
Penguin Fortress YouTube Channel

Stupid password rules - Guide to making rules that make passwords secure

What makes a secure password? Can you force users to make their passwords more secure, or does doing so just result in stupid password rules?

Looking at rules and guidelines from NIST, PCI DSS, UK NCSC, Microsoft, Red Hat and Google, I unravel the rules that help make passwords secure, and the ones that stupidly make passwords less secure.

Understand the difference between minimum password age and maximum password age (expiry) and why neither makes your password more secure.

Transcript: Stupid password rules - Guide to making rules that make passwords secure - Video Transcript

The summary for my findings is below. See the video above for an explanation of why I suggest these.

Password Expiry

I agree with the NIST recommendations that users should not be forced to change their password after a set time.

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

Note however that if you do handle credit card payments then you may need to comply with PCI DSS, which requires passwords to be changed at least every 90 days.

Minimum Password Age

Just don't do it! It's a stupid password rule, it doesn't make the password any more secure and can increase the risk.
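On Linux the two settings discussed above live in /etc/login.defs as PASS_MAX_DAYS (expiry) and PASS_MIN_DAYS (minimum age). The following audit script is an added example, not code from the original page or video: it parses a login.defs-style file and flags a non-zero minimum age and, unless the PCI DSS 90-day rule applies, forced periodic expiry. The sample file contents are constructed for the example; the key names are the ones shadow-utils reads.

```python
"""Audit password-ageing settings in a login.defs-style file.

Added example, not from the original page. It reads the
PASS_MAX_DAYS / PASS_MIN_DAYS keys that shadow-utils takes from
/etc/login.defs and flags the settings the page argues against:
a non-zero minimum password age, and forced periodic expiry
(unless a PCI DSS-style 90-day maximum is required).
"""

NO_EXPIRY = 99999  # shadow-utils convention for "password never expires"
PCI_MAX_DAYS = 90  # PCI DSS expiry requirement mentioned on the page


def parse_login_defs(text):
    """Return {KEY: value} for uncommented 'KEY VALUE' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit_password_ageing(text, pci_dss=False):
    """Return a list of findings; an empty list means the settings match the advice."""
    s = parse_login_defs(text)
    findings = []
    min_days = int(s.get("PASS_MIN_DAYS", "0"))
    max_days = int(s.get("PASS_MAX_DAYS", str(NO_EXPIRY)))

    # Minimum age: stops a user replacing a password they know has leaked.
    if min_days > 0:
        findings.append(
            f"PASS_MIN_DAYS={min_days}: minimum password age blocks users from "
            "replacing a leaked password; set it to 0"
        )

    # Maximum age: NIST says no arbitrary expiry; PCI DSS says 90 days.
    if pci_dss:
        if max_days > PCI_MAX_DAYS:
            findings.append(
                f"PASS_MAX_DAYS={max_days}: PCI DSS requires expiry within {PCI_MAX_DAYS} days"
            )
    elif max_days < NO_EXPIRY:
        findings.append(
            f"PASS_MAX_DAYS={max_days}: periodic expiry is not recommended by NIST; "
            f"set it to {NO_EXPIRY} and force a change only on evidence of compromise"
        )
    return findings


# Constructed sample: a distro default with a 90-day expiry and a 7-day minimum age added.
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample, not a real system's file)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   7
"""

if __name__ == "__main__":
    for f in audit_password_ageing(SAMPLE_LOGIN_DEFS):
        print("finding:", f)
    for f in audit_password_ageing(SAMPLE_LOGIN_DEFS, pci_dss=True):
        print("finding (PCI DSS):", f)
```

login.defs only sets the defaults for newly created accounts; existing accounts carry their own values in /etc/shadow, which you can inspect with `chage -l USER` and correct with `chage -m 0 -M 99999 USER`.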

Password Complexity / Composition Rules

NIST say not to impose composition rules, PCI DSS requires letters and numbers. I think these are both sensible. I don't believe that adding special characters is worth the additional inconvenience.

Using a blacklist is a useful way to avoid common passwords. User education is useful.

Password Minimum Length

PCI DSS says a minimum of 7 characters. Microsoft recommends a minimum of 14 characters for Windows. I would suggest 8 characters as a useful minimum.

Maximum Password Length

NIST only recommends limiting the length of passwords where it becomes computationally expensive to process them, and says verifiers should accept at least 64 characters.
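Putting the composition, blacklist, minimum-length and maximum-length recommendations above together, here is a password checker as an added example (not code from the original page or video). It assumes bcrypt is the password hash: bcrypt ignores everything after 72 bytes, so that is the one place a maximum length is justified, and the checker rejects rather than silently truncates. The blacklist is a small constructed set; a real deployment would load a large breached-password list.

```python
"""Check a candidate password against the rules this page recommends.

Added example, not code from the original page. Rules applied:
  - minimum length 8 (page's suggestion; PCI DSS says 7, Microsoft 14)
  - letters and numbers required (PCI DSS); no special-character rule (NIST)
  - blacklist of common passwords
  - a maximum only because the hash needs one: bcrypt ignores input
    beyond 72 bytes, so longer passwords are rejected, not truncated.
"""
import unicodedata

MIN_LENGTH = 8
BCRYPT_MAX_BYTES = 72    # bcrypt's input limit; bytes beyond it are ignored
NIST_MIN_ACCEPTED = 64   # NIST SP 800-63B: verifiers should accept at least 64 chars

# 64 ASCII characters fit inside bcrypt's limit, so the NIST floor is honoured.
assert NIST_MIN_ACCEPTED <= BCRYPT_MAX_BYTES

# Constructed blacklist for the example; load a real breached-password list in practice.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def normalize(password):
    """NFKC-normalise so the same visible password always yields the same bytes."""
    return unicodedata.normalize("NFKC", password)


def check_password(password, blacklist=COMMON_PASSWORDS):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Length is checked in bytes because that is what bcrypt truncates on.
    if len(pw.encode("utf-8")) > BCRYPT_MAX_BYTES:
        problems.append(f"longer than {BCRYPT_MAX_BYTES} bytes, which bcrypt would silently truncate")
    if not any(c.isalpha() for c in pw):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("contains no numbers")
    if pw.lower() in blacklist:
        problems.append("is on the common-password blacklist")
    return problems


if __name__ == "__main__":
    for candidate in ["Password1", "abc", "correcthorse7battery", "a1" * 40]:
        result = check_password(candidate)
        print(f"{candidate[:20]!r}: {'ok' if not result else '; '.join(result)}")
```

If you need to accept passwords longer than 72 bytes, switch to a hash without that limit (Argon2id or scrypt) rather than raising the cap on bcrypt input; the check above then only needs the bcrypt branch removed.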

Null / Default Passwords

Where possible equipment should ship without a default password, or with a unique password. If you have any equipment that does ship with a default password then the password should be changed immediately.

External Sources

These are some of the sources I've used when researching this.

More information

Please subscribe to Penguin Fortress on YouTube for future videos.

For more details about how username and password security work on Linux systems see the following guides:

Hacking Passwords
MFA / 2FA Authentication