Imagine you’re married but would like to sample some, shall we say, forbidden fruit. Modern technology and entrepreneurship have provided a place where you can find like-minded adulterers. All you have to do is register for a website, input a user name and password, and you’re on your way.
One would think that the danger of getting caught would reinforce the need to create an impenetrable password. And yet when the adulterer-enabling website Ashley Madison was hacked last year, it was discovered that the two most common passwords used by the site’s clients were ‘123456’ and ‘password.’
It’s like they wanted to get caught.
Why should this matter to somebody in charge of IT security at a company or organization? Well consider this: If people aren’t diligent enough to create a robust password to protect sensitive information on a website like Ashley Madison, would they be careful enough to protect their employers’ networks and sensitive data?
Aside from phishing scams, one of the easiest ways for hackers to gain network access is to crack the network password of one employee. The more people you employ, the more password vulnerabilities exist.
Those who want to do the legwork can oftentimes find password clues by surfing social media. Facebook, Twitter, LinkedIn, Instagram and other social networks invite people to share every detail of their lives: the names of their kids and pets, where they attended college, and their favorite sports teams just to name a few. This information is often what people use for passwords or to answer the security questions when they forget their passwords.
Once hackers have cracked the password to one site, they often have a master key to multiple sites. One survey shows 61 percent of people reuse passwords on multiple sites, and 54 percent have only five or fewer passwords they use across the web.
Password managers can help in this regard. These services create a long, random password for each site a person accesses and store all of those passwords so users don’t have to remember or write them down. The only downside is that the user has to remember the one master password that grants access to the entire list.
Another way to make password policies more user friendly is to find the right balance between making them easy to remember but tough to crack.
Several companies and organizations have gone this route. In 2014, Stanford University launched a password policy that allows users to create shorter, more complex passwords or longer, less complex passwords. The policy is based on the idea that the more characters a password contains, the more combinations a brute-force attack would have to try to find the right one. Therefore, a password made of random words totaling 20 characters is as difficult to crack as, yet easier to remember than, an eight-character password mixing letters, numbers and symbols.
Stanford’s policy makes any of the following combinations acceptable:
- Passwords between 8 and 11 characters require mixed case letters, numbers and symbols
- Passwords between 12 and 15 characters require mixed case letters and numbers
- Passwords between 16 and 19 characters only require a mix of capital and lowercase letters
- Passwords with 20 or more characters can use any combination of characters, even 20 lowercase letters.
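The tiered rules above can be expressed as a small validator. The following is an added example, not Stanford’s own code; it assumes that any character that is not a letter or a digit (including a space) counts as a symbol, and that the four tiers are the only rules in force.

```python
import string

# Character classes a password can contain. Treating everything that is not
# a letter or digit as a "symbol" (spaces included) is an assumption of this
# example, not a detail stated in the article.
LOWER, UPPER, DIGIT, SYMBOL = "lowercase", "uppercase", "digit", "symbol"

# Stanford's length tiers as described in the article:
# (minimum length, maximum length or None for unbounded, required classes).
TIERS = [
    (8, 11, {LOWER, UPPER, DIGIT, SYMBOL}),
    (12, 15, {LOWER, UPPER, DIGIT}),
    (16, 19, {LOWER, UPPER}),
    (20, None, set()),  # 20+ characters: any mix, even all lowercase
]

MIN_LENGTH = TIERS[0][0]


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add(LOWER)
        elif ch in string.ascii_uppercase:
            classes.add(UPPER)
        elif ch in string.digits:
            classes.add(DIGIT)
        else:
            classes.add(SYMBOL)
    return classes


def check_password(password: str) -> tuple:
    """Apply the tier that matches the password's length.

    Returns (accepted, reason). Longer passwords face fewer composition
    requirements, which is the whole point of the policy.
    """
    n = len(password)
    if n < MIN_LENGTH:
        return False, f"{n} characters: shorter than the {MIN_LENGTH}-character minimum"
    for low, high, required in TIERS:
        if n >= low and (high is None or n <= high):
            missing = required - character_classes(password)
            if missing:
                return False, f"{n} characters: missing {sorted(missing)}"
            return True, f"{n} characters: accepted"
    return False, f"{n} characters: no matching tier"  # unreachable with the tiers above


if __name__ == "__main__":
    # Constructed sample passwords for illustration.
    for candidate in ["password", "Pa55word!", "CorrectHorseBattery",
                      "correcthorsebattery", "shovelbirdcoffeefootball"]:
        accepted, reason = check_password(candidate)
        print(f"{'OK ' if accepted else 'NO '} {candidate!r}: {reason}")
```

Note that the validator only checks composition; a 24-letter string that is a well-known phrase or a line from a song would still pass, so a deployment would pair this with a check against a list of commonly used passwords.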
An acceptable password at Stanford is: shovelbirdcoffeefootball. Once you have the cadence of the four words in your head, it’s easy to remember. But the number of characters makes it extremely hard to crack.
Several years ago, security expert Thomas Baekdal made the argument that memorable, comprehensible phrases are more secure as passwords than a random list of hard-to-remember characters. The argument rests on how long it would take a hacker to crack a password using a brute-force attack. For example, the phrase “this is fun” would take more than 2,500 years to crack by brute force because of the spaces between the words, which act like special characters.
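The length-versus-complexity reasoning behind both Stanford’s tiers and Baekdal’s argument can be made concrete by comparing the size of the search space an exhaustive brute-force attack would have to cover. This is an added example, not from the article or from Baekdal; the alphabet sizes and the guess rate of one billion guesses per second are constructed assumptions, and the estimate assumes an attacker who tries every string character by character rather than guessing combinations of dictionary words, which is a smaller search space.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes used for the estimate (assumptions of this example).
ALPHABETS = {
    "lowercase only": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "all printable ASCII": 95,
}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for all strings of `length` over an alphabet
    of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try the whole keyspace at the
    given guess rate, in years."""
    total_guesses = alphabet_size ** length
    return total_guesses / guesses_per_second / SECONDS_PER_YEAR


def length_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest length over this alphabet whose keyspace has at least
    `target_bits` bits, i.e. matches a stronger-alphabet password."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second for illustration

    # The two ends of Stanford's policy: 8 chars of everything vs 20 lowercase.
    for label, size, length in [("all printable ASCII", 95, 8),
                                ("lowercase only", 26, 20)]:
        bits = keyspace_bits(size, length)
        years = years_to_exhaust(size, length, rate)
        print(f"{length:2d} chars, {label:20s}: {bits:6.1f} bits, "
              f"{years:.3g} years to exhaust at {rate:.0e}/s")

    # How many lowercase letters equal an 8-character full-alphabet password?
    target = keyspace_bits(95, 8)
    print(f"lowercase length matching 8 printable-ASCII chars: "
          f"{length_needed(26, target)}")
```

The numbers show why the policy relaxes composition rules as length grows: twenty lowercase letters give roughly 94 bits of search space against about 53 bits for eight characters drawn from all printable ASCII. The caveat for defenders is that a phrase of common words is only this strong against an attacker who refuses to use a dictionary; the guard against dictionary-style guessing is rate limiting and a slow password hash on the server side, not the composition rule alone.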
Organizations need strict password policies and strong enforcement of those policies to protect their networks. At the same time, they need to consider whether the complexity of those policies creates more vulnerabilities than it prevents.