CIS Password Policy Guide: Passphrases, Monitoring, and More

CIS Password Policy Guide offers recommendations around system-based assists for password creation, outlines helpful policies, and offers extensive references.


Love them or hate them, passwords are a time-tested but imperfect method of user authentication that can protect organizations from cyber-attacks if used correctly. To be truly effective, however, an organization's password policy must include additional defensive strategies to prevent unauthorized access.

New password policy standards are based on two primary principles: leveraging real-world attack data and making it easier for users to create and remember passwords.

Organizations need to employ updated tools and policies to conform to these new standards. These include new approaches to password creation, multi-factor authentication (MFA), account lockouts, and other safeguards.

CIS Password Policy Guide

The CIS Password Policy Guide released in July 2020 consolidates this new password guidance into a single source. This easy-to-follow guide not only provides best practices but explains the reasoning behind the recommendations. It includes information on the most common password hacking techniques, along with best practice recommendations to prevent attacks. The Guide was developed through the same community-driven, consensus-based process used to develop the CIS Benchmarks and CIS Controls.

Password Creation

To assist users with creating and remembering passwords, the Guide offers the following tips:

  • Use "passphrases" instead of passwords -- Length is the most important aspect of a good password. However, a single long word is not only difficult to remember, it's also difficult to spell. A passphrase containing a number of words, such as CapeCodisaFunPlace, is both easier to remember and harder to crack.
  • Don't use words related to your personal information -- Avoid things that attackers can look up about you on the internet. If you are the president of the local Mustang car club, you shouldn't use "Mustang" as a password.
  • Limit using dictionary words -- In general, the way adversaries attack passwords is by trying various combinations of words in the dictionary first. This is a lot of words, but a lot fewer than trying all the possible letter combinations. Use non-dictionary alternatives for passphrases, for example: Th3F0rdMust@ngis#1

System Recommendations

The Guide also includes options for those responsible for managing password and access systems:

  • Use Multi-Factor Authentication (MFA) -- MFA, sometimes referred to as Two-Factor Authentication (2FA), requires the user to present two, or more, pieces of evidence when logging in to an account. MFA is the most secure user authentication method available on the market today, and has minimal impact on usability.
  • Offer Password Managers -- System-generated passwords created by a password manager are much stronger than human-created passwords. Users will likely not remember the result, however, which will look something like this: GHj*65%789JnF4$#$68IJHr54^78. So, the password manager takes care of the storage and management of that password for the user.
  • Use more sophisticated access lockout techniques -- Enforcing temporary lockouts (15 minutes or more) after five consecutive failed attempts, or using time-doubling login throttling techniques, combined with failed login monitoring, can be much more effective than focusing solely on the password.
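To make the lockout recommendation concrete, here is an added example (not code from the CIS Guide or this article) of a small login-attempt policy engine: it implements both the fixed 15-minute lockout after five consecutive failures and the time-doubling throttle the text describes, and records a monitoring alert once an account crosses the failure threshold. The event list, thresholds and base delay are constructed assumptions, not values from the Guide.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5       # consecutive failures before a lockout / alert (assumed)
LOCKOUT_SECONDS = 15 * 60   # fixed lockout duration: 15 minutes
BASE_DELAY_SECONDS = 1      # first delay for the time-doubling policy (assumed)


@dataclass
class AccountState:
    failures: int = 0           # consecutive failed attempts since last success
    blocked_until: float = 0.0  # epoch seconds; 0 means the account is not blocked


class LoginThrottle:
    """policy is 'lockout' (fixed lockout after LOCKOUT_THRESHOLD failures)
    or 'doubling' (the enforced wait doubles after every failed attempt)."""

    def __init__(self, policy="lockout"):
        self.policy = policy
        self.accounts = {}
        self.alerts = []        # failed-login monitoring output for the SOC

    def attempt(self, user, password_ok, now):
        st = self.accounts.setdefault(user, AccountState())
        if now < st.blocked_until:
            return "blocked"    # refused before any password check, so it is not a guess
        if password_ok:
            st.failures = 0     # a successful login clears the failure streak
            return "ok"
        st.failures += 1
        if self.policy == "doubling":
            st.blocked_until = now + BASE_DELAY_SECONDS * 2 ** (st.failures - 1)
        elif st.failures >= LOCKOUT_THRESHOLD:
            st.blocked_until = now + LOCKOUT_SECONDS
        if st.failures >= LOCKOUT_THRESHOLD:
            self.alerts.append(f"{user}: {st.failures} consecutive failures at t={now}")
        return "failed"


def simulate(policy, events, t0=1_000_000):
    """Replay constructed (seconds_offset, user, password_ok) events and
    return the per-attempt outcomes plus any monitoring alerts."""
    throttle = LoginThrottle(policy)
    results = [throttle.attempt(u, ok, t0 + dt) for dt, u, ok in events]
    return results, throttle.alerts


# Constructed sample: six rapid wrong guesses, a correct login 10 s later,
# and another correct login after the 15-minute window has passed.
SAMPLE_EVENTS = [(i, "alice", False) for i in range(6)] + [
    (10, "alice", True), (910, "alice", True)]
```

Under the fixed-lockout policy the correct password at t+10 is still refused, while the doubling policy only ever inserts short, growing delays; both policies surface the account to monitoring once the streak reaches the threshold.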

Download Your Free Copy of the Password Policy Guide

There are many more detailed recommendations contained in the CIS Password Policy Guide. These include:

  • System-based assists for password creation
  • Helpful policies
  • Extensive references


Copyright © 2020 IDG Communications, Inc.