Organizations MUST have a Strong Password Policy


Debasish Pramanik discusses the Sony and LinkedIn data breaches and the best password policies for end users and development professionals.


In recent news, on 18 May 2016, LinkedIn lost 167 million account credentials in a data breach. Afterwards, LinkedIn’s CEO published a blog post saying:

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.

Though LinkedIn has taken measures to contain the breach, the damage has been done, and many users were compromised by it. A survey by an IT firm in 2015 found that 67 percent of organizations have a password policy or standard, which indicates that organizations have started treating password management as a key area of security. The password is a central aspect of enterprise security, and enforcing stringent password policy rules should be the standard for every organization in the world.

A password is no longer just an MD5/SHA1/SHA256 value stored in a database; there is more to it than that. It is very important for an organization to understand the various aspects of a password. The following aspects need to be considered seriously:

  1. Length

  2. Complexity

  3. Expiration

  4. Strength


The length of the password is one of its most important attributes. Against a brute-force approach, the longer the password, the more time it takes to determine it. It is therefore important for an organization to enforce a minimum password length, which ensures that all employees within the organization are forced to set longer passwords. According to the NIST Guide to Enterprise Password Management, increasing the length of a password from 4 to 12 characters, given a character set of 26 characters, increases the number of possible combinations by a factor of about 200 billion.

According to the NIST draft paper, the keyspace is the total number of possible values that a key, such as a password, can have. For example, a four-digit PIN could have any of 10 different values (0 through 9) for each of its four characters, so the keyspace would be 10^4, or 10,000 (i.e., 0000 through 9999).

In the case of the Sony data breach in 2011, analysis of the hacked users’ passwords found that more than 50 percent of users had passwords shorter than eight characters.


The complexity of a password is defined by the different types of characters it uses. The character types could be:

  1. Upper case

  2. Lower case

  3. Special characters ( ~!@#$%^&*()_+|}{][":';?><,./ )

  4. Numbers

As part of the organization’s policy, the administrator can require passwords to consist of the character types described above. The administrator can mandate that:

  1. The password must contain at least one upper-case letter.

  2. The password must contain at least one number.

  3. The password must contain at least one of the special characters.

Apart from the above rules, the administrator can add further rules to increase the complexity:

  1. The user’s first name or last name must not be part of the password.

  2. The organization name must not be part of the password.

  3. Common words, or words that can be guessed easily, are blacklisted.

  4. The previous N passwords cannot be reused as the new password.

Such complex rules do make setting a password a tough task for the end user, but they also reduce the risk of the password being cracked by attackers.

Returning to the Sony breach example, only four percent of users had three different types of characters in their password.
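As an added illustration of the length and complexity rules above (example code, not from the article), the check below enforces a minimum length, the three character-type requirements, the first-name/last-name/organization/blacklist exclusions, and a last-N-passwords reuse check run against stored hashes rather than plaintext. The 12-character minimum, the five-password history and the PBKDF2 hashing of the stored history are assumptions; the article only says passwords are hashed and salted.

```python
import hashlib
import hmac
import os

SPECIALS = "~!@#$%^&*()_+|}{][\":';?><,./"  # the article's special-character list
PBKDF2_ROUNDS = 100_000  # assumed work factor; the article only says "hashed and salted"
CLASS_TESTS = {"upper": str.isupper, "lower": str.islower,
               "digit": str.isdigit, "special": SPECIALS.__contains__}

def char_classes(pw):
    """Set of character types present in pw: upper, lower, digit, special."""
    return {name for name, test in CLASS_TESTS.items() if any(test(ch) for ch in pw)}

def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history check stores these, never plaintext."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def same_password(pw, stored):
    """Constant-time comparison of a candidate against a stored salt+digest."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def check_policy(pw, *, first_name="", last_name="", org_name="", blacklist=(),
                 history=(), min_length=12, keep_last=5):
    """Return the rules the candidate violates; an empty list means it is accepted."""
    violations = []
    if len(pw) < min_length:
        violations.append(f"shorter than {min_length} characters")
    classes = char_classes(pw)
    for cls, label in (("upper", "an upper-case letter"), ("digit", "a number"),
                       ("special", "a special character")):
        if cls not in classes:
            violations.append(f"missing {label}")
    lowered = pw.lower()
    for word in (first_name, last_name, org_name, *blacklist):
        if word and word.lower() in lowered:
            violations.append(f"contains '{word}'")
    # Reuse is checked against the last N stored hashes, not a plaintext history.
    if any(same_password(pw, old) for old in history[-keep_last:]):
        violations.append(f"reuses one of the last {keep_last} passwords")
    return violations

if __name__ == "__main__":
    previous = [hash_password("Winter2015!Secure")]  # constructed history entry
    print(check_policy("acme2016", first_name="Ada", org_name="Acme", history=previous))
```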


One of the common best practices that IT security teams apply to passwords is a password expiration interval, and most organizations follow it. Typically 30 or 45 days is chosen as the maximum age of a password, and users are forced to change their password at the end of that period.

The basis of the rule is to ensure that if an attacker has obtained a user’s password by some means, the user will have changed it by the time the attacker tries to use it. This relies on the assumption that an attacker typically does not use a stolen password immediately to break into the user’s account, an assumption drawn from a series of such hacks in the past.

Considering the technologies available today, that assumption may no longer hold true: attackers try to use the password immediately to cause damage and may not wait for days as before. Nevertheless, it is good to have an expiration policy to ensure the user doesn’t keep the same password forever.


Password strength is a score given to a user’s password based on various parameters describing how the password is formed; in other words, how difficult it would be for an attacker to guess or retrieve the password through a brute-force approach. According to Wikipedia, the following parameters can be used to calculate password strength:

  • Complexity of Password

  • Length of Password

  • Unpredictability

Some of the findings from the analysis of 37,608 user passwords from the Sony breach, on the basis of length, character types, randomness and uniqueness, are as follows:

  1. 93 percent of passwords were between six and 10 characters long, which is fairly predictable, and 50 percent of these were shorter than eight characters.

  2. Four percent of passwords had three or more character types.

  3. Half of the passwords had only one character type, and nine out of ten of those were all lowercase.

  4. Less than one percent of passwords contained a non-alphanumeric character.

  5. One third of passwords conformed to a relatively predictable pattern.
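To make findings like these reproducible, here is an added audit script (not from the article) that computes the same kind of statistics over a constructed sample corpus and estimates each password’s brute-force keyspace from the character types it uses, following the NIST keyspace definition given earlier. The sample passwords and the keyspace model (alphabet size is the sum of the sizes of the character classes present) are assumptions.

```python
import math

SPECIALS = "~!@#$%^&*()_+|}{][\":';?><,./"  # the article's special-character list
# (class name, membership test, alphabet size) for the four character types the article names
CHAR_CLASSES = (("upper", str.isupper, 26), ("lower", str.islower, 26),
                ("digit", str.isdigit, 10), ("special", SPECIALS.__contains__, len(SPECIALS)))

def classes_used(pw):
    """Names and alphabet sizes of the character classes that appear in pw."""
    return [(name, size) for name, test, size in CHAR_CLASSES if any(test(c) for c in pw)]

def keyspace(pw):
    """Brute-force keyspace implied by pw: alphabet ** length, alphabet = sum of classes used."""
    alphabet = sum(size for _, size in classes_used(pw))
    return alphabet ** len(pw)

def keyspace_bits(pw):
    """The same keyspace expressed in bits (log2); 0.0 for an empty password."""
    k = keyspace(pw)
    return math.log2(k) if k > 1 else 0.0

def audit(passwords):
    """Breach-style statistics (percentages) over a list of plaintext passwords."""
    n = len(passwords)
    pct = lambda count: round(100.0 * count / n, 1)
    lengths = [len(p) for p in passwords]
    n_classes = [len(classes_used(p)) for p in passwords]
    single = [p for p, k in zip(passwords, n_classes) if k == 1]
    return {
        "six_to_ten_chars": pct(sum(6 <= l <= 10 for l in lengths)),
        "under_eight_chars": pct(sum(l < 8 for l in lengths)),
        "three_plus_classes": pct(sum(k >= 3 for k in n_classes)),
        "single_class": pct(len(single)),
        # share of the single-class passwords (not of all passwords) that are pure lowercase
        "single_class_all_lower": round(100.0 * sum(p.islower() for p in single) / max(len(single), 1), 1),
        "non_alphanumeric": pct(sum(any(c in SPECIALS for c in p) for p in passwords)),
        "weakest": min(passwords, key=keyspace_bits),
    }

# Constructed sample corpus (not taken from the Sony dump) to exercise the audit.
SAMPLE = ["sunshine", "password1", "qwerty", "123456", "letmein",
          "Monkey99", "football", "Tr0ub4dor&3", "iloveyou", "abc123"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```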


Published at DZone with permission of Debasish Pramanik. See the original article here.
