Passwords are the most fundamental part of a system’s security. Since the beginning of the internet, though, those digital keys to your palace have never received the careful handling you would demand for them.

Look, I don’t mean to call you out, but your keys can be anyone’s keys. And what is worse, you are likely the culprit in making those passwords crackable and hackable.

Don’t believe me?

Let’s look at some history…

But before we do, here is our TL;DR.

  • Passwords have never been secure (password & 12345 ?!?!?!)
  • Today, they aren’t (password and 123456 ?!?!?!)
  • You can help to make them more secure
  • Create a password and security policy
  • Never think a password or policy is 100% secure, safe and unhackable!

Okay, let’s talk some historical password fun, shall we?

UPDATE: Some of the principles outlined in this article are considered to be dated and/or minimalist as of 2017. Please be aware that this article is meant to be a very fast guide as to the basics of passwords and password policies. In the future, we will be looking at more in-depth concepts and methods of passwords and security.

A brief history on passwords and file security

Since the beginning of the internet, we have used computers for every kind of login. Passwords were used for security before this; however, the internet is when hacking became “real”.

And what was the most used password in the 90s?

If it’s in a movie, it has to be true, right? So here is a scene from the 90s movie Hackers…

  • love
  • secret
  • sex
  • god

Those passwords seem to make sense. They are memorable, daily observances of our human selves, right?

At the time, there was an even larger problem in password security, beyond these simple and recognizable words.

The top passwords were actually password and 12345. These were not only user passwords; even new electronics and IT components defaulted to one of these, or to some variation of either or both.

What’s changed? What are the top passwords today?

Password security of today is not any more secure

SplashData released its “Worst Passwords of 2015” list without much change to the most used passwords. The passwords 123456 and password were found to be the most used passwords (the study used over 2 million passwords leaked from various sources during the year).

The top ten passwords in the study are just appalling for your security.

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball

These passwords are still in use, even locally.

This is one reason that some services automatically reject common passwords. Some, in fact, also reject passwords that contain your real name, street address, email or their own brand name.

Password security help

One of the simplest pieces of the password security puzzle is to stop users from choosing insecure passwords. A password policy is a great start. A full security policy is even better. And doing both, no matter the size of your business or organization, is crucial.

At PerfectShare, we are focused on your business security and password procedures. Our password policy recommendations can be used in your business today, and can remove the most common security issues of many organizations.

Make your passwords longer

The simple fact about easy-to-guess passwords is that they are just too short.

Think about the math involved with the systems that we all deal with everyday. What are your systems that each have passwords, PINs and security phrases?

  • Email login(s)
  • Computer login(s)
  • Mobile phone login(s)
  • Google account login
  • Facebook login
  • Twitter login
  • LinkedIn login
  • Bank login
  • Retirement plan login
  • Bank PIN code

These are primary logins and PINs, but there are MANY more that I’m sure you use daily, weekly or more often. And, with all of those passwords, it’s likely that you want simplicity. It is likely that you opt for the minimum password length. It is likely that you use 6-8 character strings that are basic names, number sequences or a mix.

To see how secure they are, let’s look at the actual number of combinations involved. A brute-force attack starts with a word list and number sequences. If you have a weak password (your name, a child’s name, a pet’s name, a birth date, a number sequence like 1234 or longer, etc.), that password can be guessed in under an hour.

Let us assume, though, that you didn’t do this. Instead, you decided to create a password of all lowercase English letters, 8 characters long. Your password has 26^8, or over 200 billion, possible combinations.

Now, let’s make the password a bit longer (and still assuming only the 26 lowercase English letters) and see the results:

  • 10 characters – over 140 trillion combinations
  • 12 characters – over 95 quadrillion combinations
  • 14 characters – over 60 quintillion combinations
  • 16 characters – over 40 sextillion combinations

Simply by doubling the character length of the passwords we choose, we see a multiplier of about 200 trillion. That is correct – by increasing our passwords from 8 characters long to 16, we are multiplying the possible outcomes by 200 trillion possibilities.

Make your passwords have a different makeup

Password length isn’t the only change that you can make. Changing the allowed password characters also alters the possible outcomes.

For this example, let’s take the same 8-character string. However, instead of only lowercase English letters, let’s increase the possible characters.

  • Include lowercase letters
  • Include uppercase letters
  • Include all numbers
  • Include special characters like ()[]{}><,.?/~`!@#$%^&*_-+=|

Now we still have 8 slots, but 89 possible characters. 89^8 = over 3 quadrillion.

This is a MASSIVE improvement.

One thing to mention: when the rules say “include at least one of each of the following”, we have to remove some of the possibilities, and end up with something closer to 2 quadrillion combinations.

Combine longer passwords with more characters

Longer passwords, made up of more characters and types, are harder to remember; but they are also much harder to guess. And this is the whole point of passwords and security.

For our example, let’s look at using a 16 character length string minimum, with the characters outlined above.

We have 16 slots with 89 possible characters. That is 89^16, or 15 nonillion combinations (a 15 with 30 zeros after it). When we remove some possibilities based on the “include at least one of each of the following” rules, this number gets closer to 4 or 5 nonillion rather than 15.

These are huge numbers of possibilities that take a long time to work through. This is good for keeping your passwords secure.
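The keyspace arithmetic from the last three sections, worked through as an added example (this is not code from the article or from PerfectShare). It computes the plain alphabet^length counts and, for the “at least one of each class” rule, the exact reduced count by inclusion-exclusion over the four character classes; the guesses-per-second rate is an assumed, illustrative figure.

```python
from itertools import combinations

# Character classes exactly as the article defines them (26 + 26 + 10 + 27 = 89).
SPECIALS = "()[]{}><,.?/~`!@#$%^&*_-+=|"
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIALS)}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def keyspace_with_all_classes(classes: dict, length: int) -> int:
    """Strings of `length` symbols that contain at least one symbol from EVERY class.

    Inclusion-exclusion: take all strings, subtract those missing one class,
    add back those missing two classes, subtract those missing three, and so on.
    """
    names = list(classes)
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = alphabet - sum(classes[n] for n in missing)
            total += (-1) ** k * remaining ** length
    return total


def exhaustive_search_hours(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string in `space` at the given guess rate."""
    return space / guesses_per_second / 3600


if __name__ == "__main__":
    for n in (8, 10, 12, 14, 16):
        print(f"{n:2d} lowercase letters       : {keyspace(26, n):.3e}")
    for n in (8, 16):
        full = keyspace(sum(CLASSES.values()), n)
        rule = keyspace_with_all_classes(CLASSES, n)
        print(f"{n:2d} symbols from 89, any mix : {full:.3e}; "
              f"at least one of each class: {rule:.3e}")
    # Assumed cracking rate, illustrative only: 10 billion guesses per second.
    rate = 1e10
    hours = exhaustive_search_hours(keyspace(26, 8), rate)
    print(f"8 lowercase letters exhausted in about {hours:.2f} hours at {rate:.0e}/s")
```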

Speaking of passwords, in the plural…

Use a unique password for each login

People like simplicity. However, security and simplicity are not the best couple. They don’t get along, and they laugh at how well oil and water get along.

For many, using one password for all (OPFA), makes sense. You can use an extremely complex password (good security!) and use it everywhere. You have only one difficult thing to remember, everywhere.

“So, what’s the problem with that?!”

The problem is that if that password is discovered, hacked, or even given out (yes, that actually happens), whoever gains access to it now has your login EVERYWHERE. Think about some of the places we discussed using passwords and logins earlier. Your bank is now hacked, your business accounts are now hacked, your FTP and database are now hacked – it’s a recipe for destruction.

Instead, use a single password for a single login.

And, for every new location, create a new password.

Change your passwords (for compliance and safety)

PerfectShare recommends changing your passwords often. There are many reasons for our arguing this, but the best come from outside sources.

For organizations wishing to follow compliance standards like HIPAA and PCI-DSS, your passwords MUST be changed as often as monthly. Other standards demand bi-weekly changes, and some are even more frequent.

How often is enough? And, what do we recommend?

For most organizations, a monthly password-change policy is enough. We recommend changing your passwords as often as needed, and sooner. So, if you need to change your passwords monthly, do it twice a month instead. If you need to do it twice a month, move to weekly changes.

But what if your employees do not want to change that often, or you cannot force them to do this?

If this is the case, use the trickle-down approach. The people with the most sensitive data at their fingertips should be the ones with the highest security standards to meet, correct? Owners, managers, supervisors, project managers, etc., should all be using the highest security policies. Lower-level employees should still be held to some password or security policy, but it need not be as strict.

With all of this said, there are some arguments against changing your passwords often. However, because of compliance standards and regulations, the task is still needed and recommended.

What else should you know about password security?

Today we looked at a few areas of password security for your organization. We covered the increases in security that come from length, makeup, and the combination of the two. We also looked at the damage a single password used across multiple logins can do. And we covered the benefits of changing your passwords often to deter long-term infiltration.

In the end, no matter which article on password security you read, or the lengths your organization goes to to meet the regulations of your industry, there is always a possibility of an illegal entry into your system. Someone using social engineering or phishing tactics, a hacker or group using brute-force tactics to gain entry, or even someone giving their password to a co-worker or someone else can, and does, happen. All. The. Time.

However, as difficult as password security, and business security to that end, can be, you still should have a password policy in place. It can be as simple as requiring unique passwords of at least 12 characters, or as complex as requiring mixes of letters, numbers and special characters.
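A minimal policy check of the kind described above (the common-password rejection from the “today” section and the 12-character floor and character mix from this one), as an added example that is not the article’s or PerfectShare’s code. The common list is the article’s top ten; the brand name and the sample user details are assumed values.

```python
import re

# Constructed from the article: its top-ten list and the policy points it makes.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}
MIN_LENGTH = 12            # the article's "at least 12 characters" floor
BRAND = "perfectshare"     # assumed brand name the service refuses in passwords
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]


def check_password(password: str, *, name: str = "", email: str = "",
                   street: str = "") -> list:
    """Return the policy violations for `password`; an empty list means it passes."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("in the common-password list")

    # Personal details and the brand name are rejected wherever they appear,
    # case-insensitively. Multi-word values (a full name, a street) are
    # checked word by word; very short tokens are skipped to avoid noise.
    local_part = email.split("@")[0] if email else ""
    candidates = [BRAND, local_part] + name.split() + street.split()
    for token in candidates:
        token = token.lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains '{token}'")

    # Count how many of the four character classes are present.
    present = sum(bool(re.search(c, password)) for c in CHARACTER_CLASSES)
    if present < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    # Sample inputs are constructed for illustration.
    for pw in ("123456", "Fido2016!!Jane", "Tr0ub4dor&3Xyz!!"):
        print(pw, "->", check_password(pw, name="Jane Fido") or "OK")
```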

And remember: never assume any password is 100% secure, safe and unhackable!

Article Name
If your password is pass123 or 123456, go ahead and change it to
Description
Passwords are the most fundamental part of a system's security. Your business security is only as reliable as the people and policies used on them.
Publisher Name
PerfectShare