Until biometric authentication takes off, typed passwords will continue to form the cornerstone of authentication systems. Yet what exactly constitutes a good password in this brave new era of cloud computing? According to security consultant David Campbell, the secret number is 12, or a password made up of 12 characters, to be precise.
What Campbell essentially did was calculate the cost of performing a brute-force attack on various types of passwords using Amazon's EC2 Web service. Starting from the throughput of his cracking application, approximately 9.36 billion keys an hour, Campbell did some arithmetic and worked out the monetary cost of exhausting the search space for passwords of varying length.
So what is the conclusion? Exhausting the search space for a 12-character password would cost about $1.5 million worth of processing, which should be sufficient to deter most criminals. However, the same search on an 11-character password will cost less than $60,000 -- an amount likely to be gained from a few stolen credit card numbers. Two caveats apply to these figures. They describe an offline attack, where the attacker already holds the password hash and can test guesses at full speed; a login form that locks out or throttles repeated attempts cannot be searched this way. They are also a snapshot of current cloud pricing and cracking hardware, both of which move only in the attacker's favour, so treat them as an upper bound, and remember that the figure is the cost of trying every candidate: on average the password turns up about halfway through.
With this in mind, below is a simple list of password guidelines that SMBs can disseminate to their employees, with a brief explanation under each point. Remember, we want to keep it simple.
Passwords Should Be 12 Characters Long
Campbell's figures are for passwords made of letters only, with no digits or symbols. His original analysis pointed out that adding those extra character classes makes a password more expensive to crack, but that the gain was smaller than one might expect. In practice the gain is smaller still, because users tend to add a single digit or symbol in a predictable spot (a trailing "1" or "!"), and cracking tools try exactly those variations as standard rules, whereas every character of added length is a gain the attacker cannot shortcut. Personally, I would advocate building the password from a mnemonic you can actually remember, such as the initials of a sentence or two or three unrelated short words, so that it meets or exceeds the suggested length. Do not simply type a 6- or 7-character string two or three times to get there: that meets the length target on paper, but cracking tools apply a "duplicate" rule (hashcat's d and pN rules, for example) to every candidate, so a repeated 6-character string costs an attacker little more than the 6 characters alone.
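As an added example (this is not code from the article or from Campbell's analysis), the following Python reproduces the arithmetic behind the dollar figures above and extends it in two ways the page only describes in words: it tabulates the cost for other alphabets and lengths, and it compares the naive and realistic cost of the repeated-mnemonic idea. The only throughput it uses is the page's 9.36 billion keys an hour. The per-hour instance price is not given on the page, so the script assumes the roughly $0.15 per instance-hour that both quoted figures imply for a 26-letter alphabet; that price, the alphabet sizes and the "three rule variants" allowance are assumptions, not figures from the source.

```python
"""Brute-force cost model in the spirit of Campbell's EC2 estimate.

Added example; not code from the article or from Campbell's analysis.
Assumptions: throughput is the 9.36 billion keys/hour quoted on the page;
the instance price is not given there, but both dollar figures on the page
work out to roughly $0.15 per instance-hour against a 26-letter alphabet,
so that derived value is the default.
"""
from math import log2
from typing import Dict, Tuple

KEYS_PER_HOUR = 9.36e9   # cracking throughput quoted on the page
PRICE_PER_HOUR = 0.15    # assumed EC2 price per instance-hour (derived, see above)

# Alphabet sizes (assumed); "lowercase" is the one the page's figures match.
ALPHABETS = {"lowercase": 26, "mixed-case": 52, "alnum": 62, "printable": 95}


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search tries in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int,
                     rate: float = KEYS_PER_HOUR) -> float:
    """Instance-hours needed to try every candidate at `rate` keys/hour."""
    return keyspace(alphabet_size, length) / rate


def cost_to_exhaust(alphabet_size: int, length: int,
                    rate: float = KEYS_PER_HOUR,
                    price: float = PRICE_PER_HOUR) -> float:
    """Worst-case dollar cost; the expected cost is about half of this."""
    return hours_to_exhaust(alphabet_size, length, rate) * price


def cost_table(lengths=range(8, 15),
               alphabets: Dict[str, int] = ALPHABETS) -> Dict[Tuple[str, int], int]:
    """Worst-case cost in whole dollars for every (alphabet, length) pair."""
    return {(name, n): round(cost_to_exhaust(size, n))
            for name, size in alphabets.items() for n in lengths}


def repeated_mnemonic_cost(alphabet_size: int, base_length: int, repeats: int,
                           rule_variants: int = 3) -> Tuple[float, float]:
    """(naive, realistic) cost of a short string typed `repeats` times.

    Naive: treat the result as a random string of base_length * repeats chars.
    Realistic: the cracker applies a duplicate rule (hashcat's 'd' / 'pN') to
    each base candidate, so the search is alphabet_size ** base_length times a
    handful of rule variants (an assumed 3 here), however often it was repeated.
    """
    naive = cost_to_exhaust(alphabet_size, base_length * repeats)
    realistic = (keyspace(alphabet_size, base_length) * rule_variants
                 / KEYS_PER_HOUR * PRICE_PER_HOUR)
    return naive, realistic


if __name__ == "__main__":
    table = cost_table()
    for (name, n), dollars in sorted(table.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        print(f"{n:2d} chars, {name:10s}: ${dollars:>25,d}")
    naive, real = repeated_mnemonic_cost(26, 6, 2)
    print(f"6 letters typed twice: naive ${naive:,.0f}, realistic ${real:,.2f}")
```

Run as a script it prints the full table and the repeated-mnemonic comparison; the lowercase rows for 11 and 12 characters land on the page's $60,000 and $1.5 million, and each extra lowercase character multiplies the cost by 26, while the 6-letters-typed-twice line shows the realistic cost collapsing to cents once the duplicate rule is accounted for.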
Never Write Down Your Passwords
This should be a minimum requirement. Most SMBs have an open culture, so it is common for colleagues, guests or vendors to walk up to people's cubicles. Committing a password to a Post-it note or scrap of paper is simply asking for trouble.
Do Not Use the Same Passwords for Your Personal and Work Accounts
I passed along this idea after my "Simple Password Tips" blog prompted a reader to say workers would hardly be able to remember unique passwords for each system. An alternative idea would be to have staffers use a different set of passwords at work.
Never Give Your Passwords to Anyone
It should be emphasized that the IT department will never ask for passwords for any reason. When troubleshooting problems, administrators should reinforce this by performing a password reset rather than asking for the user's password. Emphasizing this point will help protect your SMB against social-engineering attacks, to a certain extent.
We Will Gladly Reset Your Password for You at Any Time
The idea here is to encourage employees to err on the side of caution should they believe their passwords could have been compromised. Rather than penalizing them, the prevailing culture should be that the IT department is more than happy to reset passwords as often as necessary.