
Are PCI compliant passwords good enough?

Wide-scale attacks on large enterprises dominate the news headlines, but small and medium sized businesses are the real targets, and their breaches go under-reported. According to a Visa analysis, small merchants accounted for more than 80 percent of data security breaches. When a breach happens, you face not only costs of over $200 per compromised record but also fines from your acquiring bank for non-compliance with PCI DSS (the Payment Card Industry Data Security Standard). Beyond the financial loss, brand damage is what will hurt your business most. If customers don’t trust you to keep their details safe, will they make a purchase? Unlikely. That is why 60 percent of small businesses go out of business within six months of a data breach, according to the National Cyber Security Alliance.

With profits and reputation on the line, what can you do to make data more secure? Start by strengthening your password security. According to the 2015 Global Security Report by Trustwave, 28 percent of breaches resulted from weak passwords. Allowing weak passwords not only opens your organization up to attack but also puts you out of compliance with PCI DSS, which requires strong passwords for every user with access to payment card data. The PCI DSS (v3.2.1) password requirements are:

  • Must be at least seven characters long (Requirement 8.2.3)
  • Must contain both numeric and alphabetic characters (Requirement 8.2.3)
  • Must be changed at least every 90 days (Requirement 8.2.4)
  • Must not be the same as any of the last four passwords used (Requirement 8.2.5)
  • Vendor-supplied defaults for system passwords and other security parameters must always be changed (Requirement 2.1)

Will following these requirements really make a password strong? An analysis of 5,000 PCI compliant passwords showed that most of them contained words resembling the user name, dictionary words or keyboard patterns. Such passwords remain exposed to the usual attacks (dictionary and rule-based cracking, brute force, and precomputed rainbow tables wherever hashes are stored unsalted), and they are easy to guess or to extract through social engineering. To get real protection you need to go beyond the PCI compliance minimums.

Specops Password Policy provides significantly stronger password definition criteria, allowing you to enforce longer passwords or passphrases. It lets you set any combination of restrictions, for example blocking passwords that contain the user name or display name, incremental passwords (the previous password with a trailing number bumped) and dictionary words. It further increases security by rejecting known leaked passwords, using either a custom list or the online dictionary lists provided by Specops.

With Specops Password Policy, you also have the flexibility to waive complexity requirements when a passphrase exceeds a minimum length, for example 14 characters. Longer passwords are stronger passwords: B1gMac1 is estimated to take 14 minutes to crack, whereas Bigmacandfries takes 511 years. Note that such figures assume exhaustive brute force at a fixed guessing rate; a passphrase made only of dictionary words is far weaker against a combinator attack that joins wordlist entries, so passphrases should still be screened against dictionary and leaked-password lists.
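As an added example (not code from the original post or from Specops), the following Python script contrasts the PCI DSS v3.2.1 baseline with an extended policy of the kind described above: a passphrase-length exemption from the letters-and-digits rule, plus rejection of passwords built from dictionary words (after undoing leet substitutions and stripping digit padding), leaked passwords, user-name look-alikes, keyboard patterns and incremental rotations. It also estimates exhaustive brute-force time so the two sample passwords from the text can be compared. The word list, the breached-password list, the user names and the 4e9 guesses-per-second rate are constructed assumptions for illustration.

```python
"""PCI DSS v3.2.1 password baseline versus an extended policy.

Added example, not code from the post or from Specops. DICTIONARY, LEAKED,
the sample users and the guessing rate are constructed assumptions.
"""
import re

# Constructed sample lists (assumptions). In production these would be large
# files: a real dictionary and a breached-password corpus.
DICTIONARY = {"big", "mac", "and", "fries", "password", "welcome",
              "summer", "company", "admin", "acme"}
LEAKED = {"password1", "welcome1", "summer2019", "qwerty123"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def pci_baseline(password, history=()):
    """Req. 8.2.3 (7+ chars, letters and digits) and 8.2.5 (not one of the
    last four). Returns a list of failure reasons; empty means compliant."""
    failures = []
    if len(password) < 7:
        failures.append("shorter than 7 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        failures.append("must contain both letters and digits")
    if password in history[-4:]:
        failures.append("matches one of the last four passwords")
    return failures


def core(password):
    """Lowercase, drop leading/trailing digits and symbols (the classic
    'Password1!' padding), then undo leet substitutions: 'P@ssw0rd1' -> 'password'."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password.lower())
    return stripped.translate(LEET)


def dictionary_segments(text):
    """Words from DICTIONARY that tile `text` completely, or None if it cannot
    be tiled (simple word-break dynamic programming)."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for i in range(1, len(text) + 1):
        for j in range(i):
            if best[j] is not None and text[j:i] in DICTIONARY:
                best[i] = best[j] + [text[j:i]]
                break
    return best[len(text)]


def has_keyboard_pattern(password, run=4):
    """True if any `run` adjacent keys of a keyboard row (either direction) occur."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in lowered for i in range(len(seq) - run + 1)):
                return True
    return False


def resembles_user(password, username, display_name):
    """True if the normalized password contains the user name or any word of
    the display name (3+ letters)."""
    tokens = [username.lower()] + re.split(r"\W+", display_name.lower())
    tokens = [t for t in tokens if len(t) >= 3]
    return any(t in core(password) for t in tokens)


def is_incremental(password, history):
    """'Summer2019' -> 'Summer2020' style rotation: same base, digits bumped."""
    base = lambda s: re.sub(r"\d+$", "", s.lower())
    return any(base(password) == base(old) for old in history)


def extended_policy(password, username="", display_name="", history=(),
                    passphrase_length=14):
    """Passphrases of `passphrase_length` or more skip the letters+digits rule,
    but every password is screened against the stronger checks."""
    failures = []
    if len(password) >= passphrase_length:
        if password in history[-4:]:
            failures.append("matches one of the last four passwords")
    else:
        failures.extend(pci_baseline(password, history))
    if password.lower() in LEAKED:
        failures.append("appears in a known breached-password list")
    words = dictionary_segments(core(password))
    if words:
        failures.append("built from dictionary words: " + "+".join(words))
    if resembles_user(password, username, display_name):
        failures.append("resembles the user name or display name")
    if has_keyboard_pattern(password):
        failures.append("contains a keyboard pattern")
    if is_incremental(password, history):
        failures.append("is the previous password with the digits changed")
    return failures


def brute_force_seconds(password, guesses_per_second=4e9):
    """Exhaustive-search time at an assumed rate; the alphabet size is inferred
    from the character classes present (26 lower, 26 upper, 10 digits, 33 symbols)."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z\d]", 33))
    alphabet = sum(size for pat, size in classes if re.search(pat, password))
    return alphabet ** len(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample user and history (assumptions).
    for pw in ("B1gMac1", "Bigmacandfries", "Summer2020", "Qwerty123",
               "Jsmith99", "Tr0ub4dor&3"):
        print(f"{pw:16} PCI: {pci_baseline(pw) or 'ok'}  extended: "
              f"{extended_policy(pw, 'jsmith', 'John Smith', ('Summer2019',)) or 'ok'}"
              f"  brute force: {brute_force_seconds(pw):.0f}s")
```

Running it shows the point of the post: B1gMac1 passes the PCI baseline but fails the extended policy because it is just big+mac with leet spelling and a trailing digit, and Bigmacandfries is exempt from the complexity rule yet is still rejected as four dictionary words, which is exactly what a combinator attack would exploit. With the assumed rate of 4e9 guesses per second, the 62-character alphabet of B1gMac1 gives about 880 seconds of exhaustive search, close to the 14 minutes quoted above; in production the word and breached lists would be the large corpora the post refers to rather than a handful of constructed entries.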

Passwords that are compliant on paper just aren’t good enough. It is time to create a best practice oriented password strategy that protects your organization against real world attacks.

(Last updated on February 17, 2020)

