Even with up-to-date antivirus software and a capable hardware firewall, your company's passwords can still leave you open to attackers and phishers. A weak password is often the fastest way in: a guessable one can fall to an automated attack in minutes.
However, you cannot expect employees to remember long strings of random, meaningless characters either. The key to good password guidelines is balancing your security needs against the usability of the scheme; a rule that people cannot live with is a rule they will work around.
Here are five rules for developing password guidelines for your company.
1. If it is in the dictionary, it is out as a password. Attackers do not guess by hand; they run programs that try every entry in a large wordlist of English words, names, and previously leaked passwords. These are known as "dictionary attacks," and they have been around almost as long as the Internet. Substituting look-alike characters (@ for a, the numeral 0 for the letter o, $ for s) is not effective either: cracking tools apply these substitutions, along with appended digits and years (Summer2024) and capitalised first letters, as routine "mangling rules" on every word in the list.
The same applies to names and dates. Dates in any layout (day-month-year, month-day-year, with or without separators), bare years, and the names of spouses, children, or pets are almost as easy to crack as dictionary words, and an attacker who knows the target can guess them first.
2. Do not require long strings of random characters. Short-term memory holds roughly five to nine items of a single type, so expecting people to recall ten or more unrelated letters, digits, and symbols sets them up to fail. When confronted with requirements like this, many users write the password on a note kept next to the machine, which exposes it to anyone who walks past and is often a worse outcome than a merely weak password. Length itself is not the problem; length that comes from meaningless characters is. A long password built from memorable words (see rule 4) does not have this drawback.
3. Passwords must be absolutely confidential. Users should never have to divulge their passwords to anyone, including IT personnel and system administrators; a legitimate administrator never needs a user's password, because an account can be reset without knowing it. The rule matters beyond the individual password: once staff learn that "tech people" sometimes ask for passwords, a caller impersonating the help desk will get them too. A policy of never sharing, with no exceptions, is what makes that kind of phishing fail.
4. Encourage users to employ passphrases instead of passwords. One form is an abbreviation of a phrase; for example, TQBFJOTLD would be a simple passphrase representing The quick brown fox jumps over the lazy dog. As written, the abbreviation does not match a dictionary word, but it is not especially strong: it is short, uses only capital letters, and the underlying sentence is a famous pangram that appears in every cracking wordlist, so attackers try the acronyms of well-known quotes as well. Pick a phrase that is personal rather than famous, and increase the strength of the result by mixing upper- and lowercase letters and including numerals and a few special characters. A full multi-word phrase of unrelated words is another option: it is long, which is what makes it hard to crack, yet it is far easier to remember than the same number of random characters.
5. Requiring users to change passwords periodically does not do much good. Remembering one password is hard enough, and asking people to invent a new one every month or so pushes them into predictable patterns: most users settle for a sequence such as password01, password02, and so on, or bump the year in Summer2024 to Summer2025. Attackers know this and try such variations of any password they already have, so forced rotation adds little. It is better to have users settle on one good, strong passphrase and encourage them to change it about once a year. Of course, if you suspect a password has been guessed, cracked, or stolen, or it turns up in a published breach, it must be changed right away, and a new password that is a trivial variation of the old one should be refused.
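The five rules above are easy to state and easy to get wrong in a checker, so here is a worked policy check that applies them together. This is an added example, not code from the original article: the word lists, the leet-substitution table, the eight-character minimum, and the sample passwords are all constructed for illustration. A real deployment would load a large cracking wordlist, a names list, and a breached-password list in place of the tiny sets shown here.

```python
"""Password-policy checker for the rules above (added example, not from the article).

Word lists, substitution table and the length threshold are constructed
for illustration; a real deployment would load large wordlists instead.
"""
from __future__ import annotations

import re

MIN_LENGTH = 8  # assumed policy value; the article argues against much longer minimums

# Constructed miniature lists standing in for a cracking dictionary and a names list.
DICTIONARY = {"password", "welcome", "dragon", "sunshine", "monkey",
              "letmein", "summer", "winter"}
NAMES = {"alice", "bob", "emma", "liam"}

# Substitutions every dictionary-attack tool already tries as "mangling rules",
# so the checker undoes them before looking the word up.  Real tools try far more.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Day-month-year / month-day-year dates with optional separators, or a bare year.
DATE_RE = re.compile(r"\d{1,2}[-/.]?\d{1,2}[-/.]?(\d{2}|\d{4})|(19|20)\d{2}")


def _strip_edges(s: str) -> str:
    """Drop leading and trailing digits/symbols: 'password123!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def cores(pw: str) -> set[str]:
    """Candidate 'cores' of a password as a cracking tool would see them:
    lower-cased, leet substitutions undone, edge digits and symbols removed.
    Several candidates are kept because a trailing '1' may be a counter or an 'i'."""
    low = pw.lower()
    out: set[str] = set()
    for variant in (low, low.translate(LEET)):
        stripped = _strip_edges(variant)
        out.add(stripped)
        out.add(stripped.translate(LEET))
    out.discard("")
    return out


def looks_like_date(pw: str) -> bool:
    """Rule 1: whole password is a date or a year (12-03-1985, 25121990, 1990)."""
    return DATE_RE.fullmatch(pw) is not None


def is_trivial_variant(new: str, old: str) -> bool:
    """Rule 5: password02 after password01, Summer2025 after Summer2024,
    or the old password embedded in the new one."""
    if cores(new) & cores(old):
        return True
    return len(old) >= 6 and old.lower() in new.lower()


def check_password(pw: str, previous: str | None = None) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if looks_like_date(pw):
        problems.append("is a date or year")
    for core in sorted(cores(pw)):
        if core in DICTIONARY:
            problems.append(f"dictionary word after undoing substitutions: {core!r}")
        if core in NAMES:
            problems.append(f"personal name: {core!r}")
    if previous is not None and is_trivial_variant(pw, previous):
        problems.append("trivial variant of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: leet-mangled word, date, name+year, the article's
    # acronym, a multi-word passphrase, and a rotated-year sequence.
    for pw, prev in [("P@ssw0rd!", None), ("12-03-1985", None), ("Emma2015", None),
                     ("TQBFJOTLD", None), ("correct horse battery staple", None),
                     ("Summer2025", "Summer2024")]:
        verdict = check_password(pw, prev)
        print(f"{pw!r:32} -> {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that the checker works on the password as the attacker would see it, not as the user typed it: P@ssw0rd! is rejected because its core is password, and Summer2025 is rejected both as a dictionary word and as a variant of Summer2024, while the article's TQBFJOTLD and a four-word passphrase pass. The small lists make the acceptance of TQBFJOTLD look better than it is; with a real wordlist that includes acronyms of famous phrases, it would be caught too.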
In the end, it comes down to common sense. Subjecting employees to long and arduous password requirements is tantamount to asking them to subvert your policy. The more reasonable and user-friendly your password rules are, the more likely users will be to respect their intent and abide by them.