Did you know that specialized computers can crack an 8-character password in 6 hours?
If there’s one thing that hackers have an ample amount of, it’s patience. And yes, your organization is vulnerable; many small businesses serve as vectors into larger corporations, and cybercriminals tend to pursue the path of least resistance to reach their goal (Target, for example, was breached by way of its HVAC vendor).
With all these frightening facts floating around, you can imagine that we’ve gotten quite a few questions from concerned clients about how to establish an effective password policy within their organization. It’s a question we love to hear, since it means that the organization is already making its way down the path to comprehensive network security.
Below we’ll walk through basic password best practices, along with the most important elements of a successful password policy.
What makes a strong password?
Before you can put a password policy together, you have to know what a strong password actually looks like. There are several best practices as far as password creation goes:
- Variety. Never use similar passwords across multiple accounts—this is a hacker’s dream since it creates a very real single point of failure.
- Length. Set a ten character minimum for your network passwords.
- Characters. Require a combination of symbols, letters, and numbers (yes, all of them).
- Authentication. If available, use 2-factor authentication for sensitive data. The most common form is a password followed by a security question.
- Changes. Or, rather, the lack thereof. Forcing too many password changes will lead to confusion, and to risky practices like folks writing them down on Post-It notes, and often leaving them in obvious places like the side of their monitor.
What are the key elements of a successful password policy?
Once you have a sense of what your network passwords need to look like, you can begin to enforce your password policy. There are two main elements to this:
- Training. Your password policy means nothing if your staff doesn’t know about it. Train your existing employees on creating proper passwords. If you have to bring in an outside resource to make your point (we’ve had clients go so far as to bring in FBI agents), do it. Make it part of your employee onboarding process. Work with your IT team to set parameters so that your system recognizes and rejects passwords that don’t follow your policy. Make security a part of your corporate culture, and make no exceptions to the rules that you’ve established.
- Tools. If you find yourself hearing groans along the lines of “How in the world am I supposed to remember all of these crazy passwords?!” chances are you aren’t setting your team up with the right tools. One good strategy for remembering complex passwords is to base your characters on a short phrase. For example, “the school bus will be here at 4pm” translates to the password “tsbwbh@4pm.” (This is also far more secure than more predictable letter/symbol swaps, like using “@” in place of “a,” and “!” in place of “i.”) Another effective method is providing your team with password management software to keep all of their passwords straight; a few solid options are 1Password, DashLane, and PasswordBox.
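As an added example (not code from the original post), here is a small Python policy check of the kind the Training item describes. It enforces the post’s ten-character minimum and letter/number/symbol mix, accepts the phrase-derived password from the Tools item, and rejects a dictionary word dressed up with the predictable “@” for “a” style swaps the post warns against. The common-word list is a constructed stand-in for the breached-password list a real deployment would load.

```python
import re
from typing import List

MIN_LENGTH = 10  # the post's ten-character minimum

# Constructed sample: a tiny stand-in for the common/breached-password list
# a real deployment would load from a file.
COMMON_WORDS = {"password", "welcome", "letmein", "schoolbus", "qwerty"}

# Predictable letter/symbol swaps the post warns about ("@" for "a", "!" for "i", ...).
# Undoing them lets the check see the plain word underneath.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbols")
    # Reverse the common swaps and keep only letters; if a known word is left,
    # the symbols were only decoration ("P@$$w0rd!!" hides "password").
    undone = re.sub(r"[^a-z]", "", pw.lower().translate(LEET_MAP))
    if any(word in undone for word in COMMON_WORDS):
        problems.append("dictionary word with predictable substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ["tsbwbh@4pm", "P@$$w0rd!!", "short1!", "abcdefghijkl"]:
        verdict = check_password(candidate)
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```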
As you can see, it will take a little bit of elbow grease to set your policy in motion, and you might find yourself up against some resistance while your team adjusts to the changes.
But, given what’s at stake, the effort is more than worth it.