People today jealously guard their Facebook passwords for fear of a prank-loving brother-in-law logging in as them and posting embarrassing status updates.
But back in the 1960s, Defense Secretary Robert McNamara oversaw the installation of “Permissive Action Links” (PALs) on the ICBMs installed in the US, and the people responsible for setting the codes set them all to “00000000” so that the missiles would be ready to use whether or not the president was able to give authorization. Former Minuteman launch officer Bruce Blair said that, furthermore, the locking panel had to be regularly checked to ensure that no digits except “0” had been inadvertently entered. Scary!
Fact is, smart password practices cost next to nothing and aren’t time-consuming.
So what is a “strong password” and how do you make strong passwords that don’t have to be written down?
“I can’t believe he said I like appletinis. Pink raspberry cosmos are my signature drink!”
Complexity Has to Be Done Right
Password complexity is good, but when told to use special characters, most people draw on the same 40 or so predictable substitutions (like swapping “1” for the letter i), and password crackers know every one of them. Complexity works best when it’s random. It turns out that length matters more than complexity when it comes to defeating password crackers, so increasing the minimum password length to 12 characters can improve password security significantly. This is good news, and it means you don’t have to devise passwords that look like the stand-in comic strip curse words (!%*##$*) from back in the day.
Complexity should mean a case-sensitive combo of letters, numbers, and special characters that’s at least eight characters long. Phrases interrupted by spaces, numbers, or special characters are typically robust, yet easy enough to remember that people aren’t tempted to write them down. Passwords need to be changed regularly too: every 60 days is OK, but every 30 is better.
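To make the two points above concrete, here is an added example (not code from the original article) of a small policy checker. It estimates the brute-force search space of a password from its length and character classes, which shows why a 12-character password drawn from a small alphabet beats an 8-character one drawn from every class, and it catches the predictable “1 for i” style substitutions by normalizing them before a dictionary lookup. The tiny dictionary, the substitution table, and the 12-character minimum are assumptions chosen for the example; a real deployment would load a full wordlist.

```python
import math
import string

# Constructed mini dictionary for the example; a real checker loads a full wordlist.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Assumed table of the usual "leetspeak" substitutions, mapped back to the letter
# they stand in for, so "P@ssw0rd" normalizes to "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

SPECIALS = string.punctuation + " "  # 32 punctuation marks plus the space


def character_classes(pw):
    """Return which of the four classes (lower, upper, digit, special) appear."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }


def charset_size(pw):
    """Size of the alphabet an attacker must brute-force, given the classes used."""
    classes = character_classes(pw)
    return (26 * classes["lower"] + 26 * classes["upper"]
            + 10 * classes["digit"] + len(SPECIALS) * classes["special"])


def entropy_bits(pw):
    """Brute-force search space in bits: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def looks_like_leet_word(pw):
    """True if the password is a dictionary word dressed up with substitutions."""
    core = pw.lower().strip(string.punctuation + string.digits)  # drop "P@ssw0rd!" -> "p@ssw0rd"
    return core.translate(LEET_MAP) in COMMON_WORDS


def check_password(pw, min_len=12, min_classes=3):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sum(character_classes(pw).values()) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if looks_like_leet_word(pw):
        problems.append("dictionary word with predictable substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Ab1!Ab1!", "abcdefghijkl", "correct horse 4 battery"]:
        print(f"{candidate!r:28} {entropy_bits(candidate):6.1f} bits  {check_password(candidate)}")
```

Running it shows that `abcdefghijkl` (12 lowercase letters, about 56 bits) has a larger search space than `Ab1!Ab1!` (8 characters from all four classes, about 53 bits), and that `P@ssw0rd!` is flagged as a disguised dictionary word even though it uses every character class.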
Don’t Reuse Passwords
This is one case where recycling is bad. Reusing the same password across multiple systems can turn a minor data bleed into a rushing hemorrhage. When an employee’s personal Twitter password is hacked, it’s one thing, but when that Twitter password is the same one he uses across the entire company network, it can turn into a security nightmare. Make sure your end-users understand this.
When It’s OK to Lie
Remind end-users that crossing their fingers removes moral culpability for lying on their password reset answers.
Urge people to lie on the answers to their password reset questions. A little casual research can yield a mother’s maiden name or a pet’s name. And since Carl in Fluid Dynamics has told everyone repeatedly about the 1966 Corvette he bought when he got his first job, his password reset answer (first car) is obvious. It’s better for people to pick a reset answer for each website consisting of an unrelated root phrase that’s meaningful to the user, varied slightly for each site.
Passwords and Mobile Devices
A lost or stolen mobile device can be a huge headache for your organization. Require staff to use a device lock feature that times out after a couple of minutes of inactivity. If your organization has a BYOD policy, don’t let employees bring jailbroken iPhones or rooted Android devices, because these bring increased security risks. You should also have a policy that users must sign out of and exit business apps when they’re not using them rather than leaving them running in the background. It’s a hassle, but it can save your organization from bigger problems later.
Keep in mind that you can have the best password policy in the world, but even with mature authentication systems and lockouts for failed attempts, the weak link is still the end-user’s trusting nature. Handing a strong, complex password to a social engineer can undo all your hard work in an instant. Educating every end-user about social engineering attacks should be part of your organization’s password strategy.
In summary, the following can take a risky password policy and strengthen it considerably without your having to spend much time or money:
• Increase minimum length of end-user passwords to 12 characters
• Encourage end-users to answer reset questions untruthfully
• Keep software up-to-date to ensure you have the latest security fixes
• Bust users who use plain text passwords on your network
• Educate end-users on creating strong passwords
• Educate end-users on social engineering and how to avoid being victims