Sep 18 2013

6 Ways Businesses Should Never Manage Their Passwords

Don’t let bad password practices creep into your organization.

People hate passwords. In fact, lots of people dislike IT security of all types. Some managers are lax about enforcing password security policies or avoid security themselves. This leads to some embarrassingly bad password management.

If you see your company in one of these examples, change quickly. You wouldn’t leave the keys dangling in the ignition of your company vehicle, so why leave giant holes in your corporate IT security?

Here are 6 ways businesses should never manage their passwords.

1. Allow Real-Word Passwords

The most commonly hacked password, according to several “worst password” lists, is “password.” If you allow real words to pass through your password filter, you will have unimaginative users defaulting to the most obvious term that comes to mind. Other foolish password choices include the user’s first name or “rockstar.” You might think you’re a rockstar, but using that word as a password will make you nothing but a malware groupie.

2. Allow Short Passwords

One thriller made into a TV movie hinged on the bad guy using "1" as his password, since no one would ever guess such an insecure password. While it might be cute in fiction, in reality, using short passwords is a completely wrongheaded approach to fooling hackers. By making passwords at least eight characters, you can help make the guesswork a little more difficult.

3. Avoid Checking for Adjacent Keystrokes

Even when you impose a minimum length, users often default to the string of characters that their fingers rest on. So you see lots of passwords with "123456" or "asdfjkl;" in them. Sure, the second example does include a symbol, the semicolon, which is good. Every password should include some combination of letters, numbers and symbols, or at least two of the three.
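The three filter rules above (no real words, no short passwords, no runs of adjacent keys, plus the two-of-three character-class rule) as an added Python policy checker; this is illustrative code, not from the original article. The mini wordlist, the QWERTY row layout and the run length of four keys are assumptions.

```python
import string

# Constructed mini wordlist standing in for a real dictionary (assumption;
# a production filter would load a full list such as the cracklib words).
COMMON_WORDS = {"password", "rockstar", "welcome", "letmein", "qwerty", "monkey"}
# Rows of a US QWERTY keyboard: "123456" and "asdfjkl;" are walks along them.
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
MIN_LENGTH = 8   # the article's minimum
RUN_LENGTH = 4   # adjacent keys in a row that count as a keyboard walk (assumed)

def has_keyboard_walk(password: str, run: int = RUN_LENGTH) -> bool:
    """True if any `run` consecutive characters sit side by side on one row."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(p) - run + 1):
            chunk = p[i:i + run]
            if chunk in row or chunk[::-1] in row:  # forward or backward walk
                return True
    return False

def contains_dictionary_word(password: str, words=COMMON_WORDS) -> bool:
    """True if a wordlist entry appears anywhere in the password (case-insensitive)."""
    p = password.lower()
    return any(w in p for w in words)

def char_classes(password: str) -> int:
    """Count how many of letters / digits / symbols the password uses."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return sum((has_alpha, has_digit, has_symbol))

def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_dictionary_word(password):
        problems.append("contains a common real word")
    if has_keyboard_walk(password):
        problems.append("contains a run of adjacent keys")
    if char_classes(password) < 2:
        problems.append("uses fewer than two of letters, digits and symbols")
    return problems

if __name__ == "__main__":
    for pw in ["password", "1", "asdfjkl;", "Rockstar99!", "Tr4vel#Mug-2013"]:
        print(f"{pw!r}: {', '.join(check_password(pw)) or 'OK'}")
```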

4. Allow Passwords to Be Managed by Random Slips of Paper

Between Post-it Notes on monitors and slips of paper hiding under the keyboard or in the top drawer, passwords are often written on whatever is close by. Yes, it even happens in the executive suite. Often, the most senior executives are the least likely to believe password rules apply to them.

5. Allow Password Sharing Among Coworkers

The fact that you can never trace a data breach back to an individual when multiple people share the same password should be one of the leading reasons you nip this horrid idea in the bud. Don’t worry about busting up password friendships; just don’t let them happen in your company.

6. Assign New Long, Complicated Passwords Every Month

One way to really tighten security is to issue new passwords to each user each month, preferably constructed by a random character generator set on Torture Mode. What could be more secure than l398FU48#@876lsdfo**? Almost anything, because a user will never remember that, even if by some miracle they can read it. Are those lower case L's or ones? This is why password resets are the number one help desk call.

Pity the user — they have passwords with random rules in all aspects of their personal life. Some security-challenged banks won't allow symbols; one website won't allow more than eight characters, while the next one won't allow fewer than eight.

While security is of the utmost importance, making password management overwhelming and burdensome to the user is just as bad as having lax management policies. It's confusing out there, so make it easier for your users to follow password policies by ensuring that they protect but don't penalize. Better password management helps us all.