IT security is built on a simple premise: that your accounts are secure by default, and that a malicious person would need to take some form of advanced action to gain access to your system. A username and password are usually the end goal, and if these can be guessed by a human, without any computer-based attack at all, every other security measure is effectively void. So, let’s talk about a couple of basic password tips for you all.
To enforce change or not
The old adage is to change your password every now and then, usually about every 3 months. However, this advice has actually changed. As of about April this year, the National Institute of Standards and Technology (NIST), a US government organisation, advised that password policies should not force changes on an arbitrary, regular schedule, but should require a change when there is evidence that your IT solution has been breached. [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5] The reasoning is that when users are forced to come up with password after password, they usually just pick something weaker anyway. Having one really solid password is far better than having 10 different weaker ones.
When setting a policy, it’s important to ensure and enforce that users select strong passwords. This means being lengthy, as well as having a mix of letters, numbers and special characters (such as ! , / * and so on). You can see the effect of password length at https://howsecureismypassword.net/ – whilst we wouldn’t recommend entering your actual password there, it shows clearly how the time a computer would need to crack a password varies with its complexity.
Password history and re-use
When a password is changed, it should not be the same as any of the passwords that user has had in place recently. For example, if you have three passwords in a year, P1, P2 and P3, with P1 and P2 having been compromised in potential security breaches, would you want your user re-using P1? The obvious answer is no, and hence your password system should prohibit it. Further, the same password shouldn’t be used for multiple logins, since that adds another layer of insecurity. If one part of your system is compromised, being able to ‘contain’ that breach is valuable, and having the same password open every part of the system makes containment impossible.
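As an added example (not Rapid IT’s own code), here is how the two policy points above – the length and character-mix requirement, and the rule that a new password must not match any of the last few (P1, P2, P3) – can be enforced in Python, with the history stored only as salted hashes. It also checks the candidate against a blocklist of known-weak passwords, which the NIST section cited above recommends; the blocklist, the 12-character minimum and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for a real list of common or breached passwords.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}

MIN_LENGTH = 12      # assumed policy value
HISTORY_DEPTH = 3    # remember the last three passwords (P1, P2, P3)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) so the history
    never has to store a plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history: list) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH entries.
    Each entry is re-derived with its own salt and compared in constant time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: list) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, special")
    if password.lower() in BLOCKLIST:
        problems.append("appears on the known-weak password blocklist")
    if matches_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's previous passwords P1 and P2, stored hashed.
    history = [hash_password("Correct-Horse-Battery-1"), hash_password("Winter2023!Staples")]
    print(check_password("Correct-Horse-Battery-1", history))   # re-use of P1 is rejected
    print(check_password("Tr0ub4dor&3-Stapler-Moon", history))  # [] -> accepted
```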
Having strong passwords can be an instant boon to your IT security, and hence should be considered carefully. If you aren’t 100% sure, having a managed service provider take care of your password policy may be the best way to go for your peace of mind. Rapid IT is of course always there to help, so give us a call today.