In this article, we will discuss some “uncommon” password policy best practices that many companies do not follow. They are collected from the penetration testing assessments I have conducted over the years.
Let’s take the following scenario:
- We have a company named “Hooli”
- We assign the same default password to every new hire, to be used for their first login to all of our systems
- This password is: “Hooli@123” (it satisfies the most common password policy: minimum 8 characters, one symbol, one digit, and one uppercase letter)
- After the users log in with this password, what are the chances that they choose a similar one, such as “Hooli@1234”? (some of them are just lazy, right?)
- Answer: very high, in my experience.
To prevent this scenario, do the following:
- If you really want to set default passwords for newly onboarded accounts, create a different one for each account with a random generator
- Through the password policy, deny any password that contains the company’s name, its brand names, or derivatives of them (different casing, digits or symbols substituted for letters, the name split by separators). For the above scenario the list would start with “Hooli” itself and its variants,
and so on
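As an added example (not code from the original article), the Python below implements the two recommendations above: a random initial password generated per account, and a policy filter that rejects passwords containing the company’s brand names or disguised variants of them. It also implements the common minimum-8/uppercase/digit/symbol policy from the scenario, so you can see that “Hooli@123” passes that policy and is only caught by the brand check. The company name “Hooli”, the blocklist and the leetspeak substitution table are assumptions made for this scenario; a real deployment would load its own brand list.

```python
import re
import secrets
import string

# Constructed blocklist for the hypothetical "Hooli" scenario. In practice this
# holds the company name, product and brand names, common abbreviations, etc.
BRAND_TERMS = ["hooli"]

# Common letter-for-symbol substitutions seen in "Hooli@123"-style passwords.
# The table is an assumption; extend it to the substitutions you see in practice.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "@": "a",
    "$": "s", "5": "s", "7": "t", "|": "l",
})


def normalize(password: str) -> str:
    """Lower-case the password and undo leetspeak so 'H00l1' becomes 'hooli'."""
    return password.lower().translate(LEET_MAP)


def contains_brand_term(password: str, terms=BRAND_TERMS) -> bool:
    """True if a blocked term appears in the password, directly, with leetspeak,
    split by separators ('Ho-oli'), or reversed ('ilooH')."""
    norm = normalize(password)
    stripped = re.sub(r"[^a-z0-9]", "", norm)  # drop separators like '-' or '_'
    for term in terms:
        if term in norm or term in stripped or term[::-1] in stripped:
            return True
    return False


def meets_common_policy(password: str) -> bool:
    """The 'most common' policy: 8+ chars, one uppercase, one digit, one symbol."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def check_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if not meets_common_policy(password):
        problems.append("complexity")
    if contains_brand_term(password):
        problems.append("brand")
    return problems


def generate_initial_password(length: int = 16) -> str:
    """Per-account initial password from a CSPRNG; regenerated until it passes
    the same checks we impose on users (a brand-term collision is possible,
    just astronomically unlikely)."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["Hooli@123", "Hooli@1234", "H00l1_2024!", "ilooH@123", "Correct-Horse-Battery-2024"]:
        print(f"{pw!r}: common policy ok={meets_common_policy(pw)}, violations={check_password(pw)}")
    print("initial password:", generate_initial_password())
```

Note that the substitution table is one-to-one, so “1” is mapped to “i” but not to “l”; if your brand names contain an “l”, consider checking both mappings. The reversal check is cheap and catches the “ilooH” trick that sometimes appears in cracked password lists.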
If you have no password policy in place, then you are vulnerable.
If you have the most common password policy in place, then you are less vulnerable, but it is still an issue.
Which is the “most common password policy”?
- Minimum 8 characters
- Minimum one uppercase character
- Minimum one digit
- Minimum one symbol
That’s good, but let me enumerate some passwords that are more common than you would like, and that this policy accepts. 🤠