Importance of Password Policy

One of the foundations of computer security is the idea of authentication factors. Multifactor authentication combines two or more of three basic kinds of factor: something you know, something you are, and something you have.

Something You Know – a password, a PIN, a one-time code

Something You Are – a retina scan, a fingerprint, DNA

Something You Have – a smart card, a USB token, a magnetic-strip card

A system that requires all three kinds of factor is considered reasonably secure as far as logins are concerned, but most systems don't use multifactor authentication at all. Most organizations rely heavily on passwords because they are the cheapest and easiest factor to deploy. Biometric readers for retina or fingerprint data can be very expensive and usually require the user to be physically present. Smart cards, USB tokens, and magnetic-strip cards can be misplaced or stolen. That leaves passwords as the most cost- and time-effective way to authenticate to a system, as long as the user doesn't keep theirs on a sticky note under the keyboard.

Passwords have been a contentious subject for many different groups, and for good reason: when the password is the only factor, it is the single point of failure for user authentication, and nobody can agree on how complex or simple it should be. Should a password mix uppercase, lowercase, digits, and special characters? Should it be several random words strung together? The Internet has plenty to say about this, and the results are often hilarious.

Whatever side of the tracks your opinion lies on, one truth holds for passwords and their weaknesses: when your password gets cracked, it will be by a machine, not a person. The odds of a random person on the Internet stumbling across your account and guessing at the password by hand until they get in are low; it is slow, inefficient, and quite frankly a waste of their time. Attackers instead take a database of leaked password hashes and run cracking software against it offline, testing candidate passwords from wordlists and mangling rules against every hash in the dump at once, and they are fast, especially when the application stored fast, unsalted hashes. There is an even easier route, which beats programmatic cracking in both effort and speed: crawl the Internet for systems and devices that are still using their factory default credentials, e.g. admin/admin.
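To make the "machine, not a person" point concrete, here is an added example (not code from the original Data102 post) of how an offline dictionary attack works against a dump of unsalted SHA-1 hashes, and how much more work the same attack costs when each password is stored with a per-user salt and a slow key-derivation function. The leaked records, the wordlist, and the mangling rules are all constructed for the demo; real dumps and wordlists run into the millions, but the shape of the attack is identical.

```python
"""
Added example, not from the original post: why cracking is a machine's job,
and why the stored hash format decides how cheap it is.

The "leaked" records, wordlist and mangling rules are constructed for this
demo. Real dumps hold millions of rows and real wordlists tens of millions
of entries, but the attack has the same shape.
"""
import hashlib
import os
from typing import Any, Dict, List, Tuple

# Constructed dump from an application that stored UNSALTED SHA-1 hashes.
LEAKED_UNSALTED: Dict[str, str] = {
    "alice": hashlib.sha1(b"password1").hexdigest(),
    "bob":   hashlib.sha1(b"Summer2013!").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
    "dave":  hashlib.sha1(b"admin").hexdigest(),
}

# Tiny constructed wordlist.
WORDLIST = ["password", "admin", "letmein", "summer", "winter", "qwerty"]


def mangle(word: str) -> List[str]:
    """Cracker-style mangling rules: case changes, digit/symbol suffixes, years."""
    variants = {word, word.capitalize(), word.upper()}
    for base in list(variants):
        variants.add(base + "1")
        variants.add(base + "123")
        variants.add(base + "!")
        for year in range(2010, 2016):
            variants.add(f"{base}{year}")
            variants.add(f"{base}{year}!")
    return sorted(variants)


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """
    Attack on unsalted hashes. Each candidate is hashed ONCE and looked up
    against every account, so the work is proportional to the number of
    candidates and does not grow with the number of victims.
    Returns (cracked accounts, number of hash computations).
    """
    by_digest: Dict[str, List[str]] = {}
    for user, digest in leaked.items():
        by_digest.setdefault(digest, []).append(user)
    cracked: Dict[str, str] = {}
    hash_calls = 0
    for word in wordlist:
        for candidate in mangle(word):
            hash_calls += 1
            digest = hashlib.sha1(candidate.encode()).hexdigest()
            for user in by_digest.get(digest, []):
                cracked[user] = candidate
    return cracked, hash_calls


def store_salted(password: str, iterations: int = 600_000) -> Dict[str, Any]:
    """
    What the defender should store instead: a random per-user salt and a slow
    KDF (PBKDF2-HMAC-SHA256 here; bcrypt, scrypt or Argon2id are also fine).
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iters": iterations, "hash": dk.hex()}


def crack_salted(leaked: Dict[str, Dict[str, Any]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """
    The same attack against salted, slow hashes. The per-user salt removes the
    shared lookup, so every candidate is re-derived for every account, and each
    derivation costs `iters` HMAC rounds instead of a single SHA-1.
    Returns (cracked accounts, number of KDF computations).
    """
    cracked: Dict[str, str] = {}
    kdf_calls = 0
    for user, rec in leaked.items():
        salt = bytes.fromhex(rec["salt"])
        for word in wordlist:
            for candidate in mangle(word):
                kdf_calls += 1
                dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rec["iters"])
                if dk.hex() == rec["hash"]:
                    cracked[user] = candidate
                    break
            if user in cracked:
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    got, calls = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted SHA-1: cracked {got} with {calls} hash computations")
    # Low iteration count only so the demo finishes quickly; production uses the default above.
    salted_db = {u: store_salted(p, iterations=2_000)
                 for u, p in [("alice", "password1"), ("carol", "correct horse battery staple")]}
    got_s, calls_s = crack_salted(salted_db, WORDLIST)
    print(f"salted PBKDF2: cracked {got_s} with {calls_s} KDF calls of 2000 rounds each")
```

Note what the salt and the slow KDF do and do not buy you: "password1" and "admin" still fall to the wordlist either way. Salting stops one hash computation from testing every account at once, and the iteration count makes each test thousands of times more expensive, but neither rescues a password that is in the attacker's list to begin with. That is why the policy advice below matters as much as the storage format.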

A story broke in late 2013 about a family who awoke in the night to the sound of an intruder, which turned out to be someone who had accessed their daughter's IP-based webcam. The part of the story the media carefully left out was that the parents had set the webcam up with its factory password and exposed it directly to the Internet, not knowing that factory passwords are public information. PROTIP: they very much are; they ship in the manual and are collected in searchable lists online. More likely still, their router was left at factory settings as well, passing traffic from the Internet on all ports. This is equivalent to leaving the front door of your house open 24/7 because it makes it easier to get in and out. So the short answer to the question of what criteria to base your password policy on is simply: "Don't be those guys."

Our knowledgeable technicians here at Colorado's top data center, Data102, have some helpful tips of their own for choosing a good password. There are a few hard and fast rules to live by when creating passwords that will keep a user safe from unauthorized access across the board:

  • Maximum complexity isn't necessary, but avoid any words that reference your personal life: names, pets, birth years, employers, teams. Like real-life intruders, malicious users on the Internet do their homework too, and that information goes straight into their wordlists.
  • Still, make your passwords as long and as complex as you can reliably remember. Length buys more than symbol substitutions; swapping "a" for "@" is a rule every cracker already applies.
  • Change any password immediately if you suspect it has been exposed. Rotating every 1-3 months is the traditional advice; be aware that current NIST guidance (SP 800-63B) recommends against forced periodic changes, because users respond with predictable variations of the old password.
  • Use a different password for every account. A single shared password becomes a single point of failure, and there is a huge difference between someone reading old e-mail and someone having their way with your bank account.
  • If you have trouble with any of this, enlist a password manager to do the heavy lifting. Password managers are a godsend for system administrators, and for anyone with a horrible short-term memory.
  • Even if you believe your newly created password is safe, our experts still suggest putting anti-spam protection in place for your email accounts, since much of the phishing that steals passwords arrives by email. DirectMX, for example, adds another thick locked gate for intruders to break through if getting into your email account is on their to-do list. Don't make the job easy for the bad guys; add another lock to the mix with anti-spam filtering.
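The rules above can be enforced rather than just recommended. Here is an added example (not code from the original post) of a password-policy check that rejects factory defaults, known-breached passwords, and passwords built from the user's own profile, with common leetspeak substitutions undone before comparing. The profile fields, the breached-password list, and the default-credential list are constructed for the demo; a real deployment would check against the full Have I Been Pwned hash corpus and a vendor default-credential list, and would enforce the per-account uniqueness and rotation rules at the account level rather than in this function.

```python
"""
Added example, not from the original post: a policy check that turns the
rules above into code. The profile, breached-password list and
default-credential list are constructed for the demo.
"""
import re
import unicodedata
from typing import Dict, List

# Constructed lists; the real ones are far longer.
DEFAULT_CREDENTIALS = {"admin", "password", "root", "1234", "12345", "default", "changeme"}
KNOWN_BREACHED = {"password1", "qwerty", "letmein", "iloveyou", "summer2013"}

# Common leetspeak substitutions that an attacker's mangling rules undo anyway.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def plain(s: str) -> str:
    """Lowercase, strip accents, keep only ASCII letters and digits."""
    s = unicodedata.normalize("NFKD", s).lower()
    return re.sub(r"[^a-z0-9]", "", s)


def forms(password: str) -> List[str]:
    """The password normalized as typed, and with leetspeak undone."""
    return [plain(password), plain(password.translate(LEET))]


def personal_tokens(profile: Dict[str, str]) -> List[str]:
    """Tokens from the user's profile that 'do your homework' attackers try first."""
    tokens = set()
    for value in profile.values():
        for tok in re.split(r"[\s@._-]+", value):
            tok = plain(tok)
            if len(tok) >= 3:
                tokens.add(tok)
    return sorted(tokens)


def check_password(password: str, profile: Dict[str, str], min_length: int = 12) -> List[str]:
    """Return every policy violation; an empty list means the password is accepted."""
    problems: List[str] = []
    variants = forms(password)
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if any(v in DEFAULT_CREDENTIALS for v in variants):
        problems.append("is a factory default or trivially guessed value")
    if any(v in KNOWN_BREACHED for v in variants):
        problems.append("appears in a known password breach")
    for tok in personal_tokens(profile):
        if any(tok in v for v in variants):
            problems.append(f"contains personal information ({tok})")
    return problems


if __name__ == "__main__":
    # Constructed user profile.
    jane = {"name": "Jane Doe", "email": "jane.doe@example.com", "pet": "Rex", "born": "1985"}
    for candidate in ["admin", "P@ssw0rd1", "J@neD0e1985!!", "correct horse battery staple"]:
        verdict = check_password(candidate, jane) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The leetspeak folding is the part worth copying: "P@ssw0rd1" looks complex to a rule that counts character classes, but it normalizes to "password1", which is in every breach list, and "J@neD0e1985!!" is just the user's name and birth year with decoration. A checker that only counts uppercase, digits, and symbols passes both.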