The emergence of social media and increasing access to personal information online has threatened the security that passwords once afforded. It’s a pressing issue at organizations of all sizes and challenging IT professionals to implement new practices and policies to prevent their data and applications from being compromised.
So, what’s the current best practice on passwords? At Marco, we recently updated our password policy. All businesses should have a password policy that establishes the rules for creating, distributing, safeguarding, terminating and reclaiming access to the company’s data and systems.
Recent hacks on popular sites such as LinkedIn and Yahoo show how easy individuals have made passwords to crack. Nearly one-quarter of the passwords hacked on Yahoo were used by more than one person. The top password was 123456, followed by “password.” Those are obvious don’ts. But even words such as welcome, ninja, princess and sunshine made the top 10 most common passwords.
In many cases, users combine recent years such as 2013 or 2008 with a base word. An analysis of the Yahoo hack identified love, jesus, money, freedom as some of the common base words.
Prevent the Hack
One of the best moves an organization can make is educating employees on how to create effective passwords. Here are some best practices when creating a password:
- Minimum length of eight characters.
- Include combination of three complexity factors (uppercase, lowercase, numeric or special characters).
- No words that can be found in the dictionary. That means no base words.
- No acronyms.
- Avoid reusing previous passwords.
- Not easily tied back to account owner.
This last one is key and the one causing the most angst among corporations in the world of social media. Today, hackers can gain access to your birthday, children’s names, anniversary, nickname and a wealth of other information through social media. None of this now public information should be a part of a password. When creating a password, ask yourself “Can this password be guessed by those who know me?”
Of course, that does make them harder to remember. But writing them down or including them in a document that is easily accessible is not a good practice. That can put the account at just as much risk as using easily identifiable information.
The Strongest Password
The strongest password is the single use password, meaning it is only used on one account. That has become almost impossible with all the logins individuals need to create in today’s totally connected environment. So, focus on creating single use passwords for highly sensitive accounts, such as banking and the main login for employees into the organization’s system.
Organizations should store passwords as confidential data and keep them encrypted. Prompting employees to change their passwords regularly can further help protect the company’s data and systems. But it also increases the likelihood of employees’ creating patterns or storing these passwords in an insecure way.
Hackers tend to work in real-time so how individuals create a password is the most critical. Organizations will be well served by providing clear direction on password creation for employees in a password policy.