There’s a lot of writing online about passwords, and many experts will give you differing opinions on what constitutes a good password. In this blog post I’m not going to tell you what the best is, but I will share with you some of the worst I’ve seen.
If we’re talking about a traditional Microsoft network, there are a number of settings related to passwords that can be adjusted: how often it’s changed, how complex it needs to be, whether you can reuse old passwords, and more.
System administrators are often asked to adjust settings to allow simpler passwords, and often they do as they are asked. We should not. You shouldn’t have it too easy.
People instinctively feel that complex passwords are better and forcing a password change regularly is a smart move.
But is it really?
There is a school of thought that suggests the more complex a password, the more difficult it is to remember. I’ve seen many crimes against complex passwords: Post-it notes stuck in obvious places, or scribbles on desk pads. More complex means less likely to be remembered without help.
Century College offers some advice on creating a complex password: between 8 and 128 characters; use at least 3 of the following types of characters: (a) uppercase letters, (b) lowercase letters, (c) numbers, and/or (d) special characters; the password must be unique and cannot be re-used.
If you force users to make their passwords too complex, they will change their approach to remembering them, take more risks, and use more Post-it notes.
What about regularly changing passwords though, surely that’s a good idea?
Studies show that people tend to use something familiar, merely changing it a little at a time. Social engineering experts use this to guess your updated password, very often correctly, if they are able to figure out your pattern.
Don’t use the name of your company, the location of your work, your dog’s or kids’ names, or your birthdate. Don’t use the word “password”, or “123456”, or “qwerty”, or the absolute worst – NO PASSWORD AT ALL!
(I have personally seen all of those in use at one time or another)
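As an added example (not from the original post), here is a Python check that applies the Century College rule quoted above and also rejects the incremental “change it a little” pattern described two paragraphs up, so that a rotation from one password to a near-identical one is refused. The two-edit similarity threshold is an assumed value.

```python
import string

# The four character classes from the Century College rule.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)


def meets_complexity(pw: str) -> bool:
    """Century College rule: 8 to 128 characters, at least 3 of the 4 classes."""
    if not 8 <= len(pw) <= 128:
        return False
    classes_used = sum(1 for cls in CLASSES if any(ch in cls for ch in pw))
    return classes_used >= 3


def normalise(pw: str) -> str:
    """Strip the cosmetic tweaks people make at rotation time:
    letter case and leading/trailing digits or punctuation."""
    return pw.lower().strip(string.digits + string.punctuation)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(new_pw: str, old_pw: str, max_edits: int = 2) -> bool:
    """True when the new password is the old one with only a small change.
    max_edits=2 is an assumed threshold, not taken from any published policy."""
    if normalise(new_pw) == normalise(old_pw):
        return True
    return levenshtein(new_pw.lower(), old_pw.lower()) <= max_edits


def check_new_password(new_pw: str, previous_pws: list) -> list:
    """Return the reasons a proposed password should be rejected; [] means accept."""
    reasons = []
    if not meets_complexity(new_pw):
        reasons.append("fails complexity rule (8-128 chars, 3 of 4 classes)")
    if new_pw in previous_pws:
        reasons.append("re-used password")
    if any(is_trivial_variant(new_pw, old) for old in previous_pws):
        reasons.append("trivial variant of a previous password")
    return reasons
```

In a real deployment the previous passwords would be compared as hashes, so the variant check has to run at change time while the old plaintext is still in hand.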
Using the following site, http://www.passwordmeter.com/, you can test a potential password. Except I’m ultra cautious, so I’m never going to type an actual password into it; I’ll just test something along the lines I might use and see.
But a good mix of the rules above generates a password that can still be memorable but will be pretty strong, and moreover will give a password cracking app problems as well.
JUST REMEMBER – if you have a device that is not connected to the network, the password cannot be changed other than on that device. Forget that password at your peril. This is where the advantage of a client/server network helps!
The above is a good illustration of how just cranking up the levels is not always the best deterrent.
GCHQ has issued guidance on how best to protect your systems. They do not recommend overly complex passwords, but rather that system administrators look at alternative options such as monitoring logins for authenticity.
As part of our Security Simplified service, Technology Simplified employ a 2FA solution. This provides an extra layer of authentication that enhances network security.
We insist upon this for ALL client/server access, but it can also be rolled out to individual users and devices for an even greater level of security.
Whilst not the best password ever, it’s a significant improvement over the standard configuration.
If you’d like to discuss your corporate security in more detail, or to know more, get in touch via email or call on 01726 247257.