IT Security


Passwords. The bane of most users, but should you be creating a password policy for your company or leaving password creation and management entirely to the user?

Password policies come in many forms and can contain multiple different rules to ensure that the password meets a standard set out by the company, but is this always the best way?

What is a Password Policy?

A password policy is a set of rules that a password must meet before the enforcing company accepts it as “secure”. It can cover complexity, length, and how often the password must be changed. Such rules ensure that passwords include special characters, meet a minimum length and cannot be re-used for a set period.

Why have a password policy?

It might seem obvious, but the aim of a password policy is to make sure that passwords are of a sufficient uniqueness and complexity to prevent them from being guessed, worked out or “brute forced” by hackers in an attempt to gain access to your systems. Hackers have at their disposal a very wide range of techniques and tools to gain access to users’ usernames and passwords in order to breach your systems and either gain access to your data or wreak havoc on your systems.

Positives of a Password Policy

A password policy, particularly when enforced by a correctly configured network, has the benefit that all users’ passwords are of the same high standard, allowing you to control how long and complex they are to minimise the risk of them being found out either by working them out or by using automated tools.

A well-designed password policy lets users meet security requirements without feeling under pressure to change their passwords every 30 days. A policy that encourages stronger passwords also means users are more likely to invest in one “good” password if they know they won’t have to change it as often.

Downsides of a Password Policy

Passwords are, for many, still the only security measure employed when logging in. Firms try to make this as secure as possible by requiring passwords of at least 16 characters that include numbers, upper and lower case letters and special characters, and by forcing them to be changed every 30 days.

A problem with this is that users struggle to remember their passwords, and often end up just incrementing the number or following some other simple, guessable pattern, e.g. going from “Password!1” to “Password!2” – and hackers know this. Another major issue with regular password changes is that users tend to write down their passwords (often somewhere next to their PC), which is obviously a major security risk.

A password policy is normally set to a standard that the company deems safe and secure, reflecting the level of risk it is comfortable with, and is enforced by the network login servers. However, with the computing power available to hackers increasing all the time, passwords that have historically been deemed strong become easier and easier to crack. This leads to another issue: when users have to remember multiple “difficult” passwords they are more likely to reuse them across multiple websites and for multiple purposes – something that is strongly discouraged. If one set of credentials is breached, they all are.
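The rules described above (length, character classes, no re-use) and the “Password!1” to “Password!2” problem can both be enforced at the point where a user changes their password. The following is an added example, not code from the original article: a small policy checker that keeps only salted PBKDF2 hashes of previous passwords for the re-use rule, and compares the new password against the old one the user has just typed into the change form to catch the bumped-counter, reversed-word and one-character-changed variants. The policy defaults and the `PasswordPolicy`, `check_password` and `is_trivial_variant` names are constructed for this example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Constructed defaults for the example, not any particular firm's rules.
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_depth: int = 5      # how many previous passwords may not be reused


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history list never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def history_entry(password: str) -> tuple:
    """(salt, digest) pair to append to a user's password history."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def _stem(password: str) -> str:
    # Drop trailing digits/punctuation and case: "Password!2" -> "password".
    return re.sub(r"[\W\d_]+$", "", password).lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is the kind of edit users make to get past a forced change:
    a bumped counter, the same word reversed, one changed character, or a suffix."""
    if old == new:
        return True
    old_stem, new_stem = _stem(old), _stem(new)
    if old_stem and (old_stem == new_stem or old_stem == new_stem[::-1]):
        return True
    if len(old) == len(new) and sum(a != b for a, b in zip(old, new)) <= 1:
        return True
    return new.startswith(old) or old.startswith(new)


def check_password(policy, password, previous_password=None, history=()):
    """Return the list of rule violations; an empty list means the password is accepted.

    `previous_password` is the old password the user typed into the change form, so
    the similarity check works without the server ever storing plaintext. `history`
    is a sequence of (salt, digest) pairs from history_entry(), oldest first."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Re-use check: re-hash with each stored salt and compare in constant time.
    for salt, digest in list(history)[-policy.history_depth:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("reused a previous password")
            break
    if previous_password is not None and is_trivial_variant(previous_password, password):
        problems.append("too similar to the previous password")
    return problems
```

The similarity test only works during a password change, when the user supplies the old password anyway; the stored history is hashes only, so a leaked history table does not reveal old passwords.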

Ideas for creating passwords

Passwords are mathematically more secure the longer they are, but a password of 15 ‘1’s will be easier to guess than something like “JsdWst3”9st9^5!”. We all know which is easier to remember. One suggestion is to write words backwards in passwords, for example “drowssaP!1” instead of “Password!1”; this keeps the password easy to remember, as you only have to remember the word or words in it, while adding a level of complexity against those simply trying to guess.

Another suggestion is to remember a sentence, for example, “I once went to see the butcher at the end of my road, house number 33”. Your password would then be “Iowtostbateomr, hn33”: a longer password that includes upper and lower case letters, punctuation and numbers, yet can be remembered fairly easily. It is also highly unlikely to appear in any hacker’s password dictionary.

Other thoughts on passwords include choosing four memorable, unrelated, words (at least five characters in length) and separating the words with punctuation marks or symbols, e.g. “horse?battery8staple-right@”.

The tougher a password is the better, but if it has a mnemonic or logical way of remembering it, then the user will have to change it less often – and is less likely to write it down.
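To put rough numbers on the comparisons above, here is an added example (not from the original article) of a crude strength estimator. It treats a single repeated character as a handful of guesses, charges a word found in a small constructed list of the most-guessed passwords only log2(rank) bits, charges an ordinary dictionary word about log2(32768) bits on the constructed assumption that the attacker's word list has around 32k entries, adds one bit when a word appears reversed (password-cracking tools routinely try that as a rule), and falls back to brute-force arithmetic for anything else. The word lists and `DICTIONARY_SIZE` are constructed for the example; a real estimator such as zxcvbn ships far larger lists, so the scores for words not in these lists are optimistic.

```python
import math
import re

# Constructed word lists standing in for an attacker's dictionaries.
COMMON_PASSWORDS = ["password", "qwerty", "welcome", "letmein",
                    "monkey", "dragon", "football", "iloveyou"]
COMMON_RANK = {w: i + 1 for i, w in enumerate(COMMON_PASSWORDS)}
ENGLISH_WORDS = {"horse", "battery", "staple", "right", "road", "house", "butcher"}
DICTIONARY_SIZE = 32768   # assumed size of the attacker's word list (constructed figure)


def _pool_size(s: str) -> int:
    """Alphabet size an attacker must cover to brute-force this fragment."""
    pool = 0
    if re.search(r"[a-z]", s):
        pool += 26
    if re.search(r"[A-Z]", s):
        pool += 26
    if re.search(r"[0-9]", s):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", s):
        pool += 33          # printable ASCII punctuation
    return pool


def _word_bits(token: str):
    """(bits, description) if the token is a word a cracker would try, else None."""
    low = token.lower()
    for candidate, extra, how in ((low, 0, "dictionary word"),
                                  (low[::-1], 1, "reversed dictionary word")):
        if candidate in COMMON_RANK:
            # log2(rank) guesses to reach it, +1 for a capitalisation variant,
            # +1 more if it had to be reversed.
            return math.log2(COMMON_RANK[candidate]) + 1 + extra, how
        if candidate in ENGLISH_WORDS:
            return math.log2(DICTIONARY_SIZE) + 1 + extra, how
    return None


def estimate_bits(password: str):
    """Return (estimated guess-space in bits, list of findings)."""
    findings = []
    if not password:
        return 0.0, findings
    if len(set(password)) == 1:
        # "111111111111111": an attacker tries each symbol at each length,
        # so the guess count is roughly pool * length, not pool ** length.
        findings.append(f"one character repeated {len(password)} times")
        return math.log2(_pool_size(password) * len(password)), findings
    bits = 0.0
    # Split into alphabetic runs (candidate words) and everything else.
    for token in re.findall(r"[A-Za-z]+|[^A-Za-z]+", password):
        hit = _word_bits(token) if token.isalpha() else None
        if hit:
            word_bits, how = hit
            bits += word_bits
            findings.append(f"{how} {token!r}")
        else:
            bits += len(token) * math.log2(_pool_size(token))
    return bits, findings


def compare(*passwords):
    """Estimated bits for each password, rounded, keyed by the password."""
    return {p: round(estimate_bits(p)[0], 1) for p in passwords}
```

Running `compare("1" * 15, "Password!1", "drowssaP!1", "horse?battery8staple-right@", "Iowtostbateomr, hn33")` shows the repeated digit and the common word scoring in the single digits to low teens, the reversed word gaining only about one bit over the original, and the two long constructions scoring far higher.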

Other authentication methods

Username/password combinations are the traditional method for securing access to company systems; however, many organisations these days use additional or “two-factor” authentication, whereby an extra step is employed to secure the login process. This may be a specialised hardware device that displays an additional one-time password, called a token, to be entered at login. This token changes every few minutes, but the login server is kept in sync so that it always knows what the current token should be.

Other methods include apps configured on your smartphone which know when you are trying to log in, and which prompt you for further authorisation to ensure you are who you say you are. Stealing your username and password won’t be enough – they will also need to steal your smartphone, and know how to access it. There are many more – contact us if you would like to learn more about how we can help you copper fasten your users’ access to your systems.

Conclusion

A strictly enforced password policy is not always the best way forward. A password policy combined with some tips on generating passwords, and with two-factor authentication, will help keep your network more secure whilst not troubling users with having to create a new password every 30 days.

A password policy should also form part of a strong IT security or general IT usage policy that sets other stringent security rules, for example prohibiting “shoulder surfing” (standing behind a user as they enter their password) or forbidding the use of browsers to store sensitive passwords. A web search will turn up many good password policy templates from which to create your own.

Further Reading

More information on password security can be found here:

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

https://en.wikipedia.org/wiki/Password_policy

https://www.microsoft.com/en-us/research/publication/password-guidance/