“How long should a password be?”
“Should passwords even be used any longer?”
These are questions that organizations have been grappling with as we enter the end of 2022. Each day, we are seeing more articles extolling the benefits of “passwordless authentication”, while at the same time auditors and examiners continue to look at password length and complexity as a critical control that institutions must have in place. Let’s spend some time today looking at these questions.
Most of us experience passwordless authentication every day when we use our smartphones. When we access applications on the phone, the application does not ask us for our password. Instead, the application uses biometrics (our fingerprint or facial image) to prove who we are.
If it is a critical application, we might also need to provide an MFA response in addition to the biometrics. Sure, in the background there is a password that we could use, but that option is much less convenient. The application developer has made a decision to trust that the smartphone software accurately identifies the user.
At a corporate level, organizations can implement similar technologies to those used on a smartphone to authenticate users. They can implement facial recognition and fingerprint readers. They can require that a user plug a USB hard token into the PC to gain access. They can strengthen this by requiring the user to use an authenticator app on their mobile device for critical systems.
The key to the success of this method is that organizations prove that it is the actual user standing next to the computer and not someone who has simply stolen or guessed their user’s password. For this reason, many security professionals consider these methods to be stronger than passwords.
But in banking, we have a dilemma. Developers of the software that we utilize internally have often not advanced to the stage where they support passwordless authentication or trust that the developers of this authentication have made it secure enough. Most banking software only supports user names and passwords, and sometimes the developers will add MFA if their customers ask enough. In short, we as bankers will need to support passwords for a long time. And this leads us to our second question… ”How long should a password be?”
With the recent publication of the FFIEC Access and Authentication guidance, we are asking more questions during risk assessments about password length and complexity. When we ask system owners what the minimal password length of their systems is, the most common responses are “I’m not sure”; “I’ll need to get back to you on that”; or “We have no control over the password length”. When we do finally get the answer, the required minimum length is often 8. Is an 8-character password enough?
Every year, hackers are able to take advantage of faster computing power to guess passwords more rapidly. In general, a hacker will be able to crack an 8-character complex password today in less than an hour once they have access to a password hash. Because of this, we do not consider an 8-character password to be adequate any longer unless it is combined with MFA or other controls to mitigate the risk.
We recommend that critical systems use a minimum password length of 14 or more. Because it becomes harder to remember these longer passwords, we also highly recommend the usage of a secure password vault so that users do not need to memorize them. We also recommend that users be trained to allow the password vault to randomly generate passwords so that they are complex.
But what about vendors who do not support longer password lengths? This is a problem that all institutions face today as they attempt to slow down hackers. Until the software makers support requiring longer passwords, institutions can implement policies requiring their users to choose passwords longer than the programmed minimum and hope that the users comply. But it is up to the institutions to continuously demand that their vendors provide the capability to enforce more secure password lengths and complexity.
If your institution needs help in assessing password standards, please contact Bedel Security. We work with institutions every day to holistically assess their access and authentication environment! Shoot us an email at support@bedelsecurity.com.
Additional Resources
Extending Security Controls Beyond the Office
https://www.bedelsecurity.com/blog/extending-security-controls-beyond-the-office
What is Credential Stuffing?
https://www.bedelsecurity.com/blog/what-is-credential-stuffing
How to Use Password Managers Safely
https://www.bedelsecurity.com/blog/how-to-use-password-managers-safely