Your employees’ computer passwords are the keys to your information kingdom. If someone can, in effect, impersonate one of your employees, he or she gains entry to your company’s vital information: your financial records, your personnel and HR data and your confidential customer data, all on display. An attacker can not only view this information but also change it, send e-mail in the employee’s name, introduce malware into your systems and generally inflict all sorts of havoc on your company.
You may have implemented all sorts of advanced security systems at your company, but you should also ask yourself a simple question: Are the employee authentication methods I’m using appropriate for my business? Often the weak link in security is employees. Well-meaning workers share their passwords with other employees, pin up passwords on Post-It notes on their monitor and generally take this matter too lightly.
Good password security starts with strong passwords, and it is important that workers understand the basics. A strong password is one that an attacker cannot guess or enumerate in any practical amount of time. Passwords today are subject to brute force attacks, in which a program systematically tries every combination until it finds the right one. For example, a four-character password using only lowercase letters has 26^4, or 456,976, combinations. That sounds like a lot, but a computer testing a million combinations per second (the rate assumed in this example) would exhaust them in under half a second, and a modern GPU attacking a stolen database of fast, unsalted hashes such as NTLM or MD5 tests billions of guesses per second. Good password practices cannot stop an attacker from trying, but they can make the attempt hopeless. Strong passwords are a numbers game: each additional character multiplies the number of combinations by the size of the alphabet, so adding uppercase letters, digits and symbols (the roughly 95 printable ASCII characters) enlarges the keyspace sharply. An eight-character password drawn from a 96-character alphabet has about 7.2 quadrillion combinations, which at a million guesses per second would take over 228 years to exhaust. Against a fast hash at ten billion guesses per second, however, the same space falls in about a week, which is why length matters more than any single symbol, and why the system storing the passwords must hash them with a slow, salted algorithm rather than a plain MD5 or SHA-1.
Employees who are not comfortable adding complexity to their passwords can use a passphrase instead. Passphrases are much longer than a typical password but not particularly complex. A memorable phrase such as “The Resource for Small Business” has a far larger keyspace than a typical eight-character password if an attacker has to guess it character by character, and it is not easily forgotten. Be aware, though, that a published slogan, song lyric or quotation is exactly what a cracking dictionary contains; a phrase of several unrelated words, or words picked at random from a word list, is much stronger than a well-known one. Character substitution is another common technique: take a simple password and replace every a with @ and every e with 3, so that the easy-to-remember AidanMichael becomes @id@nMich@3l. This looks complex to the eye, but a→@ and e→3 are among the first rules a password-cracking tool applies to every dictionary word and name, so treat substitution as a small improvement over the plain words, not as a strong password in itself.
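The arithmetic behind the two paragraphs above, as an added example that is not part of the original article: it computes keyspace and worst-case search time for several alphabets at several guess rates, shows how a random word-list passphrase is measured, and undoes the @/3 substitutions the way a rule-based dictionary attack does. The guess rates and the tiny word list are assumed, illustrative values constructed for the example, not benchmarks.

```python
import math

# Illustrative guess rates in guesses per second. These are assumed round
# numbers for the example, not benchmarks. An online login form throttles the
# attacker; an offline attack on a stolen hash database runs as fast as the
# hardware and the hash algorithm allow.
GUESS_RATES = {
    "the article's computer (1 million/s)": 1e6,
    "online, rate-limited login form": 10,
    "offline, slow hash (bcrypt/scrypt/PBKDF2)": 1e4,
    "offline, fast unsalted hash on a GPU rig": 1e10,
}

CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable ASCII": 95,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """log2 of the keyspace: the number of bits a brute-force attacker must search."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every password in the space at `rate` guesses/s."""
    return space / rate / SECONDS_PER_YEAR


def wordlist_passphrase_bits(num_words: int, list_size: int) -> float:
    """Entropy of a passphrase of `num_words` words chosen at random (with
    replacement) from a list of `list_size` words. The attacker is assumed to
    know the list; only the choice is secret."""
    return num_words * math.log2(list_size)


# Substitutions that cracking rule sets reverse routinely.
LEET = str.maketrans({"@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


def deleet(password: str) -> str:
    """Undo common character substitutions and lowercase the result."""
    return password.translate(LEET).lower()


def is_mangled_wordlist_entry(password: str, wordlist: set) -> bool:
    """True if the password is a wordlist entry, or two entries glued together,
    once leetspeak is undone. This mirrors a rule-based dictionary attack."""
    base = deleet(password)
    if base in wordlist:
        return True
    return any(base[:i] in wordlist and base[i:] in wordlist
               for i in range(1, len(base)))


if __name__ == "__main__":
    # Constructed sample word list standing in for a real cracking dictionary.
    names = {"aidan", "michael", "password", "summer", "welcome"}

    for label, size in CHARSETS.items():
        for length in (4, 8, 12):
            space = keyspace(size, length)
            years = "; ".join(f"{k}: {years_to_exhaust(space, r):.2e} y"
                              for k, r in GUESS_RATES.items())
            print(f"{label:18} len {length:2}: {entropy_bits(space):5.1f} bits; {years}")

    for pw in ("AidanMichael", "@id@nMich@3l", "W3lc0me", "Tr1ckier"):
        print(f"{pw:14} found by dictionary+rules: {is_mangled_wordlist_entry(pw, names)}")

    print(f"5 random words from a 7776-word list: {wordlist_passphrase_bits(5, 7776):.1f} bits")
```

The table reproduces the article’s 228-year figure for a 96-character, eight-character password at a million guesses per second, and shows the same keyspace lasting days rather than centuries at GPU speeds against a fast hash. The substitution check reports @id@nMich@3l as found because, once the substitutions are undone, it is just two names from the list.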
There are also things you can do at a company-wide level to help secure your accounts. First and foremost, your organization should have a well-defined password policy. Enforce a minimum password length; eight characters is the least you should permit, and longer is better. Microsoft Active Directory and other directory and network administration tools can enforce password complexity, ensuring that every password includes at least one number, one symbol and both upper- and lowercase letters. The policy should also address password aging, which forces employees to change passwords after a predetermined period. The traditional practice is to require a change every 30 to 90 days; note that more recent guidance, such as NIST SP 800-63B, advises against forced periodic changes and recommends changing a password when there is reason to believe it has been compromised, because routine rotation pushes users toward predictable variations of the same password.
At first employees may balk at the idea of changing passwords so frequently, and the usual workaround is a system for altering a standard password: for example, a 10-character password where the first eight characters stay the same and the last two change sequentially (01, 02 and so on). This keeps the password off a Post-It note, but it adds almost no security. Anyone who learns one version of the password, for instance from a breach of another site where it was reused, will try the next number immediately, and cracking tools append such suffixes as a matter of course. If you require rotation, have the system reject a new password that differs from the old one only in its numeric suffix, and encourage employees to change the whole password or use a passphrase instead.
IT departments should also implement a lockout policy that automatically disables an account after a predetermined number of incorrect log-in attempts. Once the threshold is reached, the account refuses further log-in attempts until it is unlocked by an IT administrator or, more commonly, until a configured lockout period expires. Set the threshold with care: too low and legitimate users who mistype a password will flood your IT department with unlock requests, and any lockout policy lets an attacker who knows your usernames lock those users out on purpose, so it should complement rate limiting rather than be your only control. Ten wrong attempts within 30 minutes is a reasonable starting point, and starting with a generous threshold gives end users time to adjust to the change.
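The three controls described above (minimum length plus complexity, rejection of a rotated password that only changes its numeric suffix, and a sliding-window lockout) as an added example, not code from the original article or from any directory product. It is a self-contained Python model of a login service: the user records, the salted PBKDF2 hashing and the timestamps are constructed for the example, and the threshold, window and lockout duration are assumed defaults that mirror the ten-attempts-in-30-minutes starting point.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

CLASS_PATTERNS = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


class PasswordPolicy:
    """Minimum length, character-class complexity, and a check that the new
    password is not the previous one with a different numeric suffix."""

    def __init__(self, min_length: int = 8, required_classes: int = 4):
        self.min_length = min_length
        self.required_classes = required_classes

    @staticmethod
    def _stem(password: str) -> str:
        # "Winter-01" and "Winter-02" both reduce to "winter-"
        return password.rstrip("0123456789").lower()

    def check(self, candidate: str, previous: Optional[str] = None) -> list:
        """Return the list of policy violations; an empty list means accepted."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        missing = [name for name, pat in CLASS_PATTERNS.items()
                   if not re.search(pat, candidate)]
        if len(CLASS_PATTERNS) - len(missing) < self.required_classes:
            problems.append("missing " + ", ".join(missing))
        if previous is not None and self._stem(candidate) == self._stem(previous):
            problems.append("only the numeric suffix differs from the previous password")
        return problems


class LockoutTracker:
    """Sliding-window lockout: `threshold` failures within `window` lock the
    account for `lockout`; a successful login clears the failure history."""

    def __init__(self, threshold: int = 10,
                 window: timedelta = timedelta(minutes=30),
                 lockout: timedelta = timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed attempt and return True if the account is now locked."""
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self._locked_until[user] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256, a deliberately slow hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def authenticate(user: str, password: str, users: dict,
                 tracker: LockoutTracker, now: datetime) -> str:
    """Return 'locked', 'ok' or 'fail'. Unknown users take the same failure path
    as wrong passwords so the response does not reveal which accounts exist."""
    if tracker.is_locked(user, now):
        return "locked"
    stored = users.get(user)
    if stored is not None:
        salt, digest = stored
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            tracker.record_success(user)
            return "ok"
    tracker.record_failure(user, now)
    return "fail"


if __name__ == "__main__":
    policy = PasswordPolicy()
    for new, old in (("Tr0ub4dor&3", None), ("password", None), ("Winter-02", "Winter-01")):
        print(f"{new!r:14} -> {policy.check(new, old) or 'accepted'}")

    users = {"alice": hash_password("Correct-Horse-42")}   # constructed account
    tracker = LockoutTracker()
    t0 = datetime(2024, 1, 1, 9, 0)
    for i in range(10):                                     # ten guesses, one per minute
        print(i + 1, authenticate("alice", f"guess{i}", users, tracker, t0 + timedelta(minutes=i)))
    print("right password while locked:",
          authenticate("alice", "Correct-Horse-42", users, tracker, t0 + timedelta(minutes=10)))
```

The tracker counts failures in a sliding window, so ten mistakes spread over more than 30 minutes never trip it, while ten in quick succession lock the account for the configured period even when the next attempt uses the correct password. The PBKDF2 work factor is what keeps an offline attacker at thousands, not billions, of guesses per second if the hash database leaks.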
Companies that want an even higher level of security should consider more advanced solutions. Typically these rely on two or more independent factors of authentication, something the user knows, has or is, which is known as multifactor authentication.