Creating Strong Password Policy Best Practices

With more of our private communication, financial transactions, and health care information stored online, making that information accessible to users comes with serious security risks. A strong password policy is the front line of defense for confidential user information.

Administrators today play a more critical role than ever in educating users: making sure they understand the security risks they face, and that strong passwords are their first line of defense against scammers and hackers.

Technology should facilitate, not complicate passwords

Technologies like one-time passwords, client certificates, smart cards, and biometrics can add layers to account security. Two-factor authentication combines several of these layers, improving the overall security of the system. The more critical the system, the more layers of authentication it should include.

However, the traditional password remains the primary method of user authentication. Whatever the number of additional layers a system includes, they generally still sit on top of a username and password combination. When creating a password policy, administrators should focus on these three key elements:

1. Understand what a strong password policy is

A password policy is a set of rules created to improve computer security by motivating users to create strong passwords and then to store and use them properly. Normally, a password policy is part of an organization's official policies and is often covered as a section of security awareness training.

Although most users understand the security risks of simple passwords, there is still frustration when they have to spend time creating a password that meets unfamiliar criteria, or trying to remember a strong password they created earlier.

2. Enforce using strong passwords

Passwords are the first line of protection against unauthorized access to your computer. The stronger the password, the better protected your computer is against malicious software and attackers.

Password strength is not about a single password: you need a strong, distinct password for each account you access through your computer. When you use a corporate network, the network administrator may require you to use a strong password.

To create a strong password, you need to know the criteria that define one. These criteria are, in essence, the following:

  • A strong password must be at least 8 characters long.
  • It should not contain any of your personal information, specifically your real name, username or company name.
  • It must differ substantially from your previously used passwords.
  • It should not contain any complete dictionary word.
  • A strong password should contain several types of characters: uppercase letters, lowercase letters, numbers and symbols.
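As an added example (not code from the original article), here is a Python checker that applies the criteria above to a candidate password and reports every rule it violates; it also accepts the mnemonic passphrase shown later in the article. The tiny word list, the sample user's name fields, the requirement that all four character classes be present, and the use of SHA-256 fingerprints for the reuse check are assumptions made for the demonstration.

```python
import hashlib
import re

# Tiny constructed word list standing in for a real dictionary (assumption for the demo).
COMMON_WORDS = ("password", "basketball", "welcome", "letmein", "admin", "enjoy")

# The four character classes the policy asks for; all four are required here (assumption).
CHAR_CLASSES = (
    ("uppercase", re.compile(r"[A-Z]")),
    ("lowercase", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("symbol", re.compile(r"[^A-Za-z0-9]")),
)


def password_fingerprint(password):
    """Fingerprint for the reuse check only. Demo simplification: a real system should
    keep password history under a slow, salted password hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, personal_info=(), previous_fingerprints=()):
    """Return the policy rules a candidate password violates; an empty list means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    lowered = password.lower()
    # Real name, username, company name: reject if any of them appears inside the password.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    if password_fingerprint(password) in set(previous_fingerprints):
        problems.append("reuses a previous password")
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains the complete word {word!r}")
    missing = [name for name, pattern in CHAR_CLASSES if not pattern.search(password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample user; "Acme" is a placeholder company name.
    user = ("Alice", "asmith", "Acme")
    for candidate in ("IEnjoiPlay!ngB@$k3tb@ll11.", "password1", "Acme2024!"):
        print(candidate, "->", check_password(candidate, user) or "accepted")
```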

3. Educate users to manage their strong passwords

A password like “eC<My!chO,quaj^of)naD}uM}rIew>Ap[Ek}E*quaC.eib(Tyb” is very secure. It contains nearly every element of a strong password. But how many users will remember a password like this? Chances are a strong password like this ends up written on a piece of paper taped to the user’s monitor, tucked under the keyboard or sitting in the top desk drawer. It might even be hidden among the random items on the user’s desk.

Users can instead relate their passwords to things they can easily remember, like a favorite sport or hobby. For instance, “I enjoy playing basketball” can become “IEnjoiPlay!ngB@$k3tb@ll11.” This is secure and is also easy for users to remember.

Password management software like LastPass and Apple Keychain takes the hassle out of managing strong passwords. For less than the price of a soda, you can easily create and manage strong passwords. The number of passwords to keep track of may be large, but by remembering just one strong master password, you can rely on the password manager to take care of the rest.

4. Creating strong password policy best practices

A password may follow the traditional guidelines and still be weak in practice. Users who can’t remember their strong passwords, and who end up writing them down or constantly resetting them, undermine the benefits of a strong password policy.

Passwords are one piece of the security puzzle in the enterprise. Keeping user accounts secure takes a combination of a thorough process for strong password creation and an easy-to-use system for users to follow to keep those passwords safe.


3 thoughts on “Creating Strong Password Policy Best Practices”

  1. I keep looking for password best practices, and they are all about the same. What I am not seeing is how the whole BYOD and wide-open remote access should affect password policies. For instance, if users are given the ability to access the corporate network from any device (personal home computers, kiosks, hotel business centers, etc.), should the period between password changes be shortened?

  2. OK, here are my 5 cents about pushing ‘strong password’ policy.

    The strong password policy requires you to choose a password that is very hard to guess. Obviously, you don’t want to use the same password you use for your online banking, so you come up with something like ‘@4$d#KK_s23&&33s’. You enter this ‘hard-to-guess’ password and your browser or service client ‘remembers’ it. Now you are good to go for any subsequent logins… In a week or two, you want to log in to your account from another device but unfortunately you can’t remember your password (strangely why :P). What happens next is you start entering all your hard-to-guess passwords trying to make it work, and thus you give up all your precious passwords to that service (of course not before passing through some ‘security’ filters), which stores all your ‘wrong’ passwords ‘just in case’ for your own ‘protection’.

    Further…
    The proud customer-carrying provider A states ‘Trust us with your personal data, we shall never betray you and your private data (as long as you are loyal to us)…’. The proud customer-carrying provider B states ‘Trust us with your personal data…’… The proud customer-carrying provider C states ‘Trust us with your personal data…’.
    … The problem is most of these providers are competitors. Competitors are not loyal to each other, they are enemies. You know ‘… the friends of my enemies are my enemies.’… The result is you, ‘the loyal customer’, have become an enemy to all providers, and you and your private data are now subject to any options and actions…

    Please pardon my language. English is not my mother tongue.
