General Password Rules: Strength, Management, Reuse, Policies, MFA

Password Strength

  • Minimum recommended length has evolved:
    • Historically: 8 characters (inadequate)
    • Current baseline: 12 characters
    • Security improves with length; aim for 15–20+ characters, because the number of candidates grows exponentially with length: N = C^L, where N = total combinations, C = character set size, L = password length.
  • Always mix character classes to enlarge C:
    • Upper-case letters (A–Z)
    • Lower-case letters (a–z)
    • Numbers (0–9)
    • Special symbols (e.g., !, @, #, $)
  • Avoid easily guessable data (names, birthdays, dictionary words, common default/leaked passwords).
  • Coming next lecture: use of passphrases.

Password Management (General Guidelines)

  • "Never write passwords down" & "never share passwords" are gold standards.
  • If writing is unavoidable:
    • Store written list in a secure physical location (safe, locked drawer).
    • Never share with colleagues; sharing with a spouse for a genuinely joint account is the only defensible exception, and should be a deliberate decision rather than a habit.
  • Best practice: adopt a password manager to generate, store, and autofill a strong, unique password for every account.

Password Reuse

  • Single most common user mistake: recycling one password across many services.
  • Risk scenario: User chooses P = 1234love for 20 sites. One site is breached; P appears on the Dark Web. The attacker now holds the keys to the remaining 19 sites and tries P there automatically (credential-stuffing attack).
  • Mitigation: unique password per account.
  • Enterprise policy: block reuse of recent passwords (e.g., disallow last 3–6 historical passwords).
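The strength rules from the "Password Strength" section (minimum length, mixed character classes, no common or leaked passwords, N = C^L) and the history rule just described, applied in code. This is an added example, not material from the lecture: the deny-list is a constructed stand-in for a leaked-password feed, and the thresholds (12 characters, 3 character classes, PBKDF2 for the stored history) are assumptions.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed stand-in for a breached/default-password feed; a real deployment
# would query a large leaked-password corpus (e.g. the Have I Been Pwned list).
COMMON_PASSWORDS = {"password", "123456", "admin", "qwerty", "1234love", "letmein"}

# The character classes the lecture lists. C is the combined size of the
# classes that actually occur in the password.
CLASSES = {
    "upper": set(string.ascii_uppercase),  # 26
    "lower": set(string.ascii_lowercase),  # 26
    "digit": set(string.digits),           # 10
    "symbol": set(string.punctuation),     # 32
}

PBKDF2_ROUNDS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def classes_present(password):
    return [name for name, chars in CLASSES.items() if any(ch in chars for ch in password)]


def charset_size(password):
    """C: combined size of the character classes present in the password."""
    return sum(len(CLASSES[name]) for name in classes_present(password))


def keyspace_bits(password):
    """log2(N) for N = C^L: the brute-force search space in bits."""
    c = charset_size(password)
    return len(password) * math.log2(c) if c else 0.0


def seconds_to_exhaust(password, guesses_per_second=1e10):
    """Worst case for an offline attacker guessing at the given rate (assumed 1e10/s)."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; the history stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """history: (salt, digest) pairs for the user's last N passwords."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_password(password, history=(), min_length=12, min_classes=3):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("length")
    if len(classes_present(password)) < min_classes:
        problems.append("classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if in_history(password, history):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    old = [hash_password(p) for p in ("Summer2023!!", "Summer2024!!")]  # last 2 passwords
    for candidate in ("password", "Summer2024!!", "Correct-Horse-Battery-7"):
        print(candidate, check_password(candidate, history=old),
              f"{keyspace_bits(candidate):.1f} bits",
              f"{seconds_to_exhaust(candidate) / 86400:.2g} days at 1e10 guesses/s")
```

The keyspace figures are an upper bound: an attacker tries dictionary words, leaked passwords and patterns like `Summer2024!!` long before exhausting C^L, which is why the deny-list check matters as much as the length rule.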

Password Change Policies

  • Legacy advice: fixed cadence (30/60/90 days).
  • Updated NIST guidance (SP 800-63B):
    • No mandatory periodic change; forced rotation pushes users toward predictable variants (Summer2023 → Summer2024).
    • Change passwords on a risk-based trigger instead: evidence of compromise, or a sensitive environment whose classification requires it.
  • Users should continuously monitor for breaches (e.g., "Have I Been Pwned") and act swiftly.

Account Lockout Policy

  • Mechanism against brute-force guesses.
  • Parameters to configure: threshold (e.g., 3–5 failed attempts), lockout duration (e.g., 5–20 minutes), and the observation window within which failures are counted.
  • Effect: caps online guessing at roughly threshold attempts per lockout period, so working through the full key space takes about (N / threshold) × lockout duration. The key space N = C^L itself is unchanged, and lockouts do nothing against offline cracking of a stolen hash database.
  • Caveat: a lockout keyed on the username alone lets an attacker lock real users out on purpose (denial of service), so pair it with per-IP throttling or blocking and alerting rather than relying on it alone.
  • Implementation examples: Microsoft Active Directory, web-application firewalls.

Default Usernames & Passwords

  • Many devices/services ship with publicly documented defaults (e.g., username: admin / password: admin).
  • Attackers can Google these lists instantly.
  • Action items:
    • Change defaults immediately on first boot.
    • Disable or rename default accounts where possible.

Illustrative Real-World Example (InstructorAlton.com)

  • WordPress site with firewall & lockout policy.
  • Weekly report: Numerous failed logins; most frequent username attempted: admin.
  • System auto-blocked offending IPs and enforced lockouts.
  • Demonstrates: Popularity of default credentials in attack scripts, value of lockouts + IP blocking.
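A replay of the kind of weekly report described above, as an added example that is not the site's firewall, plugin or any real log. Constructed failed-login lines are fed through a lockout rule (a threshold of failures within a window, counted both per username and per source IP) and the script reports locked accounts, blocked IPs, refused attempts and the most-attempted usernames. The log format, thresholds and addresses are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not WordPress's own):
#   <ISO-8601 UTC timestamp> <FAIL|OK> user=<name> ip=<address>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: a bot hammering 'admin' from 203.0.113.7, a legitimate
# user (alice) who mistypes twice, and a second bot from 203.0.113.8 spraying
# one guess per username to stay under any per-account threshold.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z FAIL user=admin ip=203.0.113.7
2024-03-04T10:00:02Z FAIL user=admin ip=203.0.113.7
2024-03-04T10:00:03Z FAIL user=admin ip=203.0.113.7
2024-03-04T10:00:04Z FAIL user=admin ip=203.0.113.7
2024-03-04T10:00:05Z FAIL user=admin ip=203.0.113.7
2024-03-04T10:00:06Z FAIL user=admin ip=203.0.113.7
2024-03-04T10:00:07Z FAIL user=admin ip=203.0.113.7
2024-03-04T10:00:09Z FAIL user=editor ip=203.0.113.7
2024-03-04T10:02:00Z FAIL user=alice ip=198.51.100.9
2024-03-04T10:02:30Z FAIL user=alice ip=198.51.100.9
2024-03-04T10:03:00Z OK user=alice ip=198.51.100.9
2024-03-04T10:05:00Z FAIL user=root ip=203.0.113.8
2024-03-04T10:05:01Z FAIL user=test ip=203.0.113.8
2024-03-04T10:05:02Z FAIL user=admin ip=203.0.113.8
2024-03-04T10:05:03Z FAIL user=wordpress ip=203.0.113.8
2024-03-04T10:05:04Z FAIL user=user ip=203.0.113.8
2024-03-04T10:05:05Z FAIL user=guest ip=203.0.113.8
"""


def parse(lines):
    """Yield (timestamp, result, user, ip); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["result"], m["user"], m["ip"]


def evaluate(lines, threshold=5, window=timedelta(minutes=10), lockout=timedelta(minutes=15)):
    """Replay the log, applying the lockout rule per username and per source IP.

    An attempt that arrives while its username is locked or its IP is blocked is
    refused before the password is checked, so it neither counts as a failure
    nor tells the attacker whether the guess was right.
    """
    failures = {"user": defaultdict(deque), "ip": defaultdict(deque)}  # recent failure times
    until = {"user": {}, "ip": {}}                                      # lock/block expiry
    attempts = Counter()
    refused = 0
    for ts, result, user, ip in parse(lines):
        attempts[user] += 1
        if until["user"].get(user, ts) > ts or until["ip"].get(ip, ts) > ts:
            refused += 1
            continue
        if result == "OK":
            failures["user"][user].clear()  # a successful login resets the account counter
            continue
        for kind, key in (("user", user), ("ip", ip)):
            recent = failures[kind][key]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures older than the window
                recent.popleft()
            if len(recent) >= threshold:
                until[kind][key] = ts + lockout
                recent.clear()
    return {
        "locked_users": until["user"],
        "blocked_ips": until["ip"],
        "refused": refused,
        "top_usernames": attempts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The per-IP counter is what catches the second bot: each of its usernames sees only one failure, so a username-only lockout would never fire, while the combined count from 203.0.113.8 crosses the threshold and the address is blocked. The same counter lets the legitimate user recover, since a successful login clears only her own failure history.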

Multifactor Authentication (MFA)

  • Adds a second factor, something you have (SMS code, authenticator app, hardware token), to something you know (password), so a stolen or guessed password alone is not enough to log in.
  • Neutralizes credential stuffing and most password guessing. Against phishing the factors differ: SMS and app-generated codes can be relayed by a real-time phishing proxy, and SMS is also exposed to SIM swapping, whereas FIDO2/WebAuthn security keys and passkeys are bound to the legitimate site's origin and resist phishing.
  • Enable MFA on: Corporate VPN, email, internal portals, personal online accounts (banking, social media, cloud storage).
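How the "authenticator app" factor actually works, as an added example that is not part of the lecture: a Python implementation of RFC 4226 HOTP and RFC 6238 TOTP, plus the server-side verifier, which tolerates one 30-second step of clock drift and refuses a code that has already been accepted. The secret used is the published RFC test-vector key, not a production secret; the skew and step values are the usual defaults and are assumptions here.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side check of a user-supplied code.

    Accepts the current step and `skew` steps either side (phone clocks drift),
    and remembers the highest counter accepted so a captured code cannot be
    replayed within the window.
    """

    def __init__(self, secret_b32, step=30, digits=6, skew=1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step, self.digits, self.skew = step, digits, skew
        self.last_counter = -1

    def verify(self, code, at=None):
        counter = int(time.time() if at is None else at) // self.step
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_counter:
                continue  # this step already produced an accepted code: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):  # constant-time
                self.last_counter = candidate
                return True
        return False


# RFC 6238 test-vector secret ("12345678901234567890" in base32); demo only.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = base64.b32decode(DEMO_SECRET_B32)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(secret, 59)
    print("code at t=59:", code, "accepted:", verifier.verify(code, 59))
    print("same code again (replay):", verifier.verify(code, 59))
    print("current code:", totp(secret, time.time()))
```

Two details matter in practice: the comparison is constant-time so response timing leaks nothing about the expected digits, and the shared secret is the whole security of the factor, so it must be stored as carefully as a password hash would be (it cannot be hashed, since the server needs it to recompute codes).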

Continuous Security Hygiene

  • Regularly review account activity & breach notifications.
  • Tie password policies to broader security program (patching, user education, phishing simulations).
  • Ethical/practical takeaway: User behavior often conflicts with security best practice; design systems (password managers, MFA) that minimize cognitive burden while maximizing protection.