Recently, a co-worker humorously described the number of passwords he had to reset during a weekend on call as ‘International Password Reset Weekend’. Shortly thereafter I received an email notifying me that “World Password Reset Day” was coming, a glorious occasion to celebrate personal computing security by reminding people they need to reset their passwords. While I found my co-worker’s witty phrase and the coincidence of World Password Reset Day quite funny, I don’t think one day is nearly long enough.
Through my time working the phones as a support technician, one of the many hats I wear, I have learned that people generally disregard password safety. They either expect the rest of the system to handle security for them, or they simply don’t want to be bothered with it; they feel the extra burden of keeping up with a password will put them so far behind in their work that they will never catch up, rather like the driver who has to speed around you and cut you off to make a turn he could just as easily have made by staying behind you. Combine that mentality with the growing reliance on electronic healthcare and self-service medical record access, more pervasive malware, and concerted attacks against the networks that store financial and medical data, and you have a recipe for disaster. Despite the increasing sophistication of network attacks, the old tried-and-true methods, such as finding an unattended logged-in workstation, dictionary attacks, and social engineering, are still real threats.
The bottom line is that you need strong passwords, and they need to be changed often enough to limit the damage a would-be attacker can do once they have learned an account name or even the password itself. Common guidelines now suggest passwords of 12 to 14 characters; however, if your users access more than two systems and you do not have single sign-on (SSO) implemented, passwords of that length will create more problems and headaches than they solve. They are likely to be constantly mistyped or forgotten, or written down somewhere easily accessible. Require changing them too often as well and you not only magnify those issues, you also have a harder sell for your security strategy and a lower likelihood of compliance. Even though a 14-character password built from dictionary words and predictable substitutions may not hold up for long against a concerted offline attack on modern hardware (how long it survives depends far more on how it was chosen and how the system hashes it than on its length alone), we still live in a world that mostly uses usernames and passwords for authentication. It is essential to create a sound strategy that includes strong passwords and required changes, and to educate users on password security. Make sure they understand it is not just for work, but a strategy they should use in their personal lives.
- Passwords should be 8 characters or longer (longer is better, but again – a hard sell without SSO)
- Passwords should use a mix of character types (upper and lower case, numbers, symbols)
- Passphrases – several words combined, or the first letter of each word in a sentence – are highly recommended
- Change the password every 90 to 180 days (changing too often can actually weaken security, because users start making trivial variations on the previous password)
- Do not reuse a previous password on the same system or website
- Do not create a “single point of failure”:
  - Use a different password for each system or website
  - Do not store passwords where a single compromise exposes everything, e.g. keep the passwords for applications and sites accessed from your computer on your phone, and vice versa
  - Do not store the usernames with the passwords
- Never share a username and password with anyone for any reason (it might hurt your IT support’s feelings, but be wary of sharing with them, too)
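The guidelines above describe a policy that a system can enforce at the moment a user picks a new password. The following Python is an added example written for this page; it is not code from the original post or from any particular product. It checks minimum length, the character mix (with a multi-word passphrase accepted instead of the mix), reuse against a per-user history of previous passwords, and whether the current password is past its rotation window. The thresholds (8 characters, three character classes, a three-word passphrase, 180-day maximum age, five remembered passwords) and the use of PBKDF2 for the history entries are assumptions chosen for the example, and the sample passwords in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Thresholds are assumptions for this example, chosen to match the guidelines above.
MIN_LENGTH = 8              # "8 characters or longer"
MIN_CLASSES = 3             # of lower, upper, digit, punctuation
MIN_PASSPHRASE_WORDS = 3    # a multi-word passphrase is accepted in lieu of the class mix
MAX_AGE_DAYS = 180          # "change the password every 90 to 180 days"
HISTORY_DEPTH = 5           # previous passwords remembered to block reuse
PBKDF2_ROUNDS = 100_000     # slow hash so a stolen history file is not trivially cracked


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 of the password; the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def is_passphrase(password):
    """Several words separated by whitespace, as in 'correct horse battery staple'."""
    return len(password.split()) >= MIN_PASSPHRASE_WORDS


class PasswordHistory:
    """Per-user record: salted hashes of recent passwords and the date of the last change."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.entries = []          # (salt, digest) pairs, oldest first
        self.last_changed = None   # datetime.date of the most recent change

    def was_used_before(self, password):
        # Constant-time compare against every remembered digest.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password, when):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.entries = self.entries[-self.depth:]   # forget entries beyond the depth
        self.last_changed = when


def check_new_password(password, history):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not is_passphrase(password) and character_classes(password) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} character classes or a multi-word passphrase")
    if history.was_used_before(password):
        problems.append("already used on this system")
    return problems


def change_required(history, today):
    """True when the current password is older than the rotation window (or none is set)."""
    if history.last_changed is None:
        return True
    return today - history.last_changed > timedelta(days=MAX_AGE_DAYS)


def demo():
    """Walk one user through the checks with constructed sample passwords; returns the outcomes."""
    history = PasswordHistory()
    results = {
        "too_short": check_new_password("Ab1!", history),
        "no_mix": check_new_password("password", history),
        "mixed": check_new_password("Tr0ub4dor&3", history),
        "passphrase": check_new_password("correct horse battery staple", history),
    }
    history.record("correct horse battery staple", date(2024, 1, 1))
    results["reused"] = check_new_password("correct horse battery staple", history)
    results["due_after_60_days"] = change_required(history, date(2024, 3, 1))
    results["due_after_213_days"] = change_required(history, date(2024, 8, 1))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The history is kept as salted, slow hashes rather than plaintext, which is the same "single point of failure" concern as the bullet about where passwords are stored: a stolen history file should not hand an attacker a user's last five passwords, which are often near-variants of the current one. In a production system the same checks would sit behind the existing password-change endpoint and use the platform's password hashing (bcrypt, scrypt or Argon2) instead of the PBKDF2 helper used here.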
Of course there are other options to consider if you’re an administrator, such as account lockout policies, but those parts of a strategy are more about notifying users that a policy exists than about educating them on password safety, so we’ll save them for another time. Some of this can be enforced by policy, but reaching out to users and educating them must be part of any strategy you want to succeed; they really have to buy in if it’s going to work. To do that you certainly need more than a day, and in all fairness you’re probably going to need more than a week.