Reducing password frustration guideline
Purpose
Password frustration refers to the dissatisfaction and challenges experienced by users when managing multiple usernames and passwords. This is particularly the case when users are required to create complex passwords, remember numerous credentials, or change them frequently. This frustration often leads to insecure behaviours such as reusing passwords, creating weak passwords, or storing them improperly.
This guideline aims to address these issues by reducing password frustration while enhancing overall security and usability. It provides practical recommendations based on modern authentication standards, including the latest guidance from the National Institute of Standards and Technology (NIST) on Digital Identity and other industry references.
Advice
Adopt passwordless authentication methods
Passwordless authentication, such as security keys, Windows Hello for Business, and certificates, eliminates dependency on a long password for security, and instead uses either a biometric or shorter password in conjunction with a cryptographic device/software.
The transition to passwordless authentication presents advantages for organisations, particularly in terms of bolstering security and enhancing user acceptance. One advantage of passwordless authentication is its inherent resistance to phishing attacks. Traditional password-based systems are often vulnerable to such attacks, with users inadvertently divulging their credentials. However, in a passwordless framework, this risk is substantially mitigated as there are no passwords to be compromised.
Passwordless authentication tends to be more favourably received by users. The elimination of the need to remember and manage an array of complex passwords not only simplifies the user experience but also reduces the resources expended on password recovery and resets.
Implement single sign on
Leverage single sign on capabilities, such as SAML or OpenID Connect, to reduce the number of credentials that a user needs to maintain. This has additional advantages of:
- allowing entities to specify the credential types that users can use.
- being able to disable access to cloud applications centrally when a user no longer has a business requirement to access them.
Note: For this to be effective, implementers should consider if applications have other entry mechanisms such as long-lived sessions in mobile applications.
Requiring users to have multiple passwords also runs the risk that users will reuse the same password across multiple services, increasing the risk to all services if a single service has been compromised.
Limit re-authentication requirements
Over-authentication can lead to users becoming less attentive to the authentication process. This lack of attention can increase their vulnerability to phishing, where they may inadvertently provide their authentication details to a malicious site.
Modern methods, such as “risk based access control” can assist in reducing reauthentication requirements by analysing user behaviour, location, device security posture, and other contextual factors. Risk-based authentication systems can make intelligent decisions about when to request additional authentication. Rather than applying blanket policies that require frequent re-authentication and thus contribute to user fatigue, risk-based controls tailor the need for additional verification to situations where there is an actual indication of risk.
Consider a practical scenario. A user is accessing Office365 using Windows Hello for Business, a multi-factor authentication method, on a managed device. In this case, requiring the user to re-authenticate every day to Office365 may not add significant value. Instead, it could lead to user fatigue and a casual attitude towards the authentication process. This could potentially decrease the overall security, contrary to the intended purpose of enhancing it.
Don’t force arbitrary password expiry
Frequent resets of passwords are a significant contributor to poor password management practices, most commonly by encouraging users to write down their passwords to remember them, choosing simple passwords and trivial patterns. Almost all leading approaches to password management recommend against setting a forced password expiry.
Most password resets made by users include trivial changes such as incrementing a number at the end of the password by one or using some other simple formula or pattern to modify the existing password and are therefore easily guessed by malicious actors, who may have the previous password, within a few attempts.
Passwords should be reset immediately if:
- they are compromised, or suspected of being compromised
- they have been shared
- they are transmitted over a network without encryption.
Instead, a robust authentication policy which promotes the use of multifactor authentication where possible and requires passwords which are resistant to on-line and off-line brute force attack, should be adopted.
Promote passphrases over passwords
Traditional thinking around passwords has been that a good password requires a level of complexity, including upper- and lower-case letters, numerals and punctuation marks. However, in practice this has led to users adopting practices which ultimately lead to weaker passwords.
Common behaviours include:
- always having an exclamation mark at the end
- using a consistent password, with a number which is incremented each time the password is changed.
Current thinking, which is becoming more widely accepted is that educating users to use passphrases made from multiple unrelated words without requiring different character types is significantly better as it supports creating longer and more memorable passwords.
Educate users
To promote better password hygiene, it's important to educate users on good practices related to password management. The following points should be emphasised to all users:
- adoption of passphrases: reinforce the shift from complex passwords to the use of passphrases, consisting of a string of unrelated words, to enhance memorability and strength against attacks
- effective use of password managers: guide users towards the secure usage of password managers for creating and storing unique passwords and provide guidance on selecting an appropriate password manager that aligns with organisational standards
- multifactor authentication (MFA): emphasise the critical role of MFA in securing accounts by explaining the various MFA methods available and their respective resistance levels to phishing attempts.
Educate users not only on the 'how' of these practices but also the 'why,' as understanding the rationale behind security measures can lead to broader acceptance and compliance. Consider highlighting how these support users personal use of technology as well as in work environments, as this will increase their overall cyber resilience.
Password Policy
The following password policy is suggested as a starting point, entities should undertake a risk assessment and determine a policy based on their own requirements.
| Setting | Value |
|---|---|
| Length | Min (1FA): 14 Min (always used with MFA): 6 Max: Optional, Not less than 64 |
| Complexity | No |
| Expiry | No |
| Deny-lists for common passwords | Yes |
| Lockouts | On (5-10 attempts) |
| Password History | 12 |
Table 1: Suggested password policy
Note: Some obligations, such as Payment Card Industry Data Security Standards (PCI DSS) or to meet National Security requirements, may require stricter settings than above.
General advice
DO
- Undertake a risk assessment to determine password policy. Security needs to balance confidentiality, integrity and availability of systems. Password complexity is only one control of many.
