User passwords are often a weak link in the corporate security chain. How can security pros make users adhere to strong password policies?
Recent corporate security breaches have taught us something important: The average computer user is spectacularly bad at choosing good passwords.
The most popular passwords turn out to be simple, easy-to-remember ones, like "password," "123456," "monkey" and "iloveyou," all of which provide little security. If you can remember your password, then it is probably not secure.
Experts agree secure passwords should be 11 characters or more and made up of random characters drawn from a pool of upper and lower case letters, as well as numbers and special characters like "%" and ">." To understand why, consider this: Here's how long it might take a hacker to guess a password, using a computer that can make one hundred billion guesses per second:
- A password made up of six random lower case letters: a fraction of a second
- A password made up of 11 random lower case letters: 11 hours
- A password made up of 11 random lower and upper case letters: two-and-a-half years
- A password made up of 11 random lower and upper case letters, numbers and special characters: 500 years
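The figures above follow directly from keyspace arithmetic: a pool of N characters and a length of L gives N^L candidates, and dividing by the guess rate gives the worst-case time to try them all. The following calculator, added here as an illustration and not part of the original article, reproduces that arithmetic with the article's assumed rate of one hundred billion guesses per second. The pool sizes are an assumption: the article does not say how many special characters it counts, and with the full printable-ASCII set of 95 characters the 11-character mixed figure comes out around 1,800 years rather than 500, so the last row is sensitive to that choice. It also adds entropy in bits and a helper that inverts the calculation to find the minimum length for a target resistance.

```python
import math

GUESSES_PER_SECOND = 100_000_000_000  # the article's assumed attacker speed: 1e11 guesses/s

# Pool sizes (assumed). 33 is the full printable-ASCII punctuation set:
# 26 + 26 + 10 + 33 = 95 printable characters.
LOWER, UPPER, DIGITS, SPECIALS = 26, 26, 10, 33
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(pool_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from a pool of `pool_size`."""
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(pool_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate tried. The expected time to hit the real password is half this."""
    return keyspace(pool_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration the way the article does ('a fraction of a second', '10.2 hours', ...)."""
    if seconds < 1:
        return "a fraction of a second"
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def article_table() -> list[tuple[str, float, str]]:
    """The article's four rows, recomputed: (label, entropy bits, worst-case crack time)."""
    rows = [
        ("6 random lower case", LOWER, 6),
        ("11 random lower case", LOWER, 11),
        ("11 random mixed case", LOWER + UPPER, 11),
        ("11 random mixed case + digits + specials", LOWER + UPPER + DIGITS + SPECIALS, 11),
    ]
    return [(label, round(entropy_bits(pool, n), 1), human_duration(seconds_to_exhaust(pool, n)))
            for label, pool, n in rows]


def min_length_for(pool_size: int, years: float, rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust at `rate`."""
    needed = years * SECONDS_PER_YEAR * rate
    return math.ceil(math.log(needed, pool_size))


if __name__ == "__main__":
    for label, bits, duration in article_table():
        print(f"{label:45s} {bits:6.1f} bits  {duration}")
    print("lower-case length for 100 years of resistance:", min_length_for(LOWER, 100))
```

The useful takeaway for policy design is the `min_length_for` direction: decide how long a password must resist an offline attack at a stated guess rate, then derive the minimum length from the pool your users will realistically draw from, rather than picking a length first.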
So how do you ensure that your users choose secure passwords? While user education is helpful, corporate security is too important to rely on that alone. In a tradeoff between security vs. convenience, many users will choose a short, easy-to-remember password like 123456 even if they know that it is insecure.
Password Policy Tools
In a Windows Active Directory environment, administrators can impose certain password policies on users when they choose a password. The built-in policies are fairly basic, however. You can specify a minimum length, an expiration period and limits on reusing previous passwords, but not much else.
Dedicated password policy enforcement tools go beyond these built-in controls and allow administrators to impose rules such as:
- Complexity. Requires passwords to contain characters from a variety of character sets (such as digits, upper case characters and so on). The required number and selection of character sets are usually configurable.
- Contained in a dictionary. Passwords must not be vulnerable to attack with a dictionary or hybrid cracking algorithm. The tools should be sophisticated enough to detect partial matches, character substitution and character reversal.
- Keyboard pattern. This prohibits passwords with keyboard patterns such as "qwerty" or "asdfasdf."
- Repeating patterns. This disallows passwords with repeated characters, such as "aaaabbbb" or repeated patterns such as "monkeymonkey."
- Similarity. This detects when a user is choosing passwords with an obvious sequence, like "password1" or "password2" each time the password is changed.
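The five rule types listed above can all be expressed as small, testable checks. The following checker is an added example, not code from any of the products the article alludes to, and it makes the choices a real product would make configurable: a constructed seven-word dictionary stands in for a full cracking wordlist, the keyboard rows and leet-substitution table are assumptions, and the thresholds (11 characters, three character classes, a four-key keyboard run, 80% similarity) are illustrative defaults.

```python
import re
from difflib import SequenceMatcher

# Constructed sample wordlist; a real deployment loads a large dictionary of leaked passwords.
DICTIONARY = {"password", "monkey", "iloveyou", "letmein", "welcome", "dragon", "football"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Substitutions a hybrid cracker would undo, so p@$$w0rd is treated as "password" (assumed table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and keep only letters, for dictionary comparison."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_complexity(password: str, min_length: int = 11, min_classes: int = 3) -> bool:
    """Complexity rule: minimum length and a minimum number of distinct character classes."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= min_length and classes >= min_classes


def dictionary_match(password: str):
    """Dictionary rule: the word the password is built on, or None.
    Catches character substitution (leet), reversal and partial matches on words of 5+ letters."""
    core = normalize(password)
    for candidate in (core, core[::-1]):
        for word in DICTIONARY:
            if word == candidate or (len(word) >= 5 and word in candidate):
                return word
    return None


def keyboard_pattern(password: str, run: int = 4):
    """Keyboard rule: a run of `run` adjacent keys in either direction along a row, or None."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return chunk
    return None


def repeating_pattern(password: str):
    """Repeating rule: a character repeated 3+ times ('aaaa') or a substring repeated
    back to back ('monkeymonkey'), or None."""
    m = re.search(r"(.)\1{2,}|(.{2,}?)\2+", password)
    return m.group(0) if m else None


def too_similar(new: str, old, threshold: float = 0.8) -> bool:
    """Similarity rule: same base with only a trailing counter changed, or a high edit similarity."""
    if old is None:
        return False
    strip = lambda s: re.sub(r"\d+$", "", s.lower())
    return strip(new) == strip(old) or SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold


def evaluate(password: str, previous=None) -> list[str]:
    """Run every rule and return the names of the ones the candidate password violates."""
    problems = []
    if not check_complexity(password):
        problems.append("complexity")
    if dictionary_match(password):
        problems.append("dictionary")
    if keyboard_pattern(password):
        problems.append("keyboard")
    if repeating_pattern(password):
        problems.append("repeating")
    if too_similar(password, previous):
        problems.append("similarity")
    return problems


if __name__ == "__main__":
    for candidate, prev in (("password1", "password2"), ("monkeymonkey", None),
                            ("qwerty123!", None), ("P@$$w0rd!", None), ("xK9#vL2@pQw7", None)):
        print(f"{candidate:15s} -> {evaluate(candidate, prev) or 'ok'}")
```

Returning the list of violated rules, rather than a bare pass/fail, is what lets a client-side helper of the kind described below tell the user which requirement they missed. Note that the dictionary check normalizes before comparing, so a rule that only inspects the raw string would accept "P@$$w0rd!" as compliant with the complexity rule while this one rejects it.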
Many of these products also supply an optional client program which runs on users' computers and helps them choose a compliant password by displaying the password policy requirements.
What happens, though, when users log on to cloud-based applications such as Box, Office365 or Salesforce.com? What's to stop a user from choosing an insecure password when they are free of the policy controls that stem from Active Directory?