With modern-day corporate firewalls doing a pretty good job out of the box at protecting corporate network perimeters, hackers have turned to cracking legitimate user email and network accounts. As a result, many corporate networks, banks and other online service providers now require their users to use so-called “strong” passwords, and to change those passwords a few times each year.
We have seen some clients resist enforcing these kinds of policies. Let’s face it, it’s hard for an IT Director to march into the owner’s office and demand s/he change their password to something totally indecipherable. A few months ago, our last holdout client found their business at a standstill when they couldn’t send email any longer. Turns out, someone from Poland (the country, not Maine…) had correctly guessed or cracked a user’s Exchange email password, and had spent the weekend sending out tens of thousands of spam messages from their Exchange server, which by then was blacklisted. We got that fixed, shared with them our best practices for “strong” passwords and password rotation, and Bob’s your uncle…
What most people don’t realize is that “strong” or complex passwords can be very easy to remember AND very difficult to hack, all at the same time. First, the scary part: what is a good “strong” password policy?
Our view is that a good “strong” password policy should require that passwords have a minimum of eight characters, and at least one each of an uppercase character, a lowercase character, a numeral, and a punctuation mark.
If your name is John Doe, an easy-to-remember strong password might be “j0hN;d0e55” where the letter “o” is replaced by a zero.
If you are feeling particularly clever, you can use a phrase as a password, like “2mUch!cE” (“Too much ice”).
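To make the policy above concrete, here is a small checker, added as an example for this post rather than something from the original article or from any product it mentions. It encodes the four rules exactly as stated (eight-character minimum, plus at least one uppercase letter, one lowercase letter, one numeral and one punctuation mark), reports which rules a candidate fails rather than a bare yes/no, and uses the two sample passwords from the post as test inputs. The rule names and the `check_password` / `is_compliant` function names are my own choices, not anything the post defines.

```python
import re
import string
from typing import Callable, Dict, List

# The policy as stated in the post: minimum length plus one of each class.
MIN_LENGTH = 8

# Each rule maps a short name to a predicate over the candidate password.
# Punctuation is taken to mean any ASCII punctuation character (an assumption;
# the post does not say which characters count).
RULES: Dict[str, Callable[[str], bool]] = {
    "length": lambda p: len(p) >= MIN_LENGTH,
    "uppercase": lambda p: re.search(r"[A-Z]", p) is not None,
    "lowercase": lambda p: re.search(r"[a-z]", p) is not None,
    "numeral": lambda p: re.search(r"[0-9]", p) is not None,
    "punctuation": lambda p: any(c in string.punctuation for c in p),
}


def check_password(password: str) -> List[str]:
    """Return the names of the rules the password fails; an empty list means it complies."""
    return [name for name, passes in RULES.items() if not passes(password)]


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule in the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs: the two examples from the post, plus two
    # deliberately weak candidates to show which rules they miss.
    samples = ["j0hN;d0e55", "2mUch!cE", "password", "Ab1!"]
    for candidate in samples:
        failed = check_password(candidate)
        verdict = "OK" if not failed else "fails: " + ", ".join(failed)
        print(f"{candidate!r:14} {verdict}")
```

Because the function returns the list of failed rules, the same code can drive a helpful error message on a sign-up form (“add a numeral and a punctuation mark”) instead of the unhelpful “password does not meet requirements” that drives users toward writing passwords on sticky notes.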
Although these are easy to remember, different sites will have different policies, requiring you to use different passwords. At some point, you won’t be able to remember them all, so a good password manager (protected by a strong password, please!) will be needed. Our favorite password manager at the moment is KeePassX, which runs on Windows, Linux, Macs and Blackberries.
What is not a good idea is to allow your browser to remember your passwords for you, especially if you use a laptop. In the first instance, the encryption the browser uses isn’t all that strong, and if your PC/laptop is stolen or swapped out, you’ve not only lost your passwords, you’ve effectively just given them away.
Similarly, using an unencrypted spreadsheet for passwords isn’t a great idea either.
One dirty little secret is that the overwhelming majority of corporate security breaches these days are perpetrated by insiders, not outside hackers. As a result, many sites now require users to change their passwords every few months as well.
Using easy-to-remember but strong passwords goes a long way to protecting your personal and your company’s valuable data. When things get too complex, a good cross-platform password manager can help keep things straight as well.
If you have any questions about your company’s password policies, please call us at (207) 772-5678.