Tips for Creating a Strong Password
Correct risky password behavior and reduce your chances of being hacked.
You'd think at some point that people would understand that, while not foolproof, strong passwords are one of those important first lines of defense in network security. Yet, making headlines earlier this week was the news that "Password1" is still the most common password used in the business setting, and that the word password comes up in at least 5 percent of passwords used. CNN Money explained the reasoning behind that this way:
There's a technical reason for Password1's popularity: It's got an upper-case letter, a number and nine characters. That satisfies the complexity rules for many systems.
I think that's true, but I also think there is another reason. Nearly every time I've been asked to set up an account for business purposes, I am given a default password to use "for first-time login only." Almost always that password is Password1 or some other form of the word password (or if not password, it is a variation on the user's first and last name). There is also almost always a message that recommends I change my password immediately. I know there are times when I get into the site, take care of the business at hand and forget to change the password immediately. Although I do make sure the password gets changed, I suspect there are a lot of people who also forget to change the password on that first visit or subsequent visits to the site - either that, or they just don't see the point.
We see regularly that it is difficult to change employee behavior. To make sure employees change their introductory password, as well as regularly use strong passwords, employers need to step in.
For example, I've gone to websites where I was given a one-time login password and it really was a one-time password. If I didn't change it during that session, I couldn't log back in. Other sites took me directly from the login page to a page that had me change my password immediately, before I could do another thing on the site. One former employer didn't insist that I change my assigned password immediately, but I did have to change it within 60 days. In fact, at that job, I had to change my password every 60 days, and the new password had to be significantly different from recent passwords. In other words, I couldn't just add a number or change a letter from lowercase to uppercase.
Another option is to avoid using a generic first-time password to begin with. According to a Yahoo article:
Last year Microsoft decided to take a stance against commonly used passwords, as TechWeek Europe reported. If a major company, rooted in technology, can ban the use of easily cracked passwords, then surely other companies can follow suit. It seems pretty clear that users can simply not be trusted, which is probably more about having a few more than a handful of passwords and PINs to remember. Perhaps automatically generating passwords and not allowing users to change them will soon become the order of the day.
Finally, if you want to make sure your employees are changing (or setting up) their passwords to something more complex than, say, "passWord2," raise the minimum number of characters required. Each additional character multiplies the number of possible passwords by the size of the character set, so the keyspace grows exponentially with length. The bad guys use tools that cycle through possible combinations, and the larger the keyspace, the longer it takes those tools to hit a password that works. As CNN Money pointed out:
While a seven-character password has 70 trillion possible combinations, an eight-character password takes that to more than 6 quadrillion.
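Those figures are 95^7 (about 7 x 10^13) and 95^8 (about 6.6 x 10^15), the counts for passwords drawn from the 95 printable ASCII characters. The following Python is an added example, not code from this article or from CNN Money: a small password-policy checker that reproduces that keyspace arithmetic and enforces the rules described above, including the "significantly different from recent passwords" rule, implemented here as a trivial-variant check (case folding plus stripping trailing digits and punctuation) combined with an edit-distance threshold. The minimum length of 12, the three-of-four character-class rule, the edit-distance threshold of 3, the common-password list and the sample passwords are all assumptions made for illustration.

```python
import string

# Constructed stand-in for a real common-password or breach list; a deployment
# would load a large list from a breach corpus instead. (assumption)
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "123456", "qwerty"}

# The CNN figures assume the 95 printable ASCII characters as the alphabet.
PRINTABLE_ASCII = 95


def keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` symbols drawn from an
    alphabet of `alphabet_size` symbols: alphabet_size ** length."""
    return alphabet_size ** length


def levenshtein(a, b):
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _core(pw):
    """Collapse trivial variants: lower-case and strip trailing digits and
    punctuation, so 'Password1', 'passWord2' and 'PASSWORD!' all become 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def too_similar(new, old, min_distance=3):
    """True when `new` is only a trivial variant of `old`: same core, or fewer
    than `min_distance` edits apart ignoring case (threshold is an assumption)."""
    core = _core(new)
    if core and core == _core(old):
        return True
    return levenshtein(new.lower(), old.lower()) < min_distance


def check_password(candidate, history=(), min_length=12):
    """Return the list of policy violations for `candidate`; an empty list means
    the password is accepted. `history` holds recent passwords in clear text,
    which in practice means the current password the user types at change time;
    older entries can only be checked for exact reuse against their hashes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if candidate.lower() in COMMON_PASSWORDS or _core(candidate) in COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variant of one")
    if any(too_similar(candidate, old) for old in history):
        problems.append("too similar to a recent password")
    return problems


if __name__ == "__main__":
    # Keyspace growth with length, and how long exhausting it takes at an
    # assumed 10^10 guesses per second.
    for n in (7, 8, 12):
        print(f"{n} chars: {keyspace(n):.3g} combinations, "
              f"~{keyspace(n) / 1e10 / 86400:.1f} days at 10^10 guesses/s")
    # Constructed sample passwords.
    for pw, hist in [("Password1", []),
                     ("passWord2", ["Password1"]),
                     ("Tr0ub4dor&3-Spring!", ["Password1"])]:
        print(pw, "->", check_password(pw, hist) or "accepted")
```

Note that "Password1" passes the three-character-class rule, which is exactly why it satisfies so many systems; it is caught here only by the common-password list and the length minimum, and "passWord2" is additionally rejected as a trivial variant of the previous password. The similarity check needs the old password in clear text, which is why a real change-password flow compares only against the current password the user supplies, and can detect reuse of older passwords solely by exact hash match.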