We ran across this interesting article on passwords and it prompted us to write this review on password security for your business.
The premise of the article is that a computer program can be created to crack the typical passwords we are all being prompted to create on most websites. You know the ones: at least 8 characters, two of which have to be numbers, plus some special characters. As you can see from the comment thread under the article, there is definitely a range of opinions on the subject. After providing managed service support for business networks for 20-plus years, we have some solid tips on the subject of security to share with you:
- User education: quick education on Trojans, password usage, phishing and social engineering will pay big dividends security-wise. Including this knowledge, and the users' responsibility to apply it, in the company handbook is good practice.
- Longer is better: 8 characters is much easier to crack than 18 or 24. Have your server enforce this minimum length.
- When possible use pass phrases (purplecowtruckspot); these are much, much harder to break.
- Use a password vault like LastPass! You have one master pass phrase to remember, and LastPass stores all of your passwords in one place. LastPass also generates random long passwords for you, so each website can have a different password. Many people use the same password on multiple sites; that is not good security practice!
- Have a good firewall with no open ports. Open ports (holes in the firewall) are usually used for well-known application access and as such are major candidates for attack. Have the firewall monitored so that if someone is ‘knocking’ on the firewall door you’ll know it.
- Use a VPN to secure outside access to internal information. This encrypts traffic between the remote computer and the internal network.
- Have managed antivirus that is cloud-based. Keeping antivirus software up to date can be a chore unless there is a central place where tech people can review deployment.
- Do not allow local admin rights for your user accounts. If you don’t have admin access to your computer, it is much harder to load a piece of software (read: malware).
- Do not allow thumb drives to be used on the network. If someone needs this, have them ask IT, and they can determine the best way to get the information to someone.
- When possible use two-factor authentication. This is where the user has their username, a password and another piece of information that only they would know. This is usually a key fob that gives random numbers that are only good for a specific amount of time.
- Re-read the first tip (user education)!
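As an added illustration, not part of the original post, of why the tips above favor length and pass phrases over short "complex" passwords and why the server should enforce the minimum: the entropy figures assume the password was chosen uniformly at random (a human-picked password that merely satisfies complexity rules has far less), and the word list, blocklist and guess rate are constructed sample values.

```python
import math
import secrets

MIN_LENGTH = 18  # the post recommends 18 or 24 characters rather than 8

# Constructed sample word list; a real generator uses a diceware-style list of
# thousands of words (7776 for the classic list).
WORDS = ["purple", "cow", "truck", "spot", "river", "lamp", "ocean", "brick"]
# Constructed stand-in for a breached-password list used by the server.
BLOCKLIST = {"password1234567890", "welcome123456789012"}


def entropy_bits_random(length, charset_size):
    """Bits of entropy for a password chosen uniformly from charset_size symbols."""
    return length * math.log2(charset_size)


def passphrase_bits(n_words, wordlist_size):
    """Bits of entropy for n_words drawn uniformly from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try the whole space at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def enforce_policy(password):
    """Server-side check: enforce the length floor and reject known-bad passwords."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in BLOCKLIST:
        return False, "appears in breached-password list"
    return True, "ok"


def generate_passphrase(n_words, sep=""):
    """Random pass phrase from a CSPRNG, the way a password vault would build one."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e10  # constructed offline guess rate for a fast GPU cracking rig
    for label, bits in [
        ("8 chars, full 95-symbol set", entropy_bits_random(8, 95)),
        ("18 lowercase letters", entropy_bits_random(18, 26)),
        ("4 words from a 7776-word list", passphrase_bits(4, 7776)),
    ]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.2e} years")
    print(enforce_policy("Tr0ub4dor&3"), enforce_policy("purplecowtruckspot"))
```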
If we can help explain any of these, please call our tech line at 562 431 0098 x0 for help. Thanks.
A popular xkcd comic from cartoonist Randall Munroe, published back in August 2011, poked a hole in this common logic on current password methodology.