Strong Password Policy is mandatory for Organisation

Debasish Pramanik | May 28th, 2016 | Articles

In recent news, on 18th May 2016 LinkedIn lost 167 million account credentials in a data breach. After that, LinkedIn’s CEO published a blog post saying:

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.


Though LinkedIn is taking measures to overcome the breach, the damage has been done, and many users will have been compromised because of it. A survey done by an IT firm in 2015 says that 67% of organisations have a password policy or standard. This clearly indicates that organisations have started treating password management as one of the key areas of security. The password is an important aspect of enterprise security, and enforcing stringent password policy rules should be the standard for every organisation in the world.

A password is no longer just an MD5/SHA1/SHA256 value stored in a database; it is more than that. It is very important for an organisation to understand the various aspects of a password. The following aspects need to be considered seriously:

  1. Length
  2. Complexity
  3. Expiration
  4. Strength


The length of the password is one of its most important attributes. From a brute-force perspective, the longer the password, the more time it takes to determine it. It is very important from an organisation’s perspective to enforce a minimum password length. This ensures all employees within the organisation are forced to set longer passwords. As per the NIST Guide to Enterprise Password Management, if we increase the length of the password from 4 to 12 characters, given a character set of 26 characters, the number of possible combinations increases by about 200 billion times.

According to the NIST draft paper, keyspace is the total number of possible values that a key, such as a password, can have. For example, a four-digit PIN could have any of 10 different values (0 through 9) for each of its four characters: the keyspace would be 10^4, or 10,000 (i.e., 0000 through 9999). The following table provides an insight into keyspaces for various password lengths.

Ref: NIST Draft Guideline for Enterprise Password Management
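The keyspace arithmetic above worked through in Python, as an added example (not code from the article or from NIST): the four-digit PIN, the 4-to-12 character comparison over a 26-letter alphabet, the equivalent strength in bits, and the worst-case time to exhaust each keyspace at an assumed guess rate of 10 billion per second (a constructed figure, not from the page).

```python
import math

def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet
    of `charset_size` symbols: charset_size ** length."""
    return charset_size ** length

def keyspace_ratio(charset_size: int, short_len: int, long_len: int) -> int:
    """How many times larger the keyspace becomes when the minimum
    length rises from short_len to long_len over the same alphabet."""
    return keyspace(charset_size, long_len) // keyspace(charset_size, short_len)

def entropy_bits(charset_size: int, length: int) -> float:
    """Equivalent key strength in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)

def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every value at the given guess rate."""
    seconds = keyspace(charset_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)

# Alphabet sizes for common character-class mixes (assumed, typical US keyboard)
ALPHABETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 95,
}

if __name__ == "__main__":
    print("4-digit PIN keyspace:", keyspace(10, 4))                      # 10000
    print("26-letter alphabet, 4 -> 12 chars, keyspace grows by:",
          keyspace_ratio(26, 4, 12))                                     # 26**8
    rate = 1e10  # constructed: 10 billion guesses/second offline cracking rig
    print(f"{'alphabet':34} {'len':>4} {'keyspace':>26} {'bits':>6} {'years':>10}")
    for name, size in ALPHABETS.items():
        for length in (4, 8, 12):
            print(f"{name:34} {length:>4} {keyspace(size, length):>26,} "
                  f"{entropy_bits(size, length):>6.1f} "
                  f"{years_to_exhaust(size, length, rate):>10.2e}")
```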

In the case of the Sony data breach in 2011, analysis of the hacked users’ passwords found that more than 50% of users had passwords shorter than 8 characters (


The complexity of a password is defined by the different types of characters used in it. The character types could be:

  1. Upper case
  2. Lower case
  3. Special Characters
  4. Numbers

The special characters consist of


As part of the organisation’s policy, the administrator can enforce that passwords consist of the character types described above. The administrator can mandate that:

  1. The password should have at least 1 upper case letter.
  2. The password should have at least 1 number.
  3. The password should have at least one of the special characters.

Apart from the above rules, the administrator can add further rules to increase the complexity:

  1. The user’s first name/last name should not be part of the password.
  2. The organisation name should not be part of the password.
  3. Blacklist common words or words that can be guessed easily.
  4. The previous N passwords cannot be reused as the new password.

Such complex rules do make setting a password a tough task for the end user, but they also reduce the risk of the password being cracked by hackers.

Returning to the Sony breach example, only 4% of users had 3 different types of characters in their password.
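The mandated character rules and the additional rules above, implemented as an added example in Python (not code from the article). The organisation name, the blacklist, the minimum length of 12 and the history depth of 5 are assumed values the article does not give; the previous-N rule compares salted PBKDF2 hashes so the history store never holds plaintext passwords.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Constructed organisation-specific values, not taken from the article
ORG_NAME = "examplecorp"
BLACKLIST = {"password", "welcome", "letmein", "qwerty", "123456"}
HISTORY_DEPTH = 5          # the "previous N passwords" rule with N = 5
MIN_LENGTH = 12            # assumed minimum length; the article gives no number
SPECIALS = set(string.punctuation)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 hash so the history store never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def seen_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any stored (salt, digest) pair."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)

def check_policy(password: str, first: str, last: str,
                 history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the rules the candidate violates; an empty list means accepted."""
    violations = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no number")
    if not any(c in SPECIALS for c in password):
        violations.append("no special character")
    for label, name in (("first name", first), ("last name", last),
                        ("organisation name", ORG_NAME)):
        if name and name.lower() in lowered:
            violations.append(f"contains {label}")
    if any(word in lowered for word in BLACKLIST):
        violations.append("contains a blacklisted word")
    if seen_before(password, history[-HISTORY_DEPTH:]):   # only the last N count
        violations.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return violations
```

Call `check_policy(candidate, first_name, last_name, history)` at password-change time, where `history` holds the user's last N `hash_password` results; a non-empty return value is the list of reasons to reject the change.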


One of the common best practices that the IT security team in an organisation follows for passwords is having a password expiration interval. It is a practice followed by most organisations. Mostly 30/45 days is chosen as the maximum age of a password, and users are forced to change their password at the end of 30/45 days.

The basis of such a rule is to ensure that if a hacker has obtained a user’s password through some means, by the time the hacker uses the password the user will have changed it. This is based on the assumption that a hacker typically doesn’t use a stolen password immediately to break into the user’s account. This assumption is based on a series of such hacks that happened in the past.

Considering the latest technologies available today, the assumption may not hold true, as hackers try to use the password immediately to cause damage and may not wait for days as before. Nevertheless, it is good to have an expiration policy to ensure the user doesn’t keep the same password forever.


Password strength is a score given to a user’s password based on various parameters about how the password is formed; in other words, how difficult it is for an attacker to guess or retrieve the password through a brute-force approach. According to Wikipedia, the following parameters can be used to calculate password strength:

  1. Complexity of Password
  2. Length of Password
  3. Unpredictability


Some of the findings of the analysis of 37,608 Sony breach users’ passwords, on the basis of length, character types, randomness and uniqueness, are as follows:

  1. 93% of accounts had passwords between 6 and 10 characters long, which is pretty predictable, and 50% of these were less than eight characters.
  2. 4% of passwords had three or more character types.
  3. Half of the passwords had only one character type, and nine out of ten of those were all lowercase.
  4. Less than 1% of passwords contained a non-alphanumeric character.
  5. One third of passwords conform to a relatively predictable pattern.
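The same measures computed over a constructed password list, as an added example (not the article’s code or the original analysis): this is the audit a defender would run over the output of an internal password audit or over their own breached set to report length and character-type distribution. The sample list and the "predictable pattern" heuristic (a lowercase word followed by one to four digits) are constructed for this example.

```python
import re
import string
from collections import Counter
from typing import Dict, List

SPECIALS = set(string.punctuation)

def char_types(pw: str) -> int:
    """Number of character classes present: upper, lower, digit, special."""
    return sum((any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(c in SPECIALS for c in pw)))

def audit(passwords: List[str]) -> Dict[str, float]:
    """Percentages (0-100) for the measures quoted in the Sony analysis.
    'word + digits pattern' is a constructed heuristic for a predictable
    pattern: a lowercase word followed by one to four digits."""
    n = len(passwords)
    counts: Counter = Counter()
    for pw in passwords:
        types = char_types(pw)
        counts["between 6 and 10 chars"] += 6 <= len(pw) <= 10
        counts["fewer than 8 chars"] += len(pw) < 8
        counts["three or more types"] += types >= 3
        counts["single type"] += types == 1
        counts["single type, all lowercase"] += types == 1 and pw.islower()
        counts["contains non-alphanumeric"] += not pw.isalnum()
        counts["word + digits pattern"] += bool(re.fullmatch(r"[a-z]+\d{1,4}", pw))
    pct = {k: round(100 * v / n, 1) for k, v in counts.items()}
    # Share of the single-type passwords that are all lowercase letters
    single = counts["single type"]
    pct["of single-type, all lowercase"] = (
        round(100 * counts["single type, all lowercase"] / single, 1) if single else 0.0)
    return pct

# Constructed sample list (not from the Sony dump) to exercise the audit
SAMPLE = ["password", "sunshine", "letmein1", "123456", "Summer2011",
          "qwerty", "monkey", "Tr0ub4dor&3", "abc123", "iloveyou"]

if __name__ == "__main__":
    for measure, value in audit(SAMPLE).items():
        print(f"{measure:32} {value:5.1f}%")
```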