Tips for Creating a Strong Password
Correct risky password behavior and reduce your chances of being hacked.
Bloomberg Businessweek recently published a short fact sheet on the state of password management in business. Titled "The Problem with Passwords," the piece relied on data obtained from analysts and vendors to estimate how long it takes an attacker to brute-force a given password based on its complexity and length. I'll have more on that later.
The fact sheet also noted that the average cost of fielding a phone call for a password reset is $10, and that a staggering 30 percent of help desk calls relate to password management. Perhaps even more astounding is the finding that one out of every two users will choose a "common word or simple key combination" for their password by default.
I read the fact sheet and came up with two simple suggestions that you can implement in your SMB to cut costs and improve the state of security in your company.
Given the high cost of handling password-related requests such as resets, businesses will clearly benefit from a software utility that lets employees perform a self-service password reset, akin to what most Web services offer. Depending on network architecture and deployment, such a project will be easier for some organizations than for others, but it should not be insurmountable for any of them.
Where the utility is concerned, I would advocate a password reset rather than a password recovery, for an obvious reason: modern operating systems store user passwords as a hash precisely so that the original cannot be retrieved. Even on Web-based systems where the stored password might not be hashed, offering password recovery means an attacker could conceivably abuse the feature to break into an account without the account holder ever noticing. In addition, the destination address to which the reset password is sent should be hidden and should not be modifiable without a personal visit to the IT helpdesk.
Spell out and Enforce Requirements for Password Complexity
I would argue that the numbers in the article are not very useful without knowing the attack vector (an offline attack against a password hash is far faster than guessing against a live login, for example). Still, I feel it gives an approximate picture of the relative strength of different password lengths and character sets. Certainly, brute-forcing a slightly longer password is exponentially harder than brute-forcing a short one. According to Businessweek, a six-character password made up of a mix of upper- and lowercase letters will take 10 hours to break, while a nine-character one will require a staggering 178 years, or 1,559,280 hours.
Clearly, security will be vastly improved if businesses spell out and enforce minimum requirements for allowable passwords. The policies should raise security without forcing users into passwords that are unreasonably difficult to remember. In addition, I suggest that companies build a tool that suggests new passwords to users and validates any proposed password against the company's complexity policy.
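As an added illustration of such a tool (example code, not from the article), the script below validates a candidate against a constructed policy (minimum length, number of character classes, a short constructed list of common words) and generates compliant suggestions with the operating system's CSPRNG. The keyspace figure it reports is the size of the exhaustive search an attacker would face, which is what makes the longer password in the Businessweek numbers so much costlier to break.

```python
import math
import secrets
import string

# Constructed policy and word list for illustration; a real deployment would
# load the company's own policy and a far larger dictionary of common words.
POLICY = {"min_length": 9, "min_classes": 3}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def keyspace_bits(password: str) -> float:
    """Bits of keyspace an exhaustive search over the used classes must cover."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def validate(password: str, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    used = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    if used < policy["min_classes"]:
        problems.append(f"uses {used} character classes, policy requires {policy['min_classes']}")
    # Strip digits and symbols so that 'Password1!' is still caught as a common word.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in COMMON_WORDS or password.lower() in COMMON_WORDS:
        problems.append("based on a common word")
    return problems


def suggest(length: int = 12, policy: dict = POLICY) -> str:
    """Draw random passwords from the OS CSPRNG until one satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not validate(candidate, policy):
            return candidate


if __name__ == "__main__":
    for pw in ("Password1!", "abcdef", "Kf7!mzQ2#pLw"):
        print(pw, validate(pw) or "OK", f"{keyspace_bits(pw):.0f} bits")
    print("suggested:", suggest())
```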
Do you have any suggestions for better password management? Feel free to share them in the comment section below.