Best Practices for Passwords

Passwords are the frontline of defense against cyberattacks. No matter how extensive your other security measures may be, if your password policy is weak, you will be extremely vulnerable. While nobody likes password policies, they are necessary until other means of authentication (such as biometrics) become universal. Until that time, companies need to be aware of what strengthens a password and what can weaken a password. Here is a summary of some of the best industry practices for developing passwords.

Avoid Common Passwords

Did you know experts have discovered that 30% of users have passwords from the list of the most common passwords? That means that almost 1 in 3 users has a password that can easily be cracked, because hackers are going to try those common passwords.

According to Keeper Security, the 25 most common passwords of 2016 were:

1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321
11. qwertyuiop
12. mynoob
13. 123321
14. 666666
15. 18atcskd2w
16. 7777777
17. 1q2w3e4r
18. 654321
19. 555555
20. 3rjs1la7qe
21. google
22. 1q2w3e4r5t
23. 123qwe
24. zxcvbnm
25. 1q2w3e

If one of your employees is using a common password, they have made your system vulnerable.

Users should never be allowed to use a password that includes their username or email address. They should not be using passwords that contain the company’s name or URL. These, again, are easy for hackers to uncover and represent a major vulnerability. In addition, passwords such as “user” or “password” should always be blocked from use.

Enforce an Effective Minimum Password Length

Many people think that as long as their password has a number, an uppercase letter, and a symbol it is secure, but many experts argue that length is actually the key to a good password. Every extra character multiplies the number of combinations an attacker has to try, so a longer password holds up far better against brute-force guessing than a shorter one, and the most commonly used, and thus most easily cracked, passwords tend to have fewer than 8 characters. A password for a normal user should be a minimum of 10 characters; for an administrator or other critical user, passwords should be a minimum of 15 characters.

Avoid Predictability

This password would meet the minimum length rule: ‘xxxxxxxxxx.’ Do you see anything wrong with it? Computer scientists would say that it lacks entropy, or unpredictability: it is ten characters long but carries almost no information, and a guessing tool that tries repeated characters will find it immediately. The simplest way to keep users from choosing passwords that lack entropy is to require a minimum number of distinct characters.

Also, avoid passwords made up of characters that are adjacent on the keyboard, such as ‘asdfgh’ or sequences of numbers such as ‘1234567890.’ Even though that last password has 10 characters, it is a trivial password that hackers will try.
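The three rules above (block the common list and identity-derived strings, enforce a minimum length, reject low-entropy and keyboard-sequence passwords) are easiest to apply consistently in code at the point where a password is set. The following checker is an added example, not code from the original page or from IT Services Group; it uses the 25 passwords listed above as its blocklist, and the distinct-character threshold, the four-key run length and the US keyboard layout are assumptions chosen for illustration.

```python
# Added example (not from the original page): a password-policy check that enforces
# the rules described above. Thresholds marked "assumption" are illustrative choices.

# The 25 most common passwords of 2016 listed above, plus "user"; a real deployment
# would load a far larger blocklist (for example, one built from breach dumps).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm",
    "1q2w3e", "user",
}

# Rows of a US keyboard (assumption); runs of adjacent keys in either direction,
# including digit sequences such as "1234567890", count as predictable.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH_USER = 10      # from the page
MIN_LENGTH_ADMIN = 15     # from the page
MIN_DISTINCT_CHARS = 5    # assumption: the page only asks for "a minimum number"
KEYBOARD_RUN_LENGTH = 4   # assumption: four adjacent keys is already predictable


def has_keyboard_run(password: str, run_len: int = KEYBOARD_RUN_LENGTH) -> bool:
    """True if the password contains run_len adjacent keys from one keyboard row,
    read forwards (asdf) or backwards (fdsa)."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            run = row[i:i + run_len]
            if run in low or run[::-1] in low:
                return True
    return False


def check_password(password: str, username: str = "", email: str = "",
                   company_terms: tuple = (), admin: bool = False) -> list:
    """Return the list of policy violations for a candidate password.

    An empty list means the password passes every rule on this page: it is not on
    the common-password list, does not contain the username, e-mail address or
    company name, is long enough for the account type, has enough distinct
    characters, and contains no keyboard or numeric run.
    """
    violations = []
    low = password.lower()

    min_len = MIN_LENGTH_ADMIN if admin else MIN_LENGTH_USER
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")

    if low in COMMON_PASSWORDS:
        violations.append("on the common-password blocklist")

    # Identity-derived terms: the username, the full e-mail address, its mailbox
    # part, and any company names or domains the caller supplies.
    identity_terms = [username, email, email.partition("@")[0], *company_terms]
    for term in dict.fromkeys(t.lower().strip() for t in identity_terms):
        if len(term) >= 3 and term in low:   # skip empty and trivially short terms
            violations.append(f"contains identifying term {term!r}")

    if len(set(low)) < MIN_DISTINCT_CHARS:
        violations.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")

    if has_keyboard_run(password):
        violations.append("contains a keyboard or numeric sequence")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs: a fictitious user jsmith at the fictitious company acme.
    for pw in ("xxxxxxxxxx", "1234567890", "jsmith2024!!", "Correct-Horse-Battery-9"):
        result = check_password(pw, username="jsmith", email="jsmith@acme.example",
                                company_terms=("acme",))
        print(f"{pw!r}: {result or 'OK'}")
```

The check is case-insensitive throughout so that "Password" or "JSmith" cannot slip past the blocklist or the identity test, and the company terms are supplied by the caller so the same function can be reused for several domains.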


Avoid Personal Information

Personal information should not be used in passwords, especially at a time when so much of our personal information can be found online through social network accounts. Birthdays, names of family members, and names of pets are not good choices. Favorite movies, bands, singers, sports teams, celebrities, authors, or television shows are poor choices, too. People should never use their real name or the name of the company they work for as part of the password, either. This type of policy is difficult to enforce automatically, but employees should be educated on the subject so they know what to avoid.

Don’t Use the Same Password for Multiple Accounts

Users should avoid using the same password on different accounts. It is not at all uncommon for employees to use the same password for their email and network login, as well as for other logins that may be required of them during the course of daily business. It makes remembering passwords and logging in much easier, but it also makes it much easier for hackers to exploit them. If a hacker obtains the password for one login, whether by cracking it or from a breach of some other site where it was reused, they then have access to all the others. Discourage your employees from using the same password for different logins.

Consider the Use of Pass Phrases

A pass phrase is like a password but longer, typically 20 to 30 characters. Besides the obvious benefit of length, a pass phrase can be structured so that it is easier for the user to remember than a normal password. Methods for developing pass phrases include randomly selecting several unrelated words, using words that are not spelled out completely or not spelled normally, replacing letters with symbols or numbers, and/or creating an acronym from a phrase.

Using pass phrases can help motivate users to develop a password they can remember that is still strong enough to make it very difficult for hackers to guess. For example, suppose someone is a fan of science fiction novels. They could take the phrase “I live for science fiction books” and turn it into “iL!veF0r$cynsFic$hun8o0ks” as a pass phrase. At 25 characters this comfortably exceeds the minimum length, and it is easier for the user to remember than a randomly generated string of letters, symbols, and numbers. To a hacking algorithm, it does not look like a recognizable set of words. One caveat: password-cracking tools apply exactly these substitutions (0 for o, $ for s, ! for i) as automatic rewrite rules, so the character swaps add less strength than they appear to; most of the protection comes from the length and from the underlying phrase not being a well-known quote, title, or lyric.
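The "randomly selecting words" method above is the one whose strength can actually be measured, because each word is an independent uniform pick from a known list. The following is an added example, not code from the original page or from IT Services Group: it generates such a pass phrase with a cryptographically secure random source and computes how many bits of entropy a given word count provides, so an administrator can decide how many words to require. The 32-word list is a constructed stand-in (assumption); a real deployment would use a published list such as a 7,776-word Diceware-style list, which is the size used in the figures below.

```python
# Added example (not from the original page): random-word pass phrases with an
# entropy budget. SAMPLE_WORDS is a constructed 32-word list for offline use.
import math
import secrets

SAMPLE_WORDS = (
    "anchor", "basket", "candle", "desert", "ember", "falcon", "garnet", "harbor",
    "island", "jungle", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
    "zephyr", "bridge", "copper", "dragon", "fossil", "glacier", "hammer", "ivory",
)


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy in bits of word_count words drawn uniformly at random, with
    replacement, from a list of wordlist_size words: word_count * log2(size)."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need at least two candidate words and one pick")
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of random words whose combined entropy reaches target_bits."""
    if wordlist_size < 2:
        raise ValueError("need at least two candidate words")
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words=SAMPLE_WORDS, word_count: int = 5,
                        separator: str = "-") -> str:
    """Build a pass phrase from uniformly random words using the secrets module
    (a CSPRNG). random.choice is seeded predictably and must not be used here."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"({len(phrase)} characters)")
    print(f"{passphrase_entropy_bits(len(SAMPLE_WORDS), 5):.1f} bits: 5 words from the sample list")
    print(f"{passphrase_entropy_bits(7776, 5):.1f} bits: 5 words from a 7,776-word list")
    print(words_needed(7776, 64), "words from a 7,776-word list reach 64 bits")
```

Five words from a 7,776-word list give about 64.6 bits, and with separators they land in the 20 to 30 character range the page recommends; the same five words from the 32-word sample list give only 25 bits, which is why the size of the list matters as much as the number of words.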

Common Sense

A major part of a good password system is common sense, starting with some things to avoid: common passwords, personal information, predictability, and the same password for multiple accounts. Enforcing a minimum length and using pass phrases instead of simple passwords will protect you against all but the most determined password-guessing attacks.

Contact IT Services Group to Strengthen Your Security

IT Services Group can help you with developing and implementing a powerful password policy to make your frontlines of cybersecurity as strong and secure as possible. In fact, we can help you with all aspects of cybersecurity and IT management, regardless of the size of your company.