Passwords – Hate Them or Love Them, You’re Stuck with Them
Passwords are the bane of every business and IT department. Employees hate them and do their best to circumvent best practices.
IT personnel can’t comprehend why employees hate them and what is so difficult about the implemented password best practices.
Business operators don’t always understand the consequences of a lax password policy.
I have visited a number of businesses where employee passwords were something along the lines of 123456. I have seen extremely careless password practice in law firms, health care providers, and business service agencies.
Some of them will even joke that their passwords are not the strongest.
Then there’s the dreaded sticky note.
Some businesses don’t even have passwords….on servers!
I get it. Passwords are a pain in the…..
Unfortunately, they’re not going anywhere.
There have been some cool advances in authentication. Biometrics, RFID cards, tokens, and QR codes to name a few.
If you have purchased a smartphone in the last few years you know that facial recognition and/or fingerprint scanning are now standard on most phones.
The Great Password Debate
In the Infosec world, we usually get our guidelines and best practices from NIST. NIST recently published a study on whether recycling passwords worked.
Many businesses require you to change your password every 30 or 45 days and won’t allow you to reuse a password for 12-18 months.
It has been determined that this practice is not effective, meaning it does nothing to improve account compromise.
What it does do is ensure that any unauthorized individual who has gained access with a compromised account will no longer have access once that password is changed.
There have been lots of debates on what makes a secure password. Random letters/numbers/special characters are great but who can remember them?
Using something you can remember makes it easier to crack or even guess the password. I have guessed a network password for a major cable provider’s supposedly secured modem/router.
Things to consider include length, complexity, time until expiration, and account lockout rules.
Password Best Practices for Your Business
Despite the introduction of alternative authentication methods, passwords are still necessary. The alternative methods should be used as multifactor authentication (MFA). Meaning you should use a password and another method.
I will get to those methods in a few paragraphs.
Password Best Practices:
- Use Passwords of at Least 8 Characters – The more the better. For each additional character, the time it takes to brute force the password increases exponentially.A password of 8 lowercase letters can take 5 hours to brute force. By comparison, a password of 12 lowercase characters can take 200 years.
- Use a combination of UPPERCASE, lowercase, numbers, and special characters. Above I mentioned that a password of 8 lowercase characters can be cracked in 5 hours. If you add UPPERCASE, numbers and special characters it will take a lot longer.
- Enforce Complex Password Policies – Requiring (through settings on your network/server/workstations) complex passwords will also greatly decrease the likelihood of a compromise.Complex passwords mean in addition to requiring UPPERCASE, lowercase, numbers and special characters you also avoid dictionary words and variations, proper names, using the account name in the password, and reusing the same or similar passwords.
- Use MFA – there are a few different methods for multifactor authentication available. The most common is the use of a token.It is becoming more popular to use a soft token in corporate environments. Using an app on the employees’ phone that generates a time-based code is a cost-effective method to further secure your network. Keep in mind this is not the most secure of the MFA options but the easiest and least expensive to implement.
Other methods of MFA include a text message, biometrics (retina scanner, fingerprint, facial recognition) and RFID cards.
- Education – Educating your employees is always important when it comes to your business network security and should be included as part of any security policy.Implementing a policy without the proper education is going to prove ineffective.
Educate your employees on why password policies exist, how an account can be compromised and common things to avoid (like the sticky note)
- Additional options might include requiring a password change every 30-60 days, setting work hours (the account cannot log in outside a set time frame) and monitoring for suspicious account activity through log file monitoring.
Get Comfortable with Passwords
Passwords are a necessary evil that is not going away anytime soon. It’s best to get comfortable with having to use them in a secure manner.
One last note. There are websites on the internet dedicated to hosting dictionary files filled with passwords that have been used, Security professionals and not so ethical people can purchase these lists to use for brute force attacks.
I recently discovered that a password I was using was on this list. I don’t normally use the same password in multiple places (call me paranoid) but this password was used in a couple of applications. The password consisted of a nickname of someone I know (that most people would not know) random numbers and a special character.
Needless to say, I do not use this password anymore. Using the exclamation point as your one and only special character seems to be the default for a lot of people. Don’t do it.
I should also note these password suggestions can (and should) be used on most internet applications today (Google, Facebook, PayPal, Banking, etc..)
