The Importance of a Strong Password Policy
Password policy is one of the most overlooked aspects of information security in many businesses today. How many times have you seen a user with a password like ‘apple44’? These kinds of passwords are ripe for cracking and data breaching. We explain why a strong password policy is so important.
If you control access to your information system with accounts having a user name and password, you should keep in mind the importance of keeping comprehensive and strict password standards. One of the most often-overlooked yet crucial elements to maintaining the security of your information assets is protecting the passwords of the users who interact with the system.
Failure to implement strong password rules means that system users may be allowed to enter passwords that are short in length, based off a simple dictionary word, or based on something easy to guess such as their first and last names followed by date of birth.
Weak passwords are extremely vulnerable to cracking techniques such as a brute force attack, in which a cracker uses an automated tool to try every single possible password or key until the correct one is found. Brute force techniques are extremely effective at cracking short passwords or passwords in a limited search space (such as those based off a dictionary word).
There is a form of brute force attack designed to crack passwords extremely quickly if the attacker has an idea of the search space (ie. if the attacker has a rough idea of the password requirements of the system they are attempting to crack). In a variation of the brute force attack called the dictionary attack, a potential attacker will use a pre-defined list of words (such as all the words in the dictionary) and cycle through all combinations of these to attempt to gain access to the system.
The dictionary attacker will sometimes add numbers onto the end of each dictionary word to pass the requirement that numbers be used in passwords. For example, the attacker might try the following series of guesses using a brute force tool: “aardvark”, “aardvark01”, “aardvark02”, and so on, until every word in the dictionary is exhausted.
This is why it’s especially important to not allow users to use a password that is based on a dictionary word, even if the word is followed by some numbers. It is estimated that a modern computer needs only 7 seconds maximum to crack a password that is 8 characters long based on a dictionary word using brute force techniques.
On the contrary, a password that is 16 characters long, is case sensitive, and uses numbers would take the same computer 4,416,658,052,197.2 years to crack. It should be obvious, then, to try and make your passwords as long as possible and ensure they are not based on a dictionary word.
An effective password standard for any organisation, though, must serve its primary purpose of helping to protect the organisation’s key information assets whilst also minimising disruption and inconvenience to employee activity. The last concern is a real one. It might seem a trivial matter, but enacting a password policy that is too arduous can significantly impact the organisation’s productivity levels, as corporate help desk staff are forced to respond to forgotten password requests. Indeed, a study by the Giga Information Group indicates that over 30% of helpdesk costs are related to forgotten passwords.
In addition, enforcing a password policy that requires users to enter an overly long or complex password means they will often resort to writing the password down on paper or elsewhere, leaving a potentially large security vulnerability if the paper becomes lost or stolen.