Ah, the poor password. We love it. We hate it. It’s the most maligned thing in our daily lives. Whether you are at work, home or on the road, you use multiple passwords a day. It’s the most common way we have to provide secure access to computers and applications.
Because we have so many passwords and we have to remember them, most of us are still in the bad habit of creating ones that are easy to guess. This happens for personal and business accounts. It’s one of the reasons that important systems are hacked.
A case in point is the recent data breach at the Utah Department of Health where at least 780,000 people’s personal information was compromised. According to IT officials investigating the matter, hackers got into the system because of a configuration error at the authentication layer of the server. I think that’s corporate speak for someone was using a default admin password or one that was easy to guess. If someone was guessing, the system should have locked out the account after a certain number of failed attempts.
Unfortunately this is more common that people realize. When organizations deploy servers, applications, printers, routers and a variety of other devices, many of them have a default password. It might be admin, default or sa. It’s there to provide a starting point so a user can log into the system and configure it. Many people don’t change the password or they create a new one that’s just as easy to guess. Examples include password, someone’s name, 123456 and countless others.
Another related issue is too many people have administrative credentials within organizations. I remember working with a company years ago that had very strict rules for who had admin access and when they were to use it. If a user needed administrative access to a system, that person had their own admin account. It was against policy to share accounts. The person would only log in with an administrative account to perform administrative functions. Once finished, they had to log out. They had a separate account for standard user tasks.
They also had a policy for two factor authentication for certain functions. This relied on 2 users each having half of a password. When needed, the two people had to be present and each would key in their half. Today, there are many other two-factor authentication systems that don’t rely on 2 people, but require separate steps. These are more efficient and secure. Think about the voice print and retina scan system at the CIA in the first Mission Impossible movie with Tom Cruise.
The fatal flaw with the current password mechanisms is that we need something that isn’t obvious, but something that we can remember. Some of the simplest ways to create a more complex password is to use upper and lower case alphanumeric characters plus a number or symbol. Unfortunately those can be hard to remember. It turns out that it’s more important to use a long password rather than a weird combination of characters. Each additional character adds an exponential layer of complexity for a brute force dictionary attack.
That means that using “Pa$$worD” is much weaker than “IwishIhadamilliondollar$”. If you are limited to a certain number of characters, make sure you pick the longest password you can. Use a phrase you know, but add something random into it like a symbol or a few punctuation marks. I also like adding spaces into passwords, because most people and hacking programs assume that a password is contiguous. Unfortunately many online password systems won’t allow spaces or symbols.
Businesses at a minimum need to ensure the following:
- Do not use default passwords
- Only people who need to perform administrative tasks regularly should have admin accounts
- After 5 or fewer failed login attempts, a system locks out the user
- Change passwords every 90 days, at least
- Do not allow simple passwords, such as the user name, “password”, etc.
Make sure you don’t use the same password for everything. If a criminal gets one they can access a lot of systems.
Until the computer industry comes up with another authentication system as simple as the password, we are stuck with them. Make sure you use a little common sense when choosing yours. Because if someone has the keys to the castle, it’s very easy to bypass all the locks.
Photo credit marc falardeau
