Does your password policy work?

As a business owner you probably have more than one issue on your mind at any given time. One challenge many owners and managers worry about is the security of their organization and the systems used. One of the weakest links, security-wise, is the password, as these can be quite easy to crack. This is why many companies introduce password policies. However, quite often these policies are not effective.

If you are in the process of implementing a password policy, or are looking for a way to ensure that your business is as secure as possible, you need to be aware of at least four common password policy pitfalls.

1. Complex password requirements aren’t complex at all

One of the most common elements of a password policy is the requirement that passwords be complex. Many require that the password has at least one number, or a special character like ‘!’ or ‘&’, and possibly even a capital letter.

While this may seem like it serves to make passwords more complex, many users will often use a simple password and replace words with a character, or add one at the end. This really doesn’t make the passwords complex; it just makes them more difficult to guess.

Because so many systems have these requirements in place, hackers have started to include these factors when they develop password crackers. This means that they are still able to guess many passwords relatively quickly.

2. Lack of a lock-out

A common way hackers get into systems is through a method called brute force. This is essentially entering different passwords and variations until you come across the correct password. While this method can take a while, if your password system doesn’t have a lock-out rule – whereby the account becomes locked after a set number of failed attempts – you will eventually see a security breach.

3. Password changes are forced too often

In order to keep systems secure, many companies force their users to change their passwords on a regular basis – usually every 90 days. While this is a good idea, some take it a bit too far, for example forcing employees to change passwords every two weeks.

This may seem like a good idea, but all it does is encourage users to pick easy to remember passwords. And, any password that is easy to remember is likely easy to guess too.

4. Only focusing on digital passwords

Because the number of password-protected systems we use is increasing, many business users are struggling to remember all of the passwords they use. When this happens, the easiest solution is to write them down.

When making a note of passwords, most people don’t take any steps to hide them, often leaving a sticky note attached to their monitor or written in a notebook casually left open on their desk. Needless to say, this is a real security issue.

How should I ensure a strong password policy?

Here are four actions you can take to ensure not only stronger passwords, but a policy that is effective.

  1. Try using passwords that are sayings and have spaces. Believe it or not, a random saying like “rude horses get pizza” is actually way more secure than any one word password with characters. Take a look at this XKCD comic for an interesting graphic on passwords.
  2. In order to minimize passwords and systems falling to brute force attacks, you should set a lock-out rule. It should be fair in that you shouldn’t lock users out of their accounts if they fail one attempt. Most companies using this method set a limit of 3-5 attempts.
  3. You should ensure that your passwords are changed on a regular basis – most companies set every 90 days, and this is fine. In order to maximize security, it is a good idea to set it so that the same password and numbers can’t be used, because most employees will just enter another number or character at the end or beginning. In other words, ensure the password is as different as possible.
  4. The most obvious point is to remind your employees not to write their passwords down and leave them in an easy to find area. If they have to write passwords down, tell them to use a code or even hide the piece of paper/lock it away in a secure safe. The other step you could implement is two-factor authentication, such as a user needing to enter a numerical code or piece of information when trying to access a system. Implementing a system like this and recording it in the policy will greatly reduce the chances of your passwords being stolen.
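Action 3 asks that a changed password not be the old one with a different number or character on the end. The check below is an added example, not part of the original article: it strips that kind of decoration and compares what remains. It assumes the check runs at change time, when the user has just typed the current password, so no old plaintext is stored; the substitution table, the 0.8 threshold and the function names are illustrative choices.

```python
import difflib
import string

# Character swaps users commonly make to satisfy complexity rules (assumed list).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
DECORATION = string.digits + string.punctuation + string.whitespace


def core(password: str) -> str:
    """Reduce a password to its base word: drop edge decoration, undo swaps."""
    stripped = password.strip(DECORATION)
    if not stripped:                      # nothing but digits/symbols: compare as typed
        return password.lower()
    return stripped.lower().translate(LEET)


def is_trivial_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True if `new` is `old` with only cosmetic changes."""
    old_core, new_core = core(old), core(new)
    if old_core == new_core:
        return True
    # One base word wrapped inside the other ("Winter" -> "MyWinter").
    shorter, longer = sorted((old_core, new_core), key=len)
    if len(shorter) >= 4 and shorter in longer:
        return True
    # Small spelling tweaks ("springtime" -> "springtyme").
    ratio = difflib.SequenceMatcher(None, old_core, new_core).ratio()
    return ratio >= threshold


if __name__ == "__main__":
    # Constructed sample pairs: (current password, proposed new password).
    samples = [
        ("Summer2023!", "Summer2024!"),
        ("Password1", "P@ssw0rd2!"),
        ("Winter2023", "MyWinter2024#"),
        ("Springtime1", "Springtyme2"),
        ("Summer2023!", "rude horses get pizza"),
    ]
    for old, new in samples:
        verdict = "reject" if is_trivial_variation(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

Only the last pair, which switches to an unrelated passphrase, is accepted.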

If you are looking for help with your password policy, or with the security of your business and systems, please contact us today.

Published with permission from TechAdvisory.org.
