IT Security


Passwords. The bane of most users, but should you be creating a password policy for your company or leaving password creation and management entirely to the user?

Introduction

Having a sound password policy is one of the most fundamental IT security practices that you can implement. Ensuring that your passwords are sufficiently robust and changed with an appropriate frequency goes a long way to safeguarding against unauthorised access to your systems, both internally and externally.

Password policies come in many forms and can contain many different rules to ensure that the password meets a standard set out by the company, but is this always the best way?

What is a Password Policy?

A password policy is a set of rules that a password must meet to be accepted as “secure” by the enforcing company. It can include items like complexity, length, and how often it needs to be changed and the rules and penalties governing its care and use (or misuse). This will usually be supported by the networking systems which will ensure that passwords include special characters, have a minimum length and also that they can't be re-used after a set amount of time.

Why have a password policy?

It might seem obvious, but the aim of a password policy is to make sure that passwords are of a sufficient uniqueness and complexity to prevent them from being guessed, worked out or “brute forced” by hackers in an attempt to gain access to your systems. Hackers have at their disposal a very wide range of techniques and tools to gain access to users’ usernames and passwords in order to breach your systems and either gain access to your data or wreak havoc on your systems.

Some of the greatest security breaches have been as a result of some of the simplest failures in IT security thinking in an organisation. Users need to be educated, and re-educated on a regular basis, about their obligations and responsibilities when it comes to safeguarding corporate data. The most fundamental aspect of this is to keep their password secure.


We often encounter users who have written their password on a post-it note and stuck it to their monitor. Their organisation followed a sensible password policy and generated passwords that were not easily guessed or cracked, so the user decided it was too much trouble to remember and wrote it down for all to see.

Also, many users, due to their trusting nature, can succumb to a tactic called social engineering. This is where hackers call and simply ask for their own or other people's credentials, or for other sensitive information that may help them break into your systems; because the person either wasn't thinking or was convinced by the requester's (often well-researched) cover story, they have simply handed over sometimes very sensitive credentials. Changing credentials at regular intervals helps minimise the impact of such a breach and limits the window of access to sensitive systems.

Advantages of having a Password Policy

A password policy, particularly when enforced by a correctly configured network, has the benefit that all users’ passwords are of the same high standard, allowing you to control how long and complex they are to minimise the risk of them being found out either by working them out or by using automated tools.

A well-designed password policy will allow users to meet security requirements without feeling under pressure to change their passwords every 30 days. A password policy that encourages more secure passwords also means they are likely to make one stronger “good” password if they know they won’t have to change it as often.

Disadvantages of having a Password Policy

Passwords are, for many, still the only security measure employed when logging in, and firms try to make this as secure as possible by requiring passwords that are at least 16 characters long, include numbers, upper and lower case letters and special characters, and have to be changed every 30 days.

A problem with this is that users struggle to remember their passwords and often end up just incrementing the number or following some other simple, guessable pattern, e.g. from “Password!1” to “Password!2”, and hackers know this. Another major issue with regular password changes is that users tend to write down their passwords (often somewhere within reach of their PC), which is obviously a major security risk.
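A password-change check that catches exactly the “Password!1” to “Password!2” habit described above, written as an added example rather than code from this page or any product; the 16-character minimum is taken from the policy the page cites, and the other rules are assumptions for the demo.

```python
import re

MIN_LENGTH = 16   # the minimum length the page cites for strict policies


def _stem(password: str) -> str:
    """Strip trailing digits/punctuation and lower the case, so that
    'Password!1', 'Password!2' and 'password2' all reduce to 'password'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def password_change_problems(old: str, new: str) -> list:
    """Return the reasons a proposed new password should be rejected when a
    user changes it. An empty list means the change is acceptable under
    these (assumed) rules: minimum length, not a trivial edit of the old
    password, and not a single repeated character."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if new == old:
        problems.append("same as the previous password")
    elif _stem(new) == _stem(old):
        # Only the trailing number or symbol moved on: the guessable increment
        problems.append("only the trailing number or symbol changed")
    if re.fullmatch(r"(.)\1*", new):
        problems.append("one character repeated")
    return problems


if __name__ == "__main__":
    # Constructed sample change, the one the text warns about
    print(password_change_problems("Password!1", "Password!2"))
```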


Choose a strong password but DON'T WRITE IT DOWN!

A password policy is normally set to a standard that the company deems safe and secure, which matches the level of risk it is comfortable with and is enforceable by the network login servers. However, with the computing power available to hackers increasing all the time, passwords that have historically been deemed strong become easier and easier to crack.

This leads to another issue: when users have to remember multiple “difficult” passwords they are more likely to reuse the passwords on multiple websites and for multiple purposes – something that is strongly discouraged. If one set of credentials is breached... they all are. A popular hacking tactic is called “Credential Stuffing” whereby leaked credentials from one site are tried against multiple other sites in the hope that users have used the same username/password combination for all of their online activity – this technique works alarmingly well.

Ideas for creating passwords

Passwords are mathematically more secure the longer they are, but a password of 15 ‘1’s will be easier to guess than something like “JsdWst3”9st9^5!”, although it's obvious which is easier to remember. A useful suggestion is to write words backwards in passwords: for example, instead of Password!1 use drowssaP!1. This keeps the password easy to remember, as you only have to remember the word or words in it, while adding another level of complexity.

Another suggestion would be to remember a sentence, for example, “I once went to see the butcher at the end of my road, house number 33”. Your password would now be “Iowtostbateomr, hn33”. This is a longer password that includes upper case, lower case, punctuation and numbers, and although it is longer it can be remembered fairly easily. It is also highly unlikely to appear in any hacker’s password dictionary.

Other thoughts on passwords include choosing four memorable, unrelated, words (at least five characters in length) and separating the words with punctuation marks or symbols, e.g. “horse?battery8staple-right@”.

The tougher a password is the better, but if it has a mnemonic or logical way of remembering it, then the user will have to change it less often – and is less likely to write it down.

There are a number of online tools available for generating and checking secure passwords, and a number of software applications available to generate, store and manage a wide variety of credentials. This could represent a very sensible investment, particularly if you are responsible for access to a number of sensitive systems. Some of these, such as KeePass, are available for free.

Other authentication methods

Username/password combinations are the traditional method for securing access to company systems; however, many organisations these days use additional safeguards when protecting their systems.

Two-factor authentication

This is where an additional method is employed to secure the login process beyond the basic username and password combination. It may be a specialised hardware device that displays an additional one-time password, called a token, on its screen to be entered. This token changes every few minutes, but the login server is kept in sync so that it always knows what the new password will be.

Other methods include apps on your smartphone which know when you are trying to log in and prompt you for further authorisation to ensure you are who you say you are. Stealing your username and password won’t be enough – an attacker would also need to steal your smartphone, and know how to unlock it. There are many more – contact us if you would like to learn more about how we can help you copper-fasten your users’ access to your systems.

Configuring your network to slow down attacks

Your systems can be further configured to impose a delay after each password failure: a forced delay of 10 to 20 seconds between failed login attempts slows an attack down so much that guessing passwords this way becomes practically impossible. This can be neatly rounded off by configuring your systems to temporarily lock a user out of their account for a short time, or even to require an administrator to let them back in, after a set number of failed login attempts. With these simple measures you will significantly decrease the chances of an attacker compromising your system by simply guessing your users’ passwords.
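The combined policy just described (forced delay after a failure, temporary lockout after a set number of failures, administrator unlock after more), as an added example in code rather than any vendor's configuration; the 15-second delay, thresholds of 5 and 15 failures, and 15-minute lockout are assumed values chosen for the demo.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed policy values: the text suggests a 10-20 second delay and a
# temporary lockout after a set number of failures; these figures are a demo.
FAILURE_DELAY_SECONDS = 15       # minimum gap after a failure before the next try
LOCKOUT_THRESHOLD = 5            # failures before a temporary lockout
LOCKOUT_SECONDS = 15 * 60        # length of the temporary lockout
ADMIN_UNLOCK_THRESHOLD = 15      # failures after which only an admin can unlock


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0
    admin_locked: bool = False


@dataclass
class LoginThrottle:
    clock: Callable[[], float] = time.time          # injectable for tests
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool) -> str:
        """Apply the policy to one login attempt and return its outcome:
        'ok', 'bad_password', 'too_fast', 'locked' or 'admin_lock'."""
        st = self.accounts.setdefault(user, AccountState())
        now = self.clock()
        if st.admin_locked:
            return "admin_lock"
        if now < st.locked_until:
            return "locked"
        if st.failures and now - st.last_failure < FAILURE_DELAY_SECONDS:
            # Inside the forced delay: refuse without even checking the password
            return "too_fast"
        if password_ok:
            self.accounts[user] = AccountState()     # success clears the history
            return "ok"
        st.failures += 1
        st.last_failure = now
        if st.failures >= ADMIN_UNLOCK_THRESHOLD:
            st.admin_locked = True
            return "admin_lock"
        if st.failures % LOCKOUT_THRESHOLD == 0:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()
```

A real deployment would keep this state in a shared store rather than in memory, and would log each lockout so that a burst of them can be alerted on.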

There are many more strategies to secure your infrastructure and systems – contact us if you would like to learn more about how we can help you copper-fasten access to your systems.

Biometrics

Biometrics, which use characteristics physically particular to an individual such as their fingerprint, retinal blood vessel patterns and other biologically unique traits, are an intuitively attractive method for securing access to your systems. Mobile phones now have fingerprint scanners as standard, and many secure facilities have biometric measures in place in addition to smart card and other access controls. Biometrics are also the subject of a lot of Hollywood fiction, which has misled a lot of people as to their current state of readiness for the workplace.


Even though the technology to implement biometric access is available, it is expensive and adoption in the workplace is low. Widespread use by SMEs is still a long way off, as the investment required is prohibitive and many of the mainstream vendors have not yet included support in their products for storing and using biometric credentials.

Conclusion

A strictly enforced password policy is not always the best way forward. A password policy combined with some tips on generating passwords and also two-factor authentication will help keep your network more secure whilst not troubling users with having to recreate a password every 30 days. 

A password policy should also be included as part of a strong IT security or general IT usage policy which sets other stringent security rules, for example, not allowing shoulder surfing, where another person stands behind the user entering their password, or prohibiting the use of browsers to store sensitive passwords. A web search should turn up many examples of good password policy templates from which to create your own.

Further Reading 

More information on password security can be found here:

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

https://en.wikipedia.org/wiki/Password_policy

https://www.microsoft.com/en-us/research/publication/password-guidance/