We’ve all done it. You are in a hurry for a lunch meeting and you want to check your email one last time and up pops a friendly, admittedly annoying, reminder that your password is about to expire. You click “OK”, check your email and dash off to lunch.
This charade continues for a few days until finally, you have to change your password. You have thought about this one long and hard (nope) and you have the perfect, most complex (simple) password that is 14 (8) characters long. Your compliance officer would be so happy (mortified) if they only knew.
Does this sound like you, because it sounds like me. Here are five password policy mistakes that we all make that are totally avoidable if we are properly educated.
1- If I make a policy everyone will follow it.
As much as we all this were true, if you do not have a system in place to ensure password policy compliance there is a good chance that many of your users are using non-compliant and/or weak passwords. This is not only a threat to the user’s workstation, but to the whole network.
2- Recycling old passwords is fine as long as it has been more than six months.
No way, man! We should never be recycling old passwords. As a wise man once said, “The past is in the past.” –let’s keep it there. Stretch those creative muscles in your brain and use something new and policy compliant.
3- Requiring at least eight characters makes passwords un-crackable.
Woah! Who told you that? It is true that the longer a password is the more challenging it can be to crack but just because a password is eight characters does not mean it can’t be cracked.
4- The longer the password the better.
Okay, so I just told you the longer a password is the better- but that doesn’t mean that a long password is the best password. Passphrases are great things, but “I love my dog” is a little bit easier to crack than “J4d*V2l”.
5- The more requirements a policy has the safer it is.
Sadly, no. The more requirements your policy has the more frustrated users will be and the less likely they will be to follow your policy.
So now what? I have just crushed all your dreams of ever having a good password policy- fear not! I have a solution.
1- Make sure there is a way to enforce your password policy.
Just because you make a rule doesn’t mean everyone will follow it. Make sure you have a system in place that will enforce your password policy.
2- Educate users on why it is important to have a strong password (hint: to keep secrets secret).
If users don’t see a reason to have a strong password they will be less likely to create one. Make sure your users know that there are many ways hackers can get into your network and having a strong password is a way to protect the company.
3- Remind users that using a memorable password that is strong is better than using a crazy password.
Having a password that has a bunch of crazy characters might make it difficult to crack, but if a user can’t remember all their crazy characters then the password is useless. Encourage users to choose passwords that they can remember, but that aren’t so easily guessed.
4- Make your policy requirements realistic.
Requiring 25 characters with three upper case letters, two numbers, and one special character might make a strong password but it also will make your users frustrated. If you need to require a lengthy password policy try to only make it apply to domain controllers and upper level management, this way you are protecting those that have clearance to the most data.
5- Check up on users that have not logged on in a while and make sure they have been disabled.
Users on your network that haven’t logged on for an extended period of time are one of the biggest forgotten threats. Make sure to regularly check your network and disable any users that haven’t been in use (we recommend about every quarter).
To learn about products that can help enforce a granular password policy check out www.nFrontSecurity.com