Increase password security by reducing human errors
(Last updated on September 26, 2019)
According to the IBM Security Services 2015 Cyber Security Intelligence Index report, over 95 percent of all incidents investigated involve human error.
While organizations employ a plethora of security policies and invest in defensive security tools to mitigate the risks, there are factors they can hardly control – human errors and poor decisions.
In the blog post Password Filtering: Taking Bad Decisions Away from Users, the author argues that the “eight character minimum with complexity” recommendation is no longer secure. As far as users are concerned, they only need to create passwords that meet the requirements, even when they know the ones they come up with are easy to crack. The best solution is to address the root cause: the human. Instead of leaving it up to users to create secure passwords and hoping for the best, enforce a genuinely strong password policy that prevents them from creating weak passwords in the first place.
Let’s take a look at the password policy employed in most organizations today:
- Changed twice a year
- Minimum of eight characters
- Cannot contain your first name or last name
- When changing it, you cannot reuse any of your last three passwords
- Must contain at least three of the following four:
  - An upper case letter
  - A lower case letter
  - A number
  - A special character
Does this policy protect organizations against attackers? Here are three passwords that meet the requirements, with the time it would take to crack them as estimated by the How Secure Is My Password tool (the tool assumes a brute-force search of every character combination; a dictionary or rule-based attack on a weak password finishes far sooner):
- w@gZ23!! – three days
- 2g@Th@R!? – five years
- wf@@3500A! – 58 years
To improve security, you could raise the length and complexity requirements. In reality, though, most organizations have legacy systems that do not support passwords longer than eight characters or containing special characters. Ideally, users should be able to create passwords such as these:
- I love cold beer. – A quintillion years
- I have really bright children! – 85 duodecillion years
- T@morr@w I leave for Disneyland? – 4 quattuordecillion years
They are far longer than any traditional password, which greatly lowers the risk of being cracked, yet they are easy to remember. Users have a much easier time memorizing a passphrase than a cryptic string of letters, numbers and symbols. Note that the estimates above assume a character-by-character brute-force attack; a passphrase built from a few common dictionary words is also exposed to word-combination attacks, so its real margin is smaller, though still far larger than that of an eight-character password.
Specops Password Policy overcomes this limitation of legacy systems with passphrase support. It lets administrators create a powerful yet simple two-tier policy: if a password is shorter than the minimum length set in the passphrase options, the standard length and complexity rules apply; if it is at least that long, the passphrase requirements apply instead. Specops Password Policy further strengthens security by letting administrators reject passwords that contain a partial or full username, forbid consecutive characters and dictionary words, and block any password that appears in leaked password lists.
Humans make mistakes and will always find a way to undermine or bypass your security measures, intentionally or not. It is time to create a password policy that reduces human error and improves security.