- Make your password policies as user friendly as possible.
- Let people choose freely and encourage longer phrases instead of hard-to-remember passwords or deceptively complex passwords such as ‘qu33ns!and’.
- Explain to users as to ‘why’ when chosen passwords are rejected (e.g., when it appears on a “blacklist” of unacceptable passwords or has been used previously). Advise users that they need to select a different secret because their previous choice was commonly used.
- Implement account lockouts after unsuccessful attempts to protect against password brute forcing.
- Use tools and techniques to support user password management, such as agency approved password managers (noting Browser native password managers are discouraged by Australian Cyber Security Centre (ACSC) and single sign on.
- Use multi-factor authentication (MFA) wherever possible, particularly for high value activities, for example remote access and administrative consoles.
- Determine requirements based on risk. Increased system privilege should equate to increased minimum password length.
- If a maximum password length is required, allow a password maximum length of not less than 64 characters.
- Ensure that applications allow all printable American Standard Code for Information Interchange(ASCII) characters, including spaces, and should accept all UNICODE characters, too, including emoji.
- Check new passwords against dictionaries of known-bad passwords, including common permutations of known-bad passwords
- Separate ‘day to day’ user accounts from accounts with elevated privilege, such as administrative accounts.
- As an agency, establish operational procedures to detect and respond to compromises or suspected password misuse.
DON’T
- Reuse passwords across multiple systems
- Reuse similar passwords over time
- Expire passwords without reason
- If you want users to choose long, unique and hard to guess passwords, that they don’t write down, don’t make them change them unless they’ve forgotten them, or you suspect the password has been compromised.
- Have design rules for passwords that are imposed on users.
- No more arbitrary password complexity requirements needing mixtures of upper-case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in poorer passwords.
- Allow applications to store passwords in clear text
- Passwords stored in databases or similar should be ‘salted’, hashed (with SHA-2, or SHA-3), and “stretched” with PBKDF2 (with at least 10,000 iterations), or BCrpyt (minimum cost 14)
- Allow password hints
- Allow Knowledge-based authentication (KBA)
- KBA is when a site says, “Pick from a list of questions – What’s your first pet’s name? What’s your favourite Netball team? – and tell us the answer in case we ever need to check that it’s correct.
Multifactor authentication is a combination of two or more authentication techniques:
- something you know (e.g. password)
- something you are (e.g. Biometric)
- something you have (e.g. an Authenticator device/app).
There are two implementation models:
- authenticating with two (or more) discrete authentication methods (e.g. password and authenticator app)
- biometric methods should not be used in this model as it would require a centralised repository of biometric identifiers and be prone to replay issues
- authenticating using an authenticator device/app which is unlocked by a PIN/biometric
- this approach supports moves towards passwordless authentication.
Note: MFA is not a panacea, modern phishing techniques have adapted to counteract many MFA methods, using methods such as MFA fatigue attacks (bombarding users with MFA prompts until they accept) and adversary in the middle/proxy based phishing attacks. Passwordless implementations based on FIDO2 or Certificate Based Authentication are more resistant to these types of methods as they bind the application requesting authentication in the authentication response.
| QGAF credential level * | Phishing resistance | Supports passwordless | Users mobile device | Requires mobile app | Requires physical device | Requires managed device | Can migrate to other devices | Comments | |
|---|---|---|---|---|---|---|---|---|---|
| FIDO2 – security keys | 3 | Phishing resistant | Yes | Yes | |||||
| FIDO2 – passkeys | 3 | Phishing resistant | Yes | Yes | Yes | Yes | Not bound to specific devices by consumer implementations | ||
| Certificate based Authentication | 3 | Phishing resistant | Yes | Yes | |||||
| Windows Hello for Business | 3 | Phishing resistant | Yes | Yes | |||||
| Authenticator ppp – challenge & response | 2 | Good | Yes | Yes | Yes | ||||
| Authenticator app – application code | 2 | Standard | Yes | Yes | Users can choose between a number of apps | ||||
| Hardware authentication device (OATH OTP) | 2 | Standard | Yes | Yes | |||||
| Phone based - SMS | 2 | Standard | Susceptible to SIM Hijack | ||||||
| Authenticator app – notification | 2 | Weak | Yes | Yes | |||||
| Phone based - phone call | 2 | Weak | Yes | Susceptible to SIM Hijack |
Table 2: MFA options and strengths
* When used in line with QGAF guidance
The ratings above are based on the following scale;
| Phishing Resistance | |
|---|---|
| Phishing resistant | Authentication protocol binds the authentication token to the site requesting the authentication. (WebAuthN/Certificate Based Authentication) |
| Good | Requires 3-way interaction between server, authenticator and application |
| Standard | MFA susceptible to adversary-in-the-middle/proxy based phishing attacks |
| Weak | Susceptible to MFA fatigue attacks (bombarding users with MFA prompts until they accept one) |
Table 3: Phishing resistance levels
| Microsoft1 | ACSC ISM for PROTECTED and below2 | UK NCSC3 | US NIST44 | |
|---|---|---|---|---|
| MFA | Yes (for risky logins) | Yes (for all logins) | Yes | Yes |
| Length | 8 | 14 without MFA (Control 0421) 6 with MFA (Control 1559) | Not stated | 8 without MFA Allow at least 64 6 with MFA |
| Complexity | No | No; with MFA (Control 1559) No; without MFA (Control 0421) | No | No |
| Expiry | No | 12 months (Control 1590) | No | No |
| Deny-lists for common passwords | Yes | Yes | Yes | |
| Lockouts | Not stated | 5 attempts (Control 1403) | 5-10 | On |