A password is often all that stands between an unauthorized third party and your organization’s most confidential information. Hackers and malware expend an inordinate amount of effort on cracking passwords, because a cracked password gives them front-door access to your systems. That’s why your password policies are so important if you want to keep your business’s sensitive data secure.
Password policies are the set of rules that govern how users create, use and manage their passwords. The following are some of the most important best practices in password policy making.
Hackers will often start with a brute force attack to try to break a password. This is an automated process in which a tool tries millions of character combinations in the hope that one of them will be the right one. Brute force attacks rely on mathematical probability: given enough guesses, one will eventually succeed. And this is why it’s so important to have a minimum password length.
In the simplest sense, think about it this way: it’s easier to break a 2-character password than a 3-character password. As password length increases, the number of possible alphanumeric combinations grows exponentially. At a minimum, your passwords should be 8 characters long.
We’ve emphasized the need for passwords to be a certain length in order to compound the number of possible combinations a brute force attack would have to run through. You can make your passwords even harder to crack by ensuring they contain not just alphanumeric characters but symbols as well.
For even better results, make sure the symbols and numbers are spread throughout the password (for example, instead of ‘bniskdw79$!’, you should make it ‘bn7is$kd9w!’).
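The two points above, length and character variety, are both statements about the size of the search space an exhaustive attacker has to cover. The following Python is an added example (not code from the original article) that computes that keyspace for a given length and alphabet, estimates how long an exhaustive search would take at an assumed guess rate, and checks whether a password's digits and symbols are interleaved with its letters, as the ‘bn7is$kd9w!’ example recommends. The guess rate of 1e10 per second is an illustrative assumption, and the 32-symbol pool is simply Python's `string.punctuation`.

```python
import string

# Character pools a policy usually distinguishes. The size is what an exhaustive
# attacker must cover per position once a password is known to use that class.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
}


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password actually uses."""
    return sum(n for chars, n in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet ** length


def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet) / guesses_per_second


def symbols_spread(password: str) -> bool:
    """True when the non-letter characters form more than one run, i.e. they are
    interleaved with letters rather than bunched together. 'bniskdw79$!' fails,
    'bn7is$kd9w!' passes. A password with no or only one non-letter also fails."""
    positions = [i for i, c in enumerate(password) if not c.isalpha()]
    if not positions:
        return False
    contiguous = positions[-1] - positions[0] + 1 == len(positions)
    return not contiguous


def crack_table(lengths, alphabets, guesses_per_second):
    """Rows of (length, alphabet, seconds) showing how search time grows."""
    return [(length, alphabet, seconds_to_exhaust(length, alphabet, guesses_per_second))
            for length in lengths for alphabet in alphabets]


if __name__ == "__main__":
    # Assumed rate for illustration only: 1e10 guesses/s (offline attack, fast hash).
    RATE = 1e10
    for length, alphabet, secs in crack_table([6, 8, 10, 12], [26, 62, 94], RATE):
        print(f"length {length:2d} alphabet {alphabet:2d}: {secs / 86400:16.2f} days")
    for pw in ("bniskdw79$!", "bn7is$kd9w!"):
        print(pw, "alphabet", alphabet_size(pw), "spread", symbols_spread(pw))
```

Running the table shows why each extra character matters more than each extra class: going from 8 to 12 characters over the 62-character alphanumeric pool multiplies the search by 62 to the fourth power, whereas widening the pool from 62 to 94 at a fixed length of 8 multiplies it by less than 30.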
A lot of hacking incidents are preceded by identity theft and social engineering. By carrying out extensive background research on a system user (including sifting through your log server, where they can reach it), an attacker may obtain vital clues that make figuring out the user’s password much easier.
Many people have passwords that contain their own names, their partner’s, children’s or their pet’s. They also use their birth date, neighborhood, mailing address, height, school name or college name.
Some hacking tools allow attackers to supply words or character strings that have a high probability of appearing in the user’s password. So, unlike the traditional brute force technique that barrels through every character combination, these uniquely personal strings mean breaking the password takes far less time than it otherwise would.
We are living in the age of single sign-on. Single sign-on was seen as a convenient way for organizations to develop an enterprise-wide access control system that could be managed centrally. It eventually spread to the Internet where now many websites will encourage you to register a new account using your Facebook, Google, Yahoo, Twitter or Disqus account.
But while there are benefits to single sign-on, there are also serious risks. If someone were to learn your password, they would gain access to every system your account is signed into. As much as possible, have different accounts and passwords for different systems. Similarly, even if you are not using a single sign-on architecture but rather have users sign in manually, discourage the use of the same password on multiple systems.
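Discouraging reuse is easier to enforce than to request. The Python below is an added example, not code from the original article, of a per-system credential store that keeps a short history of salted PBKDF2 hashes and rejects a new password if it matches the user's current or recent passwords on this system, or their current password on any sibling system the change hook is told about. Because every hash has its own random salt, stored hashes can never be compared to each other; the only moment a reuse check is possible is at password-change time, when the plaintext is briefly in hand. The iteration count, history length and user names are assumptions for the example.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an assumption for this
# example; choose it for your hardware and the login latency you can accept.
ITERATIONS = 100_000
HISTORY_LEN = 5


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    return hmac.compare_digest(derive(password, salt), digest)


class PasswordStore:
    """Credential store for one system. Each password gets its own random salt,
    so reuse can only be detected by re-deriving the candidate against each
    stored record, never by comparing hashes directly."""

    def __init__(self):
        self._current = {}   # user -> (salt, digest)
        self._history = {}   # user -> [(salt, digest), ...], most recent last

    def records_for(self, user: str):
        recs = list(self._history.get(user, []))
        if user in self._current:
            recs.append(self._current[user])
        return recs

    def is_known(self, user: str, password: str) -> bool:
        """True if the password matches the user's current or recent passwords."""
        return any(verify(password, s, d) for s, d in self.records_for(user))

    def set_password(self, user: str, password: str, other_systems=()) -> bool:
        """Store a new password. Returns False and changes nothing if it is a
        reuse on this system or matches the user's password on another system."""
        if self.is_known(user, password):
            return False
        if any(other.is_known(user, password) for other in other_systems):
            return False
        if user in self._current:
            hist = self._history.setdefault(user, [])
            hist.append(self._current[user])
            del hist[:-HISTORY_LEN]          # keep only the newest HISTORY_LEN
        salt = os.urandom(16)
        self._current[user] = (salt, derive(password, salt))
        return True

    def login(self, user: str, password: str) -> bool:
        rec = self._current.get(user)
        return rec is not None and verify(password, *rec)


if __name__ == "__main__":
    crm, hr = PasswordStore(), PasswordStore()          # two separate systems
    print(crm.set_password("alice", "correct-horse-9!"))                      # True
    print(crm.set_password("alice", "correct-horse-9!"))                      # False: same as current
    print(crm.set_password("alice", "battery-staple-4$"))                     # True
    print(hr.set_password("alice", "battery-staple-4$", other_systems=[crm]))  # False: reused from CRM
```

The cross-system check is only as good as the list of systems the change hook is given, and every extra system costs one PBKDF2 derivation per stored record; in practice the check lives in the central identity provider or password-change service, which is the one place that sees the plaintext.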
In the brute force method we’ve been talking about, the hacking tool painstakingly tests every combination of letters, numbers and symbols. Hackers could cut down the time it takes them to brute force or guess your password by going through dictionary words.
That may sound like a huge list, but in the context of computing, the time it takes a processor to check whether any word (or combination of words) in the dictionary matches your password is only a fraction of the time it takes to run a full character combination test.
It’s tempting to use dictionary words in your password. They are easy to remember compared to a seemingly unintelligible text string. However, they leave your passwords more vulnerable.
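Both the personal-information problem and the dictionary-word problem are things a policy can check at password-creation time, before a targeted wordlist ever gets a chance. The Python below is an added example, not code from the original article: it undoes common letter-for-symbol substitutions (so ‘P@ssw0rd’ is read as ‘password’), derives the strings an attacker would harvest from a user profile (names, pet, birth date groupings, places), and reports any dictionary word or personal token found inside the candidate. The substitution map, the seven-word stand-in wordlist and the profile are all constructed for the example; a real deployment would load a cracking wordlist and the directory record for the user.

```python
import re

# Common substitutions an attacker's rules would try, reversed: 0->o 1->l 3->e
# 4->a 5->s 7->t 8->b @->a $->s !->i. Constructed for this example.
LEET = str.maketrans("0134578@$!", "oleastbasi")

# Constructed sample data (not a real wordlist, not a real person).
SAMPLE_WORDLIST = {"password", "welcome", "dragon", "summer",
                   "monkey", "letmein", "football"}
SAMPLE_PROFILE = {
    "name": "Alice Johnson",
    "partner": "Bob",
    "pet": "Rex",
    "birthdate": "1987-04-12",
    "city": "Springfield",
    "college": "Shelbyville State",
}


def normalize(password: str) -> str:
    """Lowercase and undo leet substitutions so disguised words become visible."""
    return password.lower().translate(LEET)


def profile_tokens(profile: dict) -> set:
    """Strings an attacker would feed a targeted wordlist: every word of 3+
    characters from the profile, plus the digit groupings of date-like fields."""
    tokens = set()
    for value in profile.values():
        parts = re.findall(r"[a-z0-9]+", value.lower())
        tokens.update(p for p in parts if len(p) >= 3)
        digits = "".join(re.findall(r"\d", value))
        if len(digits) == 8:                      # YYYYMMDD from a date field
            tokens.update({digits, digits[:4], digits[4:], digits[6:] + digits[4:6]})
    return tokens


def personal_hits(password: str, profile: dict) -> list:
    """Profile tokens that appear in the password, raw or de-leeted."""
    raw, norm = password.lower(), normalize(password)
    return sorted(t for t in profile_tokens(profile) if t in raw or t in norm)


def dictionary_hits(password: str, wordlist: set, min_len: int = 4) -> list:
    """Wordlist entries of min_len+ characters embedded anywhere in the password.
    Enumerating substrings keeps this O(len^2) set lookups even for a large list."""
    words = {normalize(w) for w in wordlist}
    norm = normalize(password)
    found = set()
    for i in range(len(norm)):
        for j in range(i + min_len, len(norm) + 1):
            if norm[i:j] in words:
                found.add(norm[i:j])
    return sorted(found)


def check_password(password: str, profile: dict, wordlist: set) -> list:
    """Policy findings for a candidate password; an empty list means it passed."""
    findings = []
    for token in personal_hits(password, profile):
        findings.append(f"contains personal information: {token!r}")
    for word in dictionary_hits(password, wordlist):
        findings.append(f"contains dictionary word: {word!r}")
    return findings


if __name__ == "__main__":
    for candidate in ("alice1987!", "P@ssw0rd123", "Dr4g0nF1y!", "xq9!Lm2#vZ"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE, SAMPLE_WORDLIST) or "ok")
```

Note that numeric tokens such as a birth year are matched against the raw lowercase password, since de-leeting turns digits into letters; the alphabetic tokens are matched against both forms.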
These 5 tips are certainly not the only ones that should form your password policy. But they can provide the foundation you need to get your password rule-making process moving in the right direction.