lockout (for a few minutes) may discourage brute-forcing, but it also allows malicious users to lock other users' accounts. A better way is to force a CAPTCHA test after multiple failed tries.
- If a user is already logged in and is resetting their password, have them confirm their previous password. This protects your users if they leave themselves logged in on public computers.
- Always store passwords with a strong salted hash, and never log them anywhere.
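The three hygiene points above in one place, as an added example that is not from the original post: a salted, iterated hash for storage (PBKDF2-HMAC-SHA256 from the standard library, chosen here as an assumption; the iteration count is an example value to be benchmarked upward), a login that never locks the account but demands a CAPTCHA after a threshold of failures, and a password change that re-checks the old password first. The `UserStore` class, the `CAPTCHA_AFTER` threshold and the in-memory user table are all constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed example value; benchmark and raise it in production
SALT_BYTES = 16
CAPTCHA_AFTER = 5      # failed attempts before a CAPTCHA is required (assumed policy value)


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$hash_hex'
    with a fresh random salt, so equal passwords never produce equal records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and parameters; constant-time compare."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Used when the username does not exist, so that lookups of unknown users cost
# the same as a wrong password and do not reveal which usernames are valid.
_DUMMY_RECORD = hash_password("not a real password")


class UserStore:
    """In-memory stand-in for a user table: username -> {record, failures}.
    Only the hash record is ever kept; the plaintext is never stored or logged."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = {"record": hash_password(password), "failures": 0}

    def login(self, username, password, captcha_passed=False):
        """Return 'ok', 'denied' or 'captcha_required'. The account is never locked,
        so an attacker cannot use failed logins to deny service to its owner."""
        user = self.users.get(username)
        if user is None:
            verify_password(password, _DUMMY_RECORD)  # equalise timing, result ignored
            return "denied"
        if user["failures"] >= CAPTCHA_AFTER and not captcha_passed:
            return "captcha_required"
        if verify_password(password, user["record"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        return "denied"

    def change_password(self, username, old_password, new_password):
        """Require the current password even for an already logged-in session."""
        user = self.users.get(username)
        if user is None or not verify_password(old_password, user["record"]):
            return False
        user["record"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "wrong"))                          # denied
    print(store.login("alice", "correct horse battery staple"))   # ok
    print(store.change_password("alice", "wrong", "new phrase"))  # False
```

The failure counter resets on a successful login, so a legitimate user who mistypes a few times is only inconvenienced by a CAPTCHA, never shut out; a real deployment would also key the counter by source address and persist it outside the process.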