Choose Strong Passwords – Don’t Leave the Key Under the Doormat

by Mark Aronson on January 31, 2010

In December, a major password breach led to the release and Internet posting of 32 million passwords. Imperva, a security firm, analyzed the strength of the passwords and stated that the 20 most common passwords are easy to guess, especially for hacker software that rapidly makes repeated attempts.

Imperva also reports that:

  • 1% used “123456” as a password.
  • About 20% picked from the same, relatively small pool of 5,000 passwords.

In an article covering the report, the New York Times states, “Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug. … one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like ‘abc123,’ ‘iloveyou’ or even ‘password’ to protect their data.”

A Smart Password Policy

Individual users should:

1. When you care about the privacy of your information, choose a strong password. For example, take a sentence and turn it into a password: “This little piggy went to market” becomes “tlpWENT2m.”
2. Use a different password for each site – even the ones where privacy isn’t an issue.
3. Never trust a 3rd party with your important passwords (webmail, banking, medical, etc.).
4. You may want to consider RoboForm to store your passwords.

System administrators should:

1. Enforce a strong password policy – if you give users a choice, they are very likely to choose weak passwords.
2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
3. Make sure passwords are not kept in clear text. Always digest (hash) passwords before storing them in the database.
4. Employ aggressive anti-brute-force mechanisms to detect and mitigate brute force attacks on login credentials.
5. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 to 20 minutes, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
6. System-level passwords should be changed when someone who knows the password leaves the company; user-level passwords should be changed if someone other than the system administrator knows the password or the user leaves. Too frequent password changes make them less effective, because people write them down.
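As an added illustration of points 1, 3 and 4 above (example code written for this page, not from the original post), the following sketch rejects the trivially guessable passwords the post quotes, stores only a salted PBKDF2 digest, and locks an account after repeated failed logins. The iteration count, the lockout threshold and window, and the tiny deny list are this example's own choices; a deployment would load a much larger list of common passwords.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Passwords the post names as commonly chosen (a real deny list is far larger).
COMMON_PASSWORDS = {"123456", "abc123", "iloveyou", "password"}
PBKDF2_ITERATIONS = 200_000   # work factor chosen for this example
MAX_FAILURES = 5              # failed attempts before lockout (example value)
LOCKOUT_SECONDS = 900         # 15-minute lockout window (example value)


def password_is_acceptable(password: str) -> bool:
    """Point 1: refuse short passwords and the known-weak choices."""
    return len(password) >= 8 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Point 3: derive a salted PBKDF2-HMAC-SHA256 digest; only (salt, digest) is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginGuard:
    """Point 4: count failed logins per account and lock it after MAX_FAILURES."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]], now=time.monotonic):
        self.users = users                       # username -> (salt, digest)
        self.failures: Dict[str, List[float]] = {}
        self.now = now                           # injectable clock for testing

    def attempt(self, username: str, password: str) -> str:
        t = self.now()
        # Keep only failures inside the lockout window.
        recent = [f for f in self.failures.get(username, []) if t - f < LOCKOUT_SECONDS]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            return "locked"
        record = self.users.get(username)
        if record is not None:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(stored, candidate):   # constant-time comparison
                self.failures[username] = []
                return "ok"
        recent.append(t)   # unknown users are counted too, so they cannot be probed freely
        return "denied"
```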

Acceptable Use Policy excerpts:

1. Users should keep passwords secure and not share accounts.
2. Authorized users are responsible for the security of their passwords and accounts.

We can work with you to create a customized Acceptable Use Policy for your organization. Call me.
