top of page

Best Practices: A New Approach to Password Security

The first recorded use of a digital password can be traced back to the Compatible Time-Sharing System (CTSS) developed at the Massachusetts Institute of Technology (MIT) in the mid-1960s; it was an early operating system for IBM's 7094 mainframe computer, allowing multiple users to access the computer simultaneously through remote terminals. CTSS introduced the concept of a "password" to secure user accounts and prevent unauthorized access to the system. Users were required to enter a password to log into their accounts and access the computer's resources. This marked one of the earliest instances of using passwords in a digital context. Today, we are surrounded by passwords that we use daily for pretty much everything, and a recent study found that on average, a person has about 100 passwords.


Traditional approaches to passwords in an enterprise environment involved implementing a set of password policies and practices to ensure security and access control for employees and users. While these practices may vary from one organization to another, they generally encompass elements like complexity and minimum length requirements, expiry and rotation, account lockouts, as well as history and reuse Restrictions.

However, while this approach is meant to enhance security, it also comes with limitations and challenges. Traditional password policies often require users to create complex passwords that include a mix of uppercase letters, lowercase letters, numbers, and special characters, usually associated to mandatory regular password changes(e.g., every 90 days), aims to reduce the risk of password compromise. However, it can lead to users choosing weaker passwords or making minor modifications to their existing passwords, which might be easier for attackers to guess. Plus, users tend to reuse passwords across multiple accounts and systems so if one password becomes compromised, it can lead to security breaches in many other systems.

The use of strict aggressive account lockout settings (e.g., after a small number of failed login attempts) can lead to users being locked out of their accounts due to simple mistakes or typographical errors, which in turn, translated into an increase of help desk calls and support overhead, adding to the global administrative burden.

Additionally, traditional password-based authentication is susceptible to various attacks, including brute force attacks, dictionary attacks, and phishing and attackers can use automated tools to systematically guess passwords or trick users into revealing their credentials.

Password recovery is also a concern, as traditional password-based systems often rely on password recovery mechanisms, like email, SMS or phone verification, that can themselves be vulnerable to attacks or social engineering, including phishing, SIM swapping, stolen devices, compromised accounts, weak security questions and trust in fraudulent messages.

As technology and security threats evolve, organizations are increasingly exploring alternative authentication methods and approaches, to strike a balance between security and user convenience.

New NIST Approach

The National Institute of Standards and Technology (NIST), a U.S. government agency that develops standards and guidelines to promote technology, cybersecurity, and innovation across various industries, provides guidelines for digital identity authentication in its Special Publication 800-63-3, one of the key areas covering password requirements.

While these guidelines might have been updated since then, they still provide directions and Best Practices as to how password security approach should be reviewed and adapted to the current time.

NIST SP 800-63-3 offers a user-centric approach to password security, suggesting a minimum password length of 8 characters and discouraging arbitrary complexity rules, but instead, use all ASCII characters, including spaces, as well as emphasize screening against commonly used passwords and dictionary words. Importantly, frequent password changes should be avoided, as this practice can lead to weaker passwords. Use of longer, easy-to-remember passphrases, enabling users to create strong but memorable credentials, should be promoted.

Also, user education is vital, encouraging individuals to understand the importance of password security to mitigate account lockouts, advising implementing delayed responses to failed login attempts and CAPTCHAs. In terms of storage, secure hashing and salting techniques are recommended to protect stored passwords from breaches. Overall, it aims to balance security and usability, moving away from strict complexity rules while addressing challenges like password reuse, social engineering, and brute-force attacks in modern authentication landscapes.

Extra Layer of Security

Password can be used in combination with other authentication method like Multi-Factor Authentication (MFA), a security method that requires users to provide two or more different authentication factors before granting access to a system. This typically includes something the user knows (password), something the user has (security token), or something the user is (biometric data).

Department of Defense Instruction 8520.03 (DODI 8520.03), released in May 2023 delineates authentication requirements for all DOD entities. Despite scenarios where single-factor authentication such as username and password are allowed, the directive states a preference for MFA even when single factor authentication is permitted.

Common authentication factors typically include tokens sent received via SMS or phone call, Push notifications sent to a trust mobile device via an Authenticator app, and One-Time Password (OTP) tokens, either software or hardware generated. DOD1 8520.03 defines three authentication factors as something the entity knows, something the entity has and something the entity is.

