Maksim Kabakou - Fotolia

Security Think Tank: Firms need to support good password practices

In the light of the fact that complex passwords are not as strong as most people think and that most password strategies inevitably lead to people following them blindly, what actually makes a good password and when is a password alone not enough?

When all else fails, blame the users. This seems to have been the approach for a long time, and even if it were always a case of “stupid user” syndrome, we have gone way beyond a time this could ever be a valid excuse for serious password failure.

Complex passwords can be strong, but perhaps we need to consider what our definition of complex is and how we enforce password policies.

We also need to consider if we have educated users, not only on how to build and manage a secure password, but also about why it is so important to do so.

If they are balking at what they consider onerous, then we need to make sure they understand why they must do what is being asked of them. While it may seem obvious to many readers, to others who cannot see the problem with a flimsy password or writing down a complex password on a sticky note and putting it on their laptop, it isn’t.

Complex Password? Let’s have a look at not only what makes a good password, but also at what is a good process and policy for password usage and hygiene.

Best practice has changed quite a lot over the years as it became evident that frequently changing very complex passwords was leading to risky behaviour that actually detracted from security and enhanced risk instead of the other way around.

The policies around passwords vary so much and some platforms insist on a regimen such as only eight characters or more, which means someone could potentially just use “12345678” and it would be compliant. Whilst this is a policy, it is a really poor one.

Naturally, starting with a good quality password is preferable. Having a system to create a password that is both high quality and easily remembered by the users is challenging. But we need to get it right, for it is this that causes the risk because people start to write passwords down, use dictionary-based passwords or use the same password across multiples sites or platforms.

We also see people occasionally using private passwords on work devices or systems – creating even greater risk. They are struggling with good reason, so we need to support them, not blame them.

Technology and policy vs user or supporting user?

We still see organisations trying to do password management in an outdated and inflexible way; relying on the technology without any form of good quality user education. How can a user learn how to pick a really good password if you don’t tell them how to pick a really good password in the first place?

We need to be consistent and using password strength indicators can be really helpful or a nightmare, depending on the thresholds dictated. For instance, controls that enforce a policy that says you require a minimum of eight characters in your password, but nothing more, means that you won’t stop someone from choosing “12345678” as a password. You may think that no businesses would allow such a policy, but sadly, you would be wrong.

If your users know the importance of what they are doing and have been given a system for devising a good password, they stand a much better chance of being able to create something secure and memorable, that they won’t write down and won’t be on the “123 password” level.

On the advice of GCHQ many businesses abandoned the notion of changing passwords every three months (or less in some cases) as it became clear this forced the risky behaviour and poor password problem even further. But not all have. So potentially you have businesses that are using poor passwords, changing them regularly, and their users have no idea why this is a bad thing.

This is before we even consider two factor authentication! In-house benefit selling of security for passwords seems to be something we have struggled with ever since we had IT, largely because we want IT to do the thinking for us. Perhaps if we had a method to share…

A method to share!

Think of a phrase, lyric, film title, quotation or question you like and can easily remember.

I am going with: “Play it again, Sam” from Casablanca. First and last letter of each word = PyitanSmCa. Add a non-letter = PyitanSm-Ca. Add the number of words in the phrase to give: PyitanSm-Ca5.

Now you need to remember the methodology because the phrase will not change. But there are no dictionary words or names and no numbers replacing letters that tend to be the biggest causes of insecurity, apart from “password1234” of course.

Read more on Hackers and cybercrime prevention

Data Center
Data Management