Sunday, May 24, 2009

Working Everyday to Make Passwords Totally Insecure

When it comes to password security policies, bigger isn't always better. IT departments and administrators need to find that level of password zen where passwords are long enough, complex enough, and changed often enough that they are secure. If any of these levels are out of whack, the users will simply write their passwords down on a post-it note or in a planner and leave it for anyone to find. It is my guess that in 4 out of 5 organizations you can walk into any office and in less than 5 minutes find all of the users' login and password information.

Some companies are using a password policy as follows:

1. Must be 12 characters long or more
2. Must contain at least 1 capital letter
3. Must contain at least 1 number
4. Must contain at least 1 special character
5. Cannot be a dictionary word
6. Password expires every 30 days

This policy equals disaster and security failure, yet I know of numerous organizations out there that are using it. Here is a far more realistic and therefore secure password policy.

1. Must be 6 characters long or more
2. Must contain at least 1 capital letter
3. Must contain at least 1 number
4. Must contain at least 1 special character
5. Cannot be a dictionary word
6. Password expires every 60 days

Two very minor changes, and I guarantee users are far less likely to write these passwords down. Bottom line: put some thought into your password policy before you put it in place, be consistent across your applications and websites, and use single sign-on technologies whenever possible. Encourage users not to write passwords down and teach them how to choose good passwords.
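As an added illustration (not code from the original post), here is a small Python checker that encodes the two policies above as data, reports which of the six rules a candidate password breaks, and tells you whether a password has aged out under the 30-day versus 60-day expiry. The word list and the sample passwords are constructed for the example; a real deployment would load a proper dictionary.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import string

# Constructed stand-in for a real dictionary word list.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey"}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_age_days: int
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_dictionary: bool = True


# The two policies described in the post, encoded as data.
STRICT_POLICY = PasswordPolicy("strict", min_length=12, max_age_days=30)
RELAXED_POLICY = PasswordPolicy("relaxed", min_length=6, max_age_days=60)


def violations(password, policy, dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the password breaks (empty means it passes)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no number")
    if policy.require_special and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Dictionary check on the alphabetic core, so "Summer2009!" still trips on "summer".
    core = "".join(c for c in password if c.isalpha()).lower()
    if policy.forbid_dictionary and core in dictionary:
        problems.append("dictionary word")
    return problems


def is_expired(last_changed, policy, today):
    """True once the password is older than the policy's expiry window."""
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    for pw in ("Summer2009!", "Tr1p!eXr", "correct horse battery staple"):
        for pol in (STRICT_POLICY, RELAXED_POLICY):
            print(pol.name, repr(pw), violations(pw, pol) or "ok")
```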

Posted by: Joshua Nicholes
www.joshnicholes.com
