Common password policy problems

December 25, 2013 

The security of your information and business in general is likely something that you are concerned, if not worried, about and rightfully so. While it is true that many businesses have adequate security systems in place, the weakest link is often the password. In an effort to ensure that passwords remain secure, many companies adopt password policies. But are these policies really effective?

If you are in the process of implementing a password policy, or are looking for a way to ensure that your business is as secure as possible, you need to be aware of at least four common password policy pitfalls.

1. Complex password requirements aren't complex at all…

One of the most common elements of a password policy is the requirement that passwords be complex. Many require that the password has at least one number, or a special character like '!' or '&', and possibly even a capital letter.

While this may seem like it serves to make passwords more complex, many users will often use a simple password and replace words with a character, or add it at the end. This really doesn't make the passwords complex, it just makes them more difficult to guess.

Because so many systems have these requirements in place, hackers have started to include these factors when they develop password crackers. This means that they are still able to guess many passwords relatively quickly.

2. Lack of a lock-out…

A common way hackers get into systems is through a method called brute force. This is essentially entering different passwords and variations until you come across the correct password. While this method can take a while, if your password sys

tem doesn't have a lock-out rule -- whereby the account becomes locked after a set number of failed attempts -- you will eventually see a security breach.

3. Password changes are forced too often…

In order to keep systems secure, many companies force their users to change their passwords on a regular basis - usually every 90 days. While this is a good idea, some take it a bit too far, for example forcing employees to change passwords every two weeks.

This may seem like a good idea, but all it does is encourage users to pick easy to remember passwords. And, any password that is easy to remember is likely easy to guess too.

4. Only focusing on digital passwords…

Because the number of password protected systems we use is increasing, many business users are struggling to remember all of the passwords they use. When this happens, the easiest solution is write to them down.

When making a note of passwords, most people don't take any steps to hide them, often leaving a sticky note attached to their monitor or written in a notebook casually left open on their desk. Needless to say, this is a real security issue.

How should I ensure a strong password policy?

Here are four actions you can take to ensure not only stronger passwords, but a policy that is effective.

1. Try using passwords that are sayings and have spaces. Believe it or not, a random saying like "rude horses get pizza" is actually far more secure than any one word password with characters. Take a look at this XKCD comic for an interesting graphic on passwords.

2. In order to minimize passwords and systems falling to brute force attacks, you should set a lock-out rule. It should be fair in that you shouldn't lock users out of their accounts if they fail one attempt. Most companies using this method set a limit of 3 to 5 attempts.

3. You should ensure that your passwords are changed on a regular basis - most companies set every 90 days, and this is fine. In order to maximize security, it is a good idea to set it so that the same password and numbers can't be used, because most employees will just enter another number or character at the end or beginning. In other words, ensure the password is as different as possible.

4. The most obvious point is to remind your employees not to write their passwords down and leave them in an easy to find area. If they have to write passwords down, tell them to use a code or even hide the piece of paper/lock it away in a secure safe. The other step you could implement is two-factor authentication, such as a user needing to enter a numerical code or piece of information when trying to access a system. Implementing a system like this and recording it in the policy will greatly reduce the chances of your passwords being stolen.

David Spire, president and CEO of United Systems, holds multiple professional certifications. He can be reached at 941.721.6423 or by email at david.spire@uscomputergroup.com.

Bradenton Herald is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service