Bad passwords make security worthless!


You can have the most secure infrastructure in the world, but if someone gets your username and password, all that security is for nothing. We at SMIT do our best to prevent malicious breaches of all our clients’ IT infrastructure. Yet even when we follow the best IT practices for software security, monitor for issues and patch software, an attacker who obtains your login credentials (username and password) could have access to everything. Once that happens, there is little you can do until we (or your IT support service) change your user password. So, beyond managing a business’s IT infrastructure, we still need to make sure that users are vigilant about the security of their login credentials.

Over the past 5 years, academic security experts have written extensively about the importance and usefulness of strong end-user passwords. Nonetheless, IT administrators know all too well that end-users do not want an extremely secure random 30-character password such as r#Z2p$zv}V~LetZ^wH+q%vnMu"pzdh. Security research suggests that the most important guidelines for password creation are as follows:

  • Important login passwords should be unique: never reuse one on another account. The following online login credentials are most often considered important, but you may include more:
    • work login (work computer, work accounts (e.g. RDP access))
    • email login (work email, Gmail, Yahoo Email, Hotmail)
    • banking/credit login
    • internet service provider login (e.g. Comcast, Century Link)
    • phone/cell phone service login (e.g. AT&T, Verizon, T-Mobile, Sprint, etc.)
  • Passwords should not consist solely of a phrase taken from literature
  • Passwords should not be among the top 25 most common passwords, or slight modifications thereof (see https://en.wikipedia.org/wiki/List_of_the_most_common_passwords)
  • Passwords should consist of 14 characters or more, to reduce the chance that a cracking attempt succeeds
  • Passwords should consist of a combination of uppercase letters, lowercase letters, numerals and non-alphanumeric characters
  • Passwords should be changed once a year

Following the above criteria, my usual recommendation for end-user password creation is:

  1.  two unrelated words, written with a mixture of uppercase and lowercase letters
  2.  at least 5 numeric characters
  3.  at least one non-alphanumeric character
  4.  a total composition of at least 14 characters
  5.  all components placed in a non-predictable sequence

The examples below show how to build a password that meets the above criteria; each line lists the word pair, the digits and the symbol, followed by the resulting password:

  • Green Porcupine; 83992; % = 839Green%92Porcupine
  • Space Tea; 22137; & = &Space2213Tea7
  • Novel Practice; 44208; # = 44Novel2#Practice08
  • Blimey Tractor; 38393; * = 38Blimey3Tractor9*3
  • Elephant River; 62577; ! = !Elephant62River577
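A small checker for the five criteria above, added here as an example and not part of SMIT's own tooling. The "non-predictable sequence" rule is interpreted here as the digits being split across the password rather than placed at one end (as every example above does), and the common-password list is a constructed sample standing in for the list linked above.

```python
import re
import string

# Thresholds taken from the criteria above.
MIN_LENGTH = 14
MIN_DIGITS = 5

# Constructed sample of very common passwords; illustrative only, not a copy
# of the linked "most common passwords" list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "iloveyou", "welcome", "monkey", "dragon"}

# Usual symbol/digit-for-letter substitutions, so "P@ssw0rd" still matches.
LEET = str.maketrans("@$013457", "asoieast")


def looks_common(pw: str) -> bool:
    """True if the password is a common password or a light tweak of one
    (case change, leet substitutions, digits or symbols added around it)."""
    letters = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    digits = "".join(c for c in pw if c.isdigit())
    return any(base in letters or base in digits for base in COMMON_PASSWORDS)


def check_password(pw: str) -> list:
    """Return the criteria the password fails; an empty list means it passes."""
    problems = []
    # 1. two words (a capitalised or lowercase run of letters) with mixed case
    words = re.findall(r"[A-Z]?[a-z]{2,}", pw)
    if len(words) < 2:
        problems.append("needs two words")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs upper and lowercase letters")
    # 2. at least five digits
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append(f"needs at least {MIN_DIGITS} digits")
    # 3. at least one non-alphanumeric character
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a non-alphanumeric character")
    # 4. total length
    if len(pw) < MIN_LENGTH:
        problems.append(f"needs at least {MIN_LENGTH} characters")
    # 5. non-predictable sequence: digits must form at least two separate runs
    if len(re.findall(r"\d+", pw)) < 2:
        problems.append("digits should be interleaved with the words")
    if looks_common(pw):
        problems.append("resembles a common password")
    return problems


if __name__ == "__main__":
    for pw in ["839Green%92Porcupine", "GreenPorcupine83992%", "P@ssw0rd1!"]:
        print(pw, "->", check_password(pw) or "OK")
```

All five example passwords above pass the checker, while "GreenPorcupine83992%" is rejected only for tacking the digits onto the end.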

If you follow the above criteria for password creation, keep passwords a secret between yourself and your IT organization (SMIT), and set password policies that force users to change passwords once a year, then your IT infrastructure and digital persona will remain secure.