Password Policy Made Easy for Everyone
Even with all the technology advances in recent years, a bad password policy is still the main culprit when it comes to network security breaches. I am guessing you probably use the same password for most things – perhaps you are a little better than most and at least have separate passwords for banking. Unfortunately, passwords like lefsa, donjuanthedog, and Password1 are just not going to cut it anymore.
Y’know what? When you used Netscape in the 90s, “vikingswin” still wasn’t a good password – esp. since bad passwords and the team always fail at some point.
Anyway, so you have 50 users, they all hate change, and so what do you do?
Even having an office password policy party won’t make your employees happy at first. I think that we can all agree that everyday humans out there, esp. us change-averse Minnesotans, are tempted to reuse the same simple, easy-to-remember passwords – like a pet’s name. You probably use 40-70 different websites and apps that require you to remember a password.
Here is a good corporate password policy as of November 2016:
- 12-15 characters. Yep, 8 is no longer good enough.
- Lowercase and capital letters intermixed, numbers, and special characters (like ‘@, $, ^’)
- Unique to each employee
- You cannot use the same password twice
- Changed every 90 days, with 30 and 3 days’ notice before it forces the change.
- It doesn’t use a word – esp. one that is in the dictionary or related to you (e.g. your dog’s name).
- Use your Microsoft Server Domain Controller / Active Directory Group Policy to enforce the password policy.
This is bonkers! How would I remember this? Well, it’s simpler than you may think. I’ll go even tougher, so here is an example of a 17-character password:
Now that looks scary, but this should be easier to remember as you only need to remember the first letter of a sentence, your favorite lyric, or something no one may know. For example:
I love 2 grow corn because 2 years ago we made $ At the Cokato Corn Carnival
This makes your password I l 2 g c b 2 y a w m $ A t C C C — get it?
Do you remember this similar tactic from high school history class before a test? Mnemonics make it easier for your memory to recall information by creating rhymes, sentences or bizarre imagery to jog your memory. In other words, human brains remember fun things much more easily – so keeping it as a sentence and remembering the first letter/symbol/number of each word is naturally much easier when something more complicated needs to be remembered.
Why all this for a password policy, seriously?
Because smart hackers and brute force – that’s why. Ignorance is not bliss, so you cannot stick your head in the sand. You now have a fiduciary responsibility to keep your clients’ data safe as well, so it’s important for any company.
With flexible, affordable cloud resources these days, that horsepower gives hackers and their software a serious advantage in finding your passwords. A simple 8-character password can be cracked within minutes if someone knows at least part of it or knows things about you – and those things are easily findable through social engineering tactics.
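To make the policy list and the first-letter trick concrete, here is an added example (not code from the original post or from Network Medics): it builds the password from the corn-carnival sentence the way the post describes, checks a candidate against each rule in the November 2016 list, and estimates the brute-force search space in bits, which is the gap between the 8-character password and the 17-character one. The dictionary and personal-word lists are tiny constructed stand-ins; the reuse check compares digests against a list of previous passwords supplied by the caller.

```python
import hashlib
import math
import string
from typing import Iterable, List

# Rules from the post's November 2016 policy list. The minimum is the low end
# of the 12-15 range; the post's own 17-character example exceeds it.
MIN_LENGTH = 12
SPECIALS = set(string.punctuation)  # '@', '$', '^' and the other ASCII symbols

# Constructed stand-ins for this example. A real deployment feeds a full
# dictionary wordlist and a per-user list of guessable facts (pet, hometown, team).
DICTIONARY_WORDS = {"password", "corn", "carnival", "cokato", "viking", "winter"}
PERSONAL_WORDS = {"donjuan", "lefsa", "vikings"}


def mnemonic_password(sentence: str) -> str:
    """Build the first-character password the post describes: keep the first
    character of each whitespace-separated token, so numbers and symbols in the
    sentence land in the password unchanged."""
    return "".join(token[0] for token in sentence.split())


def search_space_bits(password: str) -> float:
    """Rough brute-force cost: the size of the character classes the password
    actually uses, raised to its length, expressed in bits. This is the gap
    between 8 lowercase characters and 17 mixed ones."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SPECIALS for c in password):
        pool += len(SPECIALS)
    return len(password) * math.log2(pool) if pool else 0.0


def _history_digest(password: str) -> str:
    # Digest only for the reuse comparison in this example. Stored credentials
    # belong in a salted, slow hash (bcrypt, scrypt, Argon2), not bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_policy(password: str, previous: Iterable[str] = (),
                 personal: Iterable[str] = PERSONAL_WORDS) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for word in sorted(DICTIONARY_WORDS | set(personal)):
        if word in lowered:
            problems.append(f"contains the word '{word}'")
    if _history_digest(password) in {_history_digest(p) for p in previous}:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    sentence = "I love 2 grow corn because 2 years ago we made $ At the Cokato Corn Carnival"
    candidate = mnemonic_password(sentence)  # Il2gcb2yawm$AtCCC
    print(candidate, f"{search_space_bits(candidate):.0f} bits", check_policy(candidate))
    for weak in ("Password1", "donjuanthedog", "vikingswin"):
        print(weak, f"{search_space_bits(weak):.0f} bits", check_policy(weak))
```

The mnemonic password passes every rule, while the post's three bad examples each fail several at once; the bit estimate only counts character classes actually present, so a 17-character password that is all lowercase scores far below one that mixes in a digit and a symbol.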
How are we to keep up with a ‘good’ password policy and keep our sanity?
On a corporate level (or personal), there is a way to have a single password give you the ability to store all of the rest of your passwords – these are called “password managers.” We don’t advocate for any particular one, but have seen success with Keepass and Keeper.
For you personally, there actually is an old-school way too. Some may disagree, but a good ol’ piece of paper locked in a drawer, for when you forget, isn’t hackable. Yes, it could be stolen, but how often do you get robbed vs. how often are your digital files at risk of being hacked? The latter is a much higher risk.
What about Two Factor Authentication (2FA)?
You have apps and websites allowing for two factor authentication. For heaven’s sake, use it! Being able to prove you are you removes some of the advantage from those trying to get your information. As of November 2016, a thumbprint, Google authentication, facial recognition or any option your bank, email, or service provider gives you on websites, apps, or your mobile devices is definitely worth every effort.
Network Medics Can Help
At Network Medics, your corporate security is always at the forefront. Our clients all have a customized password policy that is part of their technology plan in their VitalCare Managed IT Service with us. Contact Network Medics today if you need help with your password policy via a Microsoft project or within your Managed IT Services technology plan.