When it comes to online security, passwords are the second line of defense. If a threat breaches the network perimeter, the passwords associated with particular assets become essential to protecting them. Strong passwords slow an intruder who is already inside, which increases the chance that the intrusion is detected before information is reached and so helps protect the enterprise as a whole.
For the average user of a corporate network, however, passwords are the single most important security tool. Users must practice password safety at every step of their work day to ensure their network resources are protected – and that can be a heavy responsibility.
The challenge: Best practices related to passwords have changed dramatically in the last decade.
It’s important that people not only protect their passwords vigilantly, but also understand that the best way to keep passwords safe is evolving along with online technology. Many lessons users may have learned early in a career no longer apply – and some information is completely new.
Let’s look at some of the most useful ways to develop and defend enterprise passwords:
Use Passphrases, Not Passwords
Single-word passwords are extremely easy for hackers to guess by automated means. In fact, even adding numbers, capital letters, and special characters to a password doesn’t significantly improve its resistance to a brute-force attack – while making it harder for users to remember.
Passphrases differ from traditional passwords because they consist of multiple words that are all strung together into a meaningful, memorable phrase. Capitals, punctuation, spaces, and special characters can all be used to add to the complexity without detracting from memorability.
Because multi-word phrases cannot be cracked with a dictionary attack, they are much stronger.
Make Longer Passphrases a Requirement
When passwords have complex requirements in terms of special characters, capitalization, and more, users get frustrated – and hackers can use knowledge of those same rules to narrow their guesses and crack them more easily. Instead, require extended passphrases of four, five, or even six words.
Give Each Password a Longer Time to Live
Since passphrases are so much tougher than passwords, there’s no need to change them as often. In fact, frequently changing passwords can cause users to develop lazy habits, such as changing just one letter each time or writing passwords down where they can be stolen.
Reset Passwords Annually, Not Every 30/60/90 Days
Every once in a while, however, it’s still a wise idea to have a complete, enterprise-wide reset. This can take place on an annual basis. Of course, you should still push an enterprise password refresh any time you confirm that your network has been attacked.
Never Put a Domain Password or PC Unlock Password into a Web Browser
Even with today’s modern encryption technology, a password is at its most vulnerable when it is in transit between destinations on the Web. You should never put your most sensitive passwords into a Web browser for any reason, even on a secure VPN.
Use Two-Factor Authentication With Your Mobile Phone
Two-factor authentication (2FA) can transform even an ordinary password into one that’s essentially impossible for attackers to overcome. When two-factor authentication is active, you need physical access to a second device, such as a phone, to successfully use a password.
At NCA, we advise IT security leaders to set aside time on an annual basis to review the key security policies that affect the end users. Not only must those policies be up to date, but there must be a clear approach to ensuring each user understands and abides by them.
To find out more about keeping your network safe in a world of unprecedented threats, contact NCA.
Network Computing Architects, Inc. is a premier provider of high-quality, sustainable and secure networking, information security solutions and unified communications. We partner with our clients to provide answers to business initiatives where leading technologies converge.
NCA achieved ISO 27001:2005 certification in December 2007 and is currently ISO 27001:2013 certified. The scope of NCA's ISMS is client confidential information within NCA Professional Services Practice.