Back to the Basics: System Accounts - Passwords
Everyone talks about passwords and how important they are. It is true; passwords are usually the only form of security between you and your crown jewels. Yet the power of a password is under-appreciated. Your average computer user reminds me of a homeowner hiding a key outside their house in case they lock themselves out. Most people who do this hide it in a very obvious place, like under the front door mat or in a hide-a-key ceramic animal. When everyone does this, it is no longer a secret.
The same scenario applies to passwords. Using a password such as “123456”, the name of one of your “favorite” children or your assigned user name is just like putting your key under the front door mat of your house. The difference between the two scenarios is that a burglar has to be physically in front of your house, whereas a cyber attacker can be anywhere in the world, constantly trying to pick your lock without you ever knowing (depending on your security posture, of course). When a major company is breached, the last thing anyone wants is to be the owner of the user name that was used to steal the data. Just as with that key, if you put a little effort into making the hiding place unique, you make the hackers’ job far more difficult and they may move on down the street.
So, to make it tougher for the hacker, let us split up what the two main types of computer users should be doing:
Dos and Don’ts for Administrators:
- Make sure the system is set up to demand the following password requirements:
  - A minimum of 8 characters
  - Both upper and lower case letters
  - At least one number
  - At least one special character, such as an exclamation point or an “at” symbol
  - Passwords must be changed every 60 days (30 days for higher security)
  - The last 6 passwords cannot be reused
- Do not use easily determined information about you, such as names of friends or family, birth dates, and the like
- Plan a “walk around” to see whether your users are writing their passwords down to remember them because they are changing them every 30 to 60 days (check under the keyboard)
- Configure two-factor authentication, where your users must know something and have something, to strengthen your security. In most scenarios it is not that difficult to set up and manage.
Dos and Don’ts for Users:
- Choosing a password:
  - No real words you would find in a normal dictionary
  - No combinations of words (for example, theprettydog is a bad password)
  - Pick the first letter (or the second or last letter) of every word in a sentence or phrase (do not leave the phrase on your keyboard or desk for everyone to see)
  - Replace certain letters with numbers or characters; for example, the letter “I” or “L” could become a “1”, or an “S” could become a “5”
  - If you are a music person, treat your keyboard as a piano and type the first few notes of a song
  - If you are a pattern person, create a fancy pattern on your keyboard
  - Create a beat with your fingers and apply the beat to the keyboard (this can be difficult the first few days, but very easy to remember after that)
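The administrator requirements and the user “choosing a password” rules above can be enforced in one place when a password is set. The following Python is an added example, not code from the original post; the word list, user name, password history and the SHA-256 history hash are constructed, illustrative values.

```python
import hashlib
import string
from functools import lru_cache

# Constructed sample word list; a real deployment would load a full dictionary file.
SMALL_DICTIONARY = frozenset({"the", "pretty", "dog", "password", "welcome", "summer"})

# Tunables taken from the administrator rules above.
MIN_LENGTH = 8
HISTORY_DEPTH = 6


def hash_password(password: str) -> str:
    """Hash so the history list never stores old passwords in clear text
    (illustrative; a production system would use a slow, salted hash such as bcrypt)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_word_combination(password: str, dictionary=SMALL_DICTIONARY) -> bool:
    """True if the lower-cased password is one dictionary word or a run of them,
    so 'theprettydog' is rejected just like 'password'."""
    text = password.lower()

    @lru_cache(maxsize=None)
    def splittable(i: int) -> bool:
        if i == len(text):
            return True
        return any(text.startswith(w, i) and splittable(i + len(w)) for w in dictionary)

    return bool(text) and splittable(0)


def check_password(candidate: str, username: str, history_hashes: list) -> list:
    """Return the rules the candidate violates; an empty list means it is acceptable.
    history_hashes holds hash_password() values of previous passwords, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if username and username.lower() in candidate.lower():
        problems.append("contains the user name")
    if is_word_combination(candidate):
        problems.append("dictionary word or combination of words")
    if hash_password(candidate) in history_hashes[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems
```

Only the last 6 history hashes are consulted, so older passwords become eligible again exactly as the policy above states.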
If you want to increase the level of password security, there are plenty of free and commercial encrypted password storage applications (password managers) for phones, web browsers, and so forth. These programs can even generate a random password and store it for you.
According to Apple’s article, “The worst password of all is no longer ‘password’ according to hacked accounts chart”, many organizations that have been hacked do not require the minimums we have listed, such as 8 characters, special characters, or a mixture of numbers and letters. It is time to face the music: it is the small stuff, easily forgotten or perceived as burdensome, that can make a huge difference.