Strong password policies have come a long way. When I created my very first online account many, many years ago, my password was the word “cool” (don’t judge me, ok? I was very young at the time).
That password has long since been changed to something much more secure, but passwords remain part of everyday life as more and more of the services we rely on are managed online through websites and mobile applications.
Users today are inundated with passwords they must remember. Think about it: website logins, email accounts, social media accounts, bank accounts, smartphone passcodes, ATM PINs, and home security alarm codes all require some type of password.
Creating a strong password policy is key to helping users safeguard the critical systems they rely on every day. While additional complexity can seem like an inconvenience to many users, that shouldn’t prevent a strong password policy from being implemented in your organization.
Consider these 3 quick facts supporting a strong password policy requirement:
Fact: 73% of users use the same password for multiple sites, and 33% use the same password every time.
Security breaches have escalated in recent years, and even major brands have had systems compromised and user passwords exposed. Administrators typically respond quickly by notifying users and forcing password changes, but their efforts are limited to their own site.
Changing a password on one site is not always enough. Chances are that the compromised password is used elsewhere too, leaving users vulnerable to attackers who try it against other services.
Fact: Every extra character in your password increases the difficulty for hackers to crack it.
The most commonly used password is… 123456.
It is closely followed by equally insecure choices like “password”, “welcome”, and “12345”.
Think one extra letter or number doesn’t mean much? Consider this:
- A 6-character password using lowercase letters only (26 choices per position) has 308,915,776 possible combinations.
- An 8-character password using lowercase letters only has 208,827,064,576 possible combinations.
- An 8-character password drawn from upper- and lowercase letters, numbers, and symbols (94 printable characters) has 6,095,689,385,410,816 possible combinations.
- There is real strength in numbers, or in this case in the extra characters and character classes a strong password policy requires. These counts assume a randomly chosen password; a human-chosen password built from words and predictable substitutions falls to dictionary and rule-based attacks far sooner than exhaustive search would suggest.
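To see where these figures come from, and what they mean against a realistic offline guessing rate, here is an added Python example (not code from the original post). It generalizes the calculation, charset size raised to the password length, across several charsets and lengths and converts each keyspace into the worst-case time to exhaust it. The charset sizes and the assumed rate of 10 billion guesses per second (a fast unsalted hash on commodity GPUs) are assumptions chosen for illustration; slow password hashes such as bcrypt, scrypt or Argon2 reduce that rate by orders of magnitude, and the times only hold for passwords chosen uniformly at random.

```python
"""Password keyspace and exhaustive-search time estimator.

Added example, not part of the original post. The charset sizes and the
10 billion guesses per second figure are assumptions chosen for illustration.
"""
from math import log2

# Size of each character class. 94 is printable ASCII minus the space,
# which is why the post's 8-character figure equals 94 ** 8.
CHARSETS = {
    "lowercase letters": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 94,
}

# Assumed offline guess rate for a fast unsalted hash on commodity GPUs.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a password chosen uniformly at random from the keyspace."""
    return length * log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the keyspace at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration using the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def table(lengths=(6, 8, 12, 15), rate: int = ASSUMED_GUESSES_PER_SECOND) -> list:
    """Rows of (charset, length, keyspace, entropy bits, time to exhaust)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n),
                         round(entropy_bits(size, n), 1),
                         human_duration(seconds_to_exhaust(size, n, rate))))
    return rows


if __name__ == "__main__":
    for name, n, space, bits, t in table():
        print(f"{name:34} {n:2} chars  {space:>28,}  {bits:6} bits  {t}")
```

Running it shows the contrast the post is making: 8 lowercase letters fall in about 21 seconds at the assumed rate, 8 mixed characters take about a week, and 15 lowercase letters take thousands of years. Length buys more than character-class variety does.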
Fact: Multi-factor authentication adds an extra layer of security that is difficult for attackers to bypass
A strong password policy doesn’t need to be the only line of defense to your systems and network. Adding multi-factor authentication creates multiple layers of security to protect users and resources.
At DigiCert, we strongly recommend that users enable multi-factor authentication in order to secure their certificate management account. Users can include IP address restriction, client certificates, and one-time passwords as their layers of defense.
Correctly implemented, these additional access requirements act as an extra layer of security protecting accounts even when hackers have been able to obtain a user’s password.
Strong Password Construction Guidelines
Good passwords are critical to information security. A poorly considered password policy increases the chances of unauthorized access or compromised data. The SANS Institute recommends that a strong password policy include the following characteristics:
- Contain a mix of uppercase and lowercase letters, punctuation, numbers, and symbols.
- Contain at least 15 characters.
- Be unique from other accounts owned by the user.
- Never include dictionary words.
- Never include patterns of characters (such as sequences, repeated characters, or keyboard walks).
- Go even further by encouraging the use of passphrases: several words combined and then subjected to the same guidelines, which makes the result long and memorable while still hard to guess.
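The guidelines above can be enforced mechanically at password-change time rather than left to the user. The following Python checker is an added example, not DigiCert's or SANS's code. The minimum length of 15 and the four character classes come from the list above; the embedded word list, the keyboard rows, the treatment of runs of four or more sequential, repeated or keyboard-adjacent characters as a "pattern", and the SHA-256 fingerprint used for the reuse check are assumptions chosen for illustration (a real deployment would load a full dictionary and breached-password list, and would compare against the per-user salted hashes it already stores).

```python
"""Password-policy checker for the guidelines listed above.

Added example, not DigiCert's or SANS's code. The word list, keyboard rows,
the definition of a "pattern" and the reuse fingerprint are assumptions.
"""
import hashlib
import re
import string
from typing import Iterable, List, Optional

MIN_LENGTH = 15
PATTERN_RUN = 4  # assumption: runs shorter than this are tolerated

# Constructed mini dictionary; a real deployment loads a full word list
# plus a breached-password list instead of this handful.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "digicert"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed US layout


def password_fingerprint(pw: str) -> str:
    """Fingerprint for the reuse check. Illustration only: production history
    checks compare against the per-user salted password hashes already stored."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def dictionary_word_in(pw: str, min_len: int = 4) -> Optional[str]:
    """Return the first dictionary word of min_len+ letters embedded in pw, or None."""
    low = pw.lower()
    for word in sorted(DICTIONARY):
        if len(word) >= min_len and word in low:
            return word
    return None


def has_sequential_run(pw: str, run: int = PATTERN_RUN) -> bool:
    """True for `run` consecutive characters stepping by +1 or -1 ('abcd', '4321')."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw: str, run: int = PATTERN_RUN) -> bool:
    """True for one character repeated `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_keyboard_walk(pw: str, run: int = PATTERN_RUN) -> bool:
    """True for `run` adjacent keys from one row, forwards or backwards ('qwer', 'lkjh')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def check_password(pw: str, previous_fingerprints: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    word = dictionary_word_in(pw)
    if word:
        problems.append(f"contains the dictionary word '{word}'")
    if has_sequential_run(pw) or has_repeated_run(pw) or has_keyboard_walk(pw):
        problems.append("contains a character pattern (sequence, repeat or keyboard walk)")
    if password_fingerprint(pw) in set(previous_fingerprints):
        problems.append("reused from a previous password")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a weak one, a short-but-complex one, and a passphrase.
    for candidate in ("Welcome1234", "Tr0ub4dor&3", "Violet-Kettle-Orbits-42"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The checker reports every violation rather than stopping at the first, so the user sees the whole fix at once. The passphrase candidate passes all five checks while the short complex password fails only on length, which is the point of the 15-character minimum.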
The full negative effect of a compromised account can take months or years to be felt. Given the nature of the information we deal with online each day, there’s no room to be relaxed about account security. Keeping users, systems, and resources secure today requires a combined effort: strong password policies, multi-factor authentication, and staying on top of the latest information security best practices.