Bottom line, make peace with passwords. They’re not going anywhere.
This is such an important post. I’ve come across some real horror stories about people being hacked, especially on Instagram.
These are great tips, and I will be sharing this post! Security is so important, especially these days! 🙂
Passwords can definitely be a nightmare!!! I try to follow common rules to have secure passwords. Specially because social media is my business I try to keep my accounts safe, but then even I can’t access them. Uuughh It’s soo frustrating! These are great tips!
Thank You for stopping by!
Me and Password are like that all the time. Everything I use of technology has a password, so that no one would use it like that or even for fun. People will say I have something to hide, yes I do have to hide like my apps related to banking and all.
Most banks have at least SMS verification. I would turn that on if you have not already.
I think that this is such an important topic and not enough talk about it! With each day our technology advances BUT so does the risk of losing important (personal) information. Great post!
I don’t mind having the eight characters, numbers and special characters, I just hate it when my work makes me change the password every 4 months. It makes it hard to remember the passwords when I have to change it so often.
4 months is not that bad. There are places that do it every 30 days. A password manager like Lastpass or Keepass might help
I need a better way to manage my passwords, and I should probably make new more secure ones. But the ones I have right now aren’t too bad I don’t think.
So annoying that we have to be so careful with these things. Dumb people stealing stuff!
There are password managers available (free). Keepass is one you can download and use on your computer and LastPass is a website you can use. Those are my choices but there are plenty of others.
Yes, it’s so important to have good passwords. Mine are all mixtures of things. I have them written down in case I forget, but it’s in a lockbox. I’m always paranoid that people will steal my info so I try to be as safe as I can.
I’m guilty of some not so great passwords, but I’m working to streamline them into a system where they are all different, but hopefully that I can remember. I’ll admit my dependence on browser saved passwords is tremendous. And yes, I love the exclamation point!
Chic on the Cheap
Be careful with browser saved passwords if you’re using a laptop or if someone else has access to your computer.
Passwords are a pain but so needed. Also make sure to not use common answers to your security questions as I did and my email was hacked but thankfully I was on the computer when it happened and I took care of things right away.
I always have problems with a password, but what I did then is I used one password for all accounts I have. I know this is unsafe, but it’s better for me than the headache.
Passwords… the thing I can NEVER remember, haha! After my IG was hacked I change them all the time though!
I have different passwords for everything and I hate it. I honestly cant stand having to use them lol.
Thank you for sharing such valuable information. I have seen the consequences on business of not having a secure password and have what I think is a strong password, however I need to remember to change it more often.
Such a great post and topic! Thank you for sharing!
Great tips!! It’s super important to have a strong password on the internet!
This post made me laugh to myself because just today I had to create a password for something at work that required a letter as the first and last thing and every password I ever have always has a number or symbol at the end and it was beyond a struggle for me to create one. lol But you are so right, passwords are so vital and they really aren’t going anywhere.
Such an incredible post!!! Passwords are definitely tough I see it at my job all the time, people’s lives are havic when they forget them but knowing your options are helpful and these tips are great!
I always try to change mine up but then I forget so then I have to reset them over and over again.
I have got my own style in making my passwords. And I also keep changing them. 🙂
A good password is important and not having the same everywhere is good too but i have so many passwords i can’t even remember them all!
Such an important topic! I hope I’m safe and my account will be not hacked
A couple weeks ago we were at a Penn & Teller show and they did a segment on passwords. It’s interesting how some people still use easy to hack passwords. These are great practices listed for coming up with a password.
Passwords are very necessary as your article implores. I like to set mine in a special way.
I agree passwords are annoying, like my Asian Mom who is also like a police (pun intended!). But they are very helpful, we just have to deal with it for our own good and safety.
I’m OK with passwords. I understand the risk of being online and of course we have to protect ourselves. What I don’t like is when it is way too specific like there should only be 8 characters.
I learned a lot about passwords in this post. I know some of the tips on the list but I learned new ones!
Great tips to remember when creating passwords, which is often. I also have a love-hate relationship with my passwords, especially that I almost always have trouble remembering all of them. But I try to make a complex enough passwords to keep my online accounts more secure.
sometimes I make my passwords so complicated that I forget it myself lol