Tuesday, October 15, 2019

Modern Password Security Policies

How secure are your passwords? 
Today's passwords need to be a lot more complicated to be effective.

by Merlin Benningfield, Managing Partner - Fast Rhino, LLC

Pull your house key out of your pocket and take a good look at it. Now put it back in your pocket and grab a pen and paper. Could you draw the notches or teeth exactly as they appear on your key?  Most people answer that question with a resounding, "Of course not!".  My next question is, "Why?".  The answer is because the notches in the key are complicated, and for good reason. 

Passwords are modern day keys. No one expects people to remember the exact shape of their house keys, so why do people think they should somehow remember their passwords, especially since most of them have several?  If you have a password that you can remember, chances are it isn't a very good one.  

Let's look at some modern password policies you should be following today (bear in mind that based on how fast technology is moving, this list will need to be updated regularly):

Password Length: 12-14 characters (the old requirement of 8-character passwords is easily broken by computers now).

Character Types: You should use all of the following types of characters in your password: 
  • Upper case letters
  • Lower case letters
  • Numbers
  • Special Characters ($, @, *, ?, etc.)

Uniqueness: It is not recommended that you use the same password twice, since it is common that once a hacker has successfully stolen a password, they immediately try using it elsewhere.

How often do I change them?: As a rule, you should be changing your passwords once every 90 days to help defend against data breaches. Companies are targeted by hackers all the time, and if you have an account with one of these companies and their network is breached, it's possible your account information (username and password) is stolen and then sold on the dark web. No matter how complicated your password, a data breach could reveal it. The idea is that if you are regularly changing your passwords, a data breach might not affect you, since it takes time to steal, distribute and then use the stolen account data. Most data breaches include millions of records, so the criminals don't usually use them right away, and this gives you the chance to have changed them before they can be used against you.
Documenting all your passwords in an organized fashion so that you can easily find them is a good idea, but keeping that list safe is important. Password managers can also be a good way of storing and accessing your passwords, but many are cloud-based, which should also be a consideration regarding security.
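The rules above (12+ characters, all four character classes, no reuse, rotation every 90 days) can be enforced mechanically. The following is an added example, not code from the article or from Fast Rhino; the function and class names, the special-character set and the salted-hash history are my own assumptions about how such a checker would be built.

```python
import hashlib
import secrets
from datetime import date, timedelta

# Policy values from the article: 12-14+ characters, all four character
# classes, no reuse, rotate every 90 days.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
SPECIALS = set("$@*?!#%^&-_=+.,:;")  # constructed set; the article lists $ @ * ? "etc."

def check_policy(password: str) -> list:
    """Return the list of policy rules the password violates (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems

def password_fingerprint(password: str, salt: bytes) -> str:
    # Slow, salted hash so the reuse history never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

class PasswordHistory:
    """Tracks past fingerprints (to block reuse) and the date of the last change."""
    def __init__(self):
        self.salt = secrets.token_bytes(16)   # constructed per-user salt
        self.fingerprints = []
        self.last_changed = None

    def is_reused(self, password: str) -> bool:
        return password_fingerprint(password, self.salt) in self.fingerprints

    def set_password(self, password: str, today: date) -> list:
        problems = check_policy(password)
        if self.is_reused(password):
            problems.append("password was used before")
        if not problems:  # only accept and record a compliant, fresh password
            self.fingerprints.append(password_fingerprint(password, self.salt))
            self.last_changed = today
        return problems

    def rotation_due(self, today: date) -> bool:
        return self.last_changed is None or today - self.last_changed > timedelta(days=MAX_AGE_DAYS)
```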

The bad guys are not sitting in their underwear late at night lounging around in their grandmother's basement trying to break into your account one password attempt at a time. They've gotten a lot smarter and are now using supercomputers with extremely fast processors running brute force algorithms. In summary, the majority of passwords we used last decade are not strong enough to stop these brute force attacks. If we want to protect ourselves, we have to change our defensive computing strategies.
