
Password Management Is Key To Protecting Your Organization's Data

Nov 9, 2015 6:30:00 AM

Target. Home Depot. eBay. The U.S. Government. The list of organizations with data breaches seems to be growing exponentially. One of the top ways companies were hacked in 2014 was through employee credentials. This means employee passwords aren’t strong enough and companies aren’t utilizing proper password management procedures. What are you doing to protect your organization’s data?

What Constitutes A Strong Password?

Unfortunately there are still many people using incredibly weak passwords. Consider this report from CNET on the worst passwords for 2014.

What are the common password pitfalls? Microsoft encourages users to avoid the following:

  • Personal identity information that could be guessed or easily discovered, like pet names, nicknames, birth date, address, or driver's license number.
  • Dictionary words in any language, including the word "password", the most common password in the English language!
  • Words spelled backwards, abbreviations, and common misspellings.
  • Common letter-to-symbol conversions, such as changing "o" to "0" or "i" to "1" or "!".
  • Sequences or repeated characters. Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard such as qwerty.

There are numerous resources available to guide you on creating strong passwords. Don’t leave it up to your employees to find the tips; provide them with the guidance on creating strong passwords to protect themselves and your organization.

CNET describes the ideal password as “at least 16 characters, and contain a combination of numbers, symbols, uppercase letters, lowercase letters, and spaces. The password would be free of repetition, dictionary words, usernames, pronouns, IDs, and any other predefined number or letter sequences.” Do your passwords meet these criteria? Do you think your employees’ passwords do? Most likely not.
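The pitfalls in the Microsoft list and the CNET criteria above can be checked automatically when a password is set. The following is an added example, not code from Microsoft, CNET or this article; the tiny `WORDLIST`, the `LEET` substitution map, the run length of 4 and the function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist; a real deployment would load a large dictionary
# plus lists of passwords known from breaches.
WORDLIST = {"password", "dragon", "monkey", "welcome", "football"}
# Common letter-to-symbol conversions, mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                      "@": "a", "5": "s", "$": "s", "7": "t"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_run(pw, n=4):
    """True if pw has n repeated, sequential or keyboard-adjacent characters."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if len(set(chunk)) == 1:                      # 2222
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):                      # abcd, 4321
            return True
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True                               # qwer, lkjh
    return False


def check_password(pw, personal=()):
    """Return the rules from the text that pw breaks (empty list = passes)."""
    problems = []
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    # Lowercase, uppercase, number, symbol and space must all be present.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9\s]", r" "]
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing a character class")
    # Undo symbol swaps, then look for dictionary words forwards and backwards.
    plain = pw.lower().translate(LEET)
    letters = re.sub(r"[^a-z]", "", plain)
    if any(w in letters or w[::-1] in letters for w in WORDLIST):
        problems.append("contains a dictionary word")
    # personal: caller-supplied strings such as pet names or birth dates.
    if any(p and p.lower() in pw.lower() for p in personal):
        problems.append("contains personal information")
    if has_run(pw):
        problems.append("contains a sequence or repeated characters")
    return problems
```

Undoing the symbol swaps before the dictionary lookup is what makes `P@ssw0rd` fail the same rule as `password`.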

Here are a few resources to get you and your employees on the path to stronger passwords:

Password Management Policies

Aside from creating strong passwords, your organization also needs to pay attention to the password management procedures in place. The Online Trust Alliance offers up the following suggestions for enforcing effective password management policies:

  • Use multi-factor authentication (e.g. one-time PINs) for access to administratively privileged accounts. Administrative privileges should be unique accounts and monitored for anomalous activity and should be used only for administrative activities;
  • Require users to have a unique password for external vendor systems and refrain from reusing the same password for internal system and personal website logins;
  • Require strong passwords comprised of an 8-character minimum including a combination of alphanumeric characters, and force password changes every 90 days with limited reuse permitted;
  • Deploy a log-in abuse detection system monitoring connections, login counts, cookies, machine IDs, and other related data;
  • Avoid storing passwords unless absolutely necessary and only store passwords (and files) that are protected or encrypted;
  • Remove or disable all default accounts from all devices and conduct regular audits to ensure that inactive accounts can no longer access your infrastructure;
  • Remove access immediately for any terminated employees or any third parties or vendors that no longer require access to your infrastructure.

Don’t be the next name on the list of data breaches. Educate your employees on creating strong passwords and implement company-wide policies for effective password management.


Written by Gibson

Gibson is a team of risk management and employee benefits professionals with a passion for helping leaders look beyond what others see and get to the proactive side of insurance. As an employee-owned company, Gibson is driven by close relationships with their clients, employees, and the communities they serve. The first Gibson office opened in 1933 in Northern Indiana, and as the company’s reach grew, so did their team. Today, Gibson serves clients across the country from offices in Arizona, Illinois, Indiana, Michigan, and Utah.