An article at TechRadar last week noted the work of Dr. Jeff Yan, a professor at Lancaster University. Dr. Yan used a database of email passwords stolen in a Yahoo data breach to find the 10 most common passwords. These passwords are about as terrible as you would expect – “123456”, “password”, and “welcome” topped the list. And while your company’s group password policies are unlikely to allow any of these (if they do, please change this immediately), it’s a good jumping-off point to discuss password policies in general.
What’s most important in a password policy? Each element of a password policy is designed to protect against different types of threats. Here are three elements which can protect your network, and why they should be present.
Requiring a combination of numbers, uppercase and lowercase characters – This isn’t just here to keep your users forgetting their passwords (although it’s very effective at that). Passwords which have all of these elements require more attempts to guess correctly. Password length has a similar but even greater effect – long passwords are very difficult to ‘crack’, or guess correctly by attempting repeatedly until you get a correct answer.
Requiring passwords to be regularly changed – Although passwords are mostly kept secret, they become known to more people over time. This is especially true if people use similar passwords for multiple websites, or network logins. Requiring a change every six months keeps passwords a moving target instead of a stationary one, so slow data leakage is less likely to turn into a compromised network.
Requiring two-factor authentication for sensitive data – Two factor authentication requires having access to an additional device or email account in addition to your password. For instance, after entering your password, an additional single-use password is sent to an email address or texted to your phone, and you have a short period of time to enter this password as well. With two-factor authentication, even if someone has stolen your password, they cannot access your account unless they have also taken control of your email account or phone. Although this can cause slightly lower productivity, it is much more secure than standard passwords. Using two-factor authentication for sensitive information makes it less likely that it will leak out of your company.
To learn more about how our Managed Services will improve your network security, call 919.779.0954 or contact us online.