But Multi-Factor Authentication (MFA) also has its drawbacks, that include user complexity during setup and use, dependency on devices that can be lost or compromised, potential cost for implementation and maintenance, a potentially slower user experience, susceptibility to phishing attacks tricking users, and a single point of failure if one factor is compromised.

Risk-Based Authentication (RBA) is another security approach that assesses various factors, such as user behavior, device information, and contextual data, to determine the level of authentication required and, by analyzing risk factors, adapt the authentication process, allowing seamless access for low-risk scenarios and applying more stringent measures for high-risk situations, enhancing security while maintaining user convenience. DODI 8510.01 for example establishes a procedure that DOD entities must follow in categorizing information and its associated level or risk. DODI 8520.03 takes this one step further in establishing minimum authentication requirements based on Low, Moderate or High risk information. It is a valuable complement to Single Sign-On (SSO) services and Zero-Trust Architecture (ZTA), a cybersecurity strategy that requires strict and continuous authentication of both people and devices when trying to access resources on a private network, either locally (on-premises) or in the cloud.

Beyond Passwords…

Passwordless authentication mechanisms have gained popularity as alternatives to traditional password-based authentication due to their enhanced security and user convenience, offering stronger security, reduced password-related risks (like phishing), enhanced user experience, and streamlined access through biometrics, tokens, or device-based methods. According to Microsoft, “No passwords, are good passwords”.

Biometric Authentication

Biometric authentication is a secure method of verifying an individual's identity using unique physiological or behavioral characteristics, such as fingerprints or facial features. These distinct traits are captured and compared against stored templates to grant or deny access, providing a highly personalized and convenient form of user authentication in various applications, from smartphones to secure facilities.

Biometric authentication on Apple devices.

Multi-Factor Authentication (MFA) without Password

Multi-Factor Authentication (MFA) without passwords is a security method that combines multiple independent verification factors, such as biometrics, tokens, or push notifications, to confirm a user's identity. By eliminating sole reliance on passwords, MFA enhances security, reduces vulnerability to attacks, and provides a more robust and user-friendly authentication process across various systems and applications.

Passwordless sign-in with Microsoft Authenticator.

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a framework that manages digital certificates and cryptographic keys. It enables secure communication, authentication, and data integrity in digital environments using a hierarchy of Certificate Authorities (CAs) to issue and manage certificates, which contain public keys and identity information. Digital certificates can be stored on various types of devices and platforms, both physical and virtual, including smart cards, USB tokens, software tokens, Hardware Security Modules (HSMs), mobile devices, key vaults, and Operating System (OS) key stores.

Mobile Device-Based Authentication

Mobile Device-Based Authentication employs smartphones or tablets to verify user identity. This approach often utilizes biometric data like fingerprints or facial recognition, mobile apps for authentication approval, or push notifications to enhance security and streamline access processes, providing a user-friendly and secure method for confirming identity and granting access to various services and systems.

External Security Keys

External security keys, also known as hardware security keys or security tokens, are physical devices used for authentication and secure access control. These keys are typically small, portable devices that connect to a computer or mobile device via USB, Near Field Communication (NFC), or Bluetooth. They store cryptographic keys and generate one-time passwords, helping to strengthen authentication processes and protect against various cyber threats, such as phishing and credential theft. External security keys provide an extra layer of security beyond traditional passwords and are often used in Multi-factor Authentication (MFA) setups.

Examples of external security keys.


FIDO2 passkeys are a type of authentication method based on the Fast Identity Online 2 (FIDO2) standard. They involve using cryptographic keys, typically stored on a hardware device like a security key or a smartphone, for secure authentication. FIDO2 passkeys can be used as an alternative to traditional passwords, providing stronger security by eliminating the need to share or store passwords on servers. They enhance user experience and reduce the risk of phishing and credential theft.

It's important to note that different organizations might choose to implement a combination of these methods to suit their security requirements and user preferences. Additionally, while passwordless authentication methods offer benefits, it's crucial to carefully assess the security and usability implications before implementing any specific solution.

Passkey used for authentication, instead of a traditional password.

ISEC7 is at the forefront of cybersecurity and has long worked with organizations to ensure their ecosystems are protected and their security posture is as strong as possible. If you have any questions about updating your password strategies, deploying a Zero Trust Architecture (ZTA) or improving your organization’s security posture in general, the team at ISEC7 can complete a security assessment and help you navigate the options available to you, as well as help you leverage your existing solutions to their fullest capability. Based on our experiences across organizations large and small with unique security demands and stringent requirements, we can confidently match you and your organization with the right solution.


bottom of page