Why Businesses Should Reconsider Their Enterprise Password Policies

Many business password managers offer the capability to apply enterprise password policies. This capability allows administrators to stipulate the minimum length and complexity of a password being generated for a new account. However, many businesses underestimate the length and complexity required, and allow users to create new passwords that can easily be cracked.

In 2017, the business consulting company Protiviti demonstrated how it was possible to build a computer for less than $5,000 that could crack any 8-character password using a brute force attack within four days. This was regardless of the letters, numbers, and special characters used and the randomness of the characters. For the record, any 8-character password consisting of just letters (with any mix of upper and lowercase) could be cracked within seven minutes.

Two years later, the hacker “@TinkerSec” combined eight 2080 GPUs to create a new benchmark for cracking 8-character passwords – just 2½ hours regardless of the complexity! At the time, he claimed passwords that used a common schema such as a name with the first letter capitalized and followed by a number (e.g., JohnD123) could be cracked instantly. Because of the availability of 2080 GPUs in the cloud, there was no build cost – the GPUs were rented per hour “on demand”.

Now, Hive Systems has released a 2022 update to its “Password Table” which indicates that any 8-character password consisting of upper and lowercase letters, numbers, and symbols can be cracked in 39 minutes. The company attributes the “reduced time to crack” to improved processing power available in latest generation GPUs and used a p4d.24xlarge instance from Amazon Web Services to run its 2022 password tests – costing just $32.77 per hour.


[Figure: How Long Does it Take a Hacker to Brute Force a Password in 2022. Source: Hive Systems.]

Many Businesses Believe 8 Characters is Enough

If your business operates a password policy with a minimum requirement of 8 characters, you are not alone. Many well-known businesses – such as Netflix, Microsoft, and Bank of America – have similar requirements for customers; and although the IRS recommends the use of 2-Factor Authentication to add an extra layer of protection to accounts, it too only requires tax professionals filing on their clients’ behalf to use an 8-character password.

One of the reasons for the 8-character requirement is that, in June 2017, the National Institute of Standards and Technology (NIST) published Special Publication 800-63B. This document lists the technical requirements for federal agencies using digital identity services (i.e., logins to online services), and in its digital identity guidelines it states that “Memorized secrets [passwords] SHALL be at least 8 characters in length if chosen by the subscriber.”

At the time, the NIST guidelines were widely adopted as a standard among the security industry. After all, if 8 characters is good enough for federal agencies, then it should be good enough for everyone else. However – as mentioned previously – in 2017 it took up to four days to crack an 8-character password, whereas now it takes a maximum of 39 minutes; and, if the password uses a common schema, it probably takes much less time.

So, How Many Characters is Enough for a Password in 2022?

Most experts agree that length rather than complexity is the most important factor in password creation, and many (including NIST) recommend the use of a passphrase – rather than a password – consisting of four or more unrelated words (e.g., “defame-curve-yarn-tumbling”). However, not all online services support passwords or passphrases beyond a certain length – for example, the maximum number of characters you can use to create a PayPal account is twenty characters.
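To make the length-versus-complexity argument concrete, here is an added example (not code from the article or from Hive Systems) that calibrates a simple exhaustive-search model to the 39-minute figure quoted above and extrapolates it to other lengths and alphabets. It assumes an attacker who can test every candidate at a constant rate, which is the worst case a crack-time table describes.

```python
import math

# Alphabet sizes used in password tables; 95 is all printable ASCII characters.
LOWER, MIXED, MIXED_DIGITS, ALL_PRINTABLE = 26, 52, 62, 95
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Calibration point taken from the article: the quoted p4d.24xlarge exhausts every
# 8-character password over all 95 printable characters in 39 minutes.
CALIBRATION = {"length": 8, "alphabet": ALL_PRINTABLE, "seconds": 39 * 60}

def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must try."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """log2 of the keyspace: each added character contributes log2(alphabet) bits."""
    return length * math.log2(alphabet_size)

def implied_guess_rate(calibration=CALIBRATION):
    """Guesses per second the hardware must sustain to hit the quoted 39 minutes."""
    return keyspace(calibration["alphabet"], calibration["length"]) / calibration["seconds"]

def worst_case_seconds(alphabet_size, length, rate=None):
    """Time to try every candidate at that rate; the average hit comes at half this."""
    rate = implied_guess_rate() if rate is None else rate
    return keyspace(alphabet_size, length) / rate

def humanize(seconds):
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"

def crack_table(lengths=(8, 10, 12, 16), alphabets=(LOWER, MIXED, MIXED_DIGITS, ALL_PRINTABLE)):
    """Worst-case crack time for every length/alphabet pair, keyed by (length, alphabet)."""
    return {(n, a): worst_case_seconds(a, n) for n in lengths for a in alphabets}

if __name__ == "__main__":
    print(f"implied rate: {implied_guess_rate():.3e} guesses/s")
    for (n, a), secs in sorted(crack_table().items()):
        print(f"{n:2d} chars, alphabet {a:2d}: {entropy_bits(a, n):5.1f} bits, {humanize(secs)}")
```

With the article's calibration, a 12-character lowercase-only password outlasts an 8-character password drawn from all 95 characters, while a 10-character lowercase password does not, which is why the minimum length matters more than which character classes are mandated.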

In light of the constantly decreasing “time to crack”, several businesses and organizations have already reconsidered the minimum requirements in their enterprise password policies and added conditions to the construction of the password. For example, Harvard now insists on a minimum password length of 10 characters – with at least five unique characters – that doesn’t include any part of the user’s name, common words, repeated characters, or number sequences.

The Weill Medical College of Cornell University and the software company Twilio enforce an enterprise password policy with a minimum of 16 characters – with Twilio stipulating that passwords cannot contain three or more repeating (“AaA”) or sequential (“abc”) characters. Both organizations prohibit the re-use of passwords, stipulate a minimum number of characters that must be changed when a password is changed, and implement a lockout policy for failed login attempts.
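As an added example (not Harvard's or Twilio's code), the rules described in the two paragraphs above can be expressed as a policy checker. The three-letter threshold for name parts, the four-character rotation minimum, the difflib-based count of changed characters and the short common-word list are assumptions made for this illustration.

```python
import difflib
import re

# Constructed stand-in for a real common-word dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

def has_repeats(pw, run=3):
    """Three or more of the same character in a row, case-insensitive ("AaA")."""
    low = pw.lower()
    return any(len(set(low[i:i + run])) == 1 for i in range(len(low) - run + 1))

def has_sequence(pw, run=3):
    """Three or more characters stepping by +1 or -1 in code-point order ("abc", "321")."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def contains_name_part(pw, full_name, min_part=3):
    """True if any name token of min_part or more letters appears inside the password."""
    parts = re.split(r"[^a-z]+", full_name.lower())
    return any(len(p) >= min_part and p in pw.lower() for p in parts)

def characters_changed(old, new):
    """Characters of the new password not carried over from the old one (difflib estimate)."""
    blocks = difflib.SequenceMatcher(None, old, new).get_matching_blocks()
    return len(new) - sum(b.size for b in blocks)

def violations(pw, full_name="", previous=(), min_length=16, min_unique=5, min_changed=4):
    """Policy rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(set(pw)) < min_unique:
        problems.append(f"fewer than {min_unique} unique characters")
    if has_repeats(pw):
        problems.append("three or more repeated characters")
    if has_sequence(pw):
        problems.append("three or more sequential characters")
    if contains_name_part(pw, full_name):
        problems.append("contains part of the user's name")
    if any(w in pw.lower() for w in COMMON_WORDS):
        problems.append("contains a common word")
    if pw in previous:
        problems.append("reused a previous password")
    elif previous and characters_changed(previous[-1], pw) < min_changed:
        problems.append(f"fewer than {min_changed} characters changed")
    return problems
```

Note that the sequential-character rule as written also rejects the article's passphrase example because of the run “def”, so a policy that welcomes passphrases needs that rule tuned (for example, limited to digits) rather than copied verbatim.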

Enforcing Enterprise Password Policies

In conclusion, it is clear that businesses still requiring users to create a password with a minimum of 8 characters should reconsider their enterprise policies. Harvard, Weill Medical College, and Twilio can enforce minimum password requirements on users who create accounts with their own online services; but how can these organizations ensure that users create strong, unique passwords of at least sixteen characters when registering for an account elsewhere on behalf of the organization?

The answer is by using the policy capabilities of a password manager such as Bitwarden – the leading open-source password manager for businesses. Bitwarden’s policy engine enables administrators to apply parameters to its password generator tool, so that only passwords that match or exceed the parameters are created and saved in users’ vaults. The policy engine can also be used to enforce Two-Step Login, to restrict user access to shared passwords, and to require SSO login.

Once the policies have been applied, administrators can then run “Vault Health Reports” on corporate passwords to identify any that do not comply with enterprise password policies. It is also a good idea to encourage users to run the same reports on their personal login credentials: a compromised personal account can give an attacker remote command and control of the user’s device, from which the attacker can move laterally through the corporate network to reach supposedly protected information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.