From paying for your morning coffee with your debit card to accessing your Facebook account, passwords and personal identification numbers are a part of everyday life. As an IT professional you perhaps preserve your company’s security with a policy mandating that all users change their passwords regularly. But how often does your helpdesk field calls from users who have forgotten their new passwords? Or worse, how many users have had their passwords compromised?
The more passwords users are required to remember, the more likely they’ll create weak passwords that are easy for hackers to crack. They will also likely reuse the same password for multiple sites.
Security company Trusteer found that 73 percent of bank customers use their online account password to access other websites. What then is the likelihood that they’re using the same passwords to access your corporate servers? The need for stronger passwords is clear. We’ve compiled some dos and don’ts on creating strong passwords. Be sure to share this list with your users.
- Don't use words that can be found in a dictionary of any language. Hackers could try to guess your password using dictionary attacks based on words in the dictionary.
- When creating four-digit passcodes, don't use number combinations based on personal information. Numbers, such as your wedding date or the birth date of your child, could be easily discovered.
- You’ll create stronger passwords if you include numbers and symbols but don't use them as most people would. Password guessing software would easily figure out that you've switched @ for a, or added ! at the end of passwords.
- Don’t force users to change their passwords too frequently. The jury is out on how often users should change passwords. Renowned security guru Bruce Schneier believes people who are forced to change passwords regularly are more likely to choose weak passwords because they’re easier to remember. The better goal should be to encourage users to create strong passwords that are unlikely to be compromised in the first place.
- Choose a password that is 8 characters or more.
- Many security experts suggest using a word phrase to help you create strong and memorable passwords. For example, instead of using your favourite colour pink as your password, let's use pink in a series of words that you’ll remember. That could be "the colour of the walls in my bedroom is pink". Your new password could be the first letters of each word: tcotwimbip.You could make this even stronger using a combination of upper and lowercase letters, for example: tcOTwiMbIp. Better still would be to use a combination of letters, numbers, punctuation and symbols: ?tc0T4w!M1bIp.
- Choose letters, numbers and symbols from the entire keyboard, not just those you use or see most often.
- Check the strength of your password at Microsoft's® Safety & Security Center. The checker doesn't collect, store or transmit your passwords; it only rates them according to their strength.
- Change all default passwords. Those include factory-generated passwords in new devices, passwords generated by IT, and passwords generated by your password reset requests.
- Take the time to create strong passwords for the sites that you really care about. Those could be your corporate systems, banking sites and your social media accounts - places where hackers could do serious damage if they were able to gain access.
- If you want to change passwords every month try this method as suggested by Farhad Manjoo writing in Slate. He begins with a base sentence that allows him to change certain sections each month for specific sites. For example, the base sentence It's 20 degrees in February so I use Gmail would yield the password i20diFsIuG (using the first letter of each word and the numbers). During September (the ninth month of the calendar year) the sentence would be It's 90 degrees in September, so I use Gmail (for a password of i90diSsIuG).
- Just as your users probably don't leave their door key under the mat, your users shouldn't tape their password to their computer screen. Blogger JetCityOrange suggests storing passwords on storage devices and keeping that off-site under lock and key.
How long would it take a hacker’s computer to randomly guess passwords of six and nine characters?
• 10 minutes if it’s all lowercase
• 10 hours if it includes uppercase
• 18 days if it contains numbers and symbols
• 4 months if it’s all lowercase
• 178 years if it includes uppercase
• 44,530 years if it contains numbers and symbols