Most computer users know that passwords protect sensitive data from unauthorised access, but few appreciate how easily a weak password can be cracked by a malicious user. In the corporate environment, where the protection of sensitive data is particularly vital, it is important to introduce password standards so that you are not leaving your firm open to a security breach.
The term ‘password’ refers to a string of characters, known only to the user, which is used to authenticate their identity and give them access to an electronic resource such as an email account. Attackers will typically work through a list of the most likely passwords first (a dictionary or wordlist attack), before falling back on a ‘brute force’ method, which simply involves systematically trying every possible combination until they succeed. For this reason, password strength depends on three factors: length, complexity and predictability (how likely the password is to appear on an attacker’s list).
Most experts recommend a minimum password length of eight characters, but fourteen characters or longer is ideal. It is also good practice to prohibit words found in dictionaries, as this gives attackers a comparatively short list of passwords to try. To put this in perspective, there are around 30,000 eight-letter words in the English dictionary, but the total number of possible eight-character combinations drawn from lower-case letters and digits (a 36-character alphabet, 36^8) is about 2.8 trillion. Ideally, a password should also mix upper- and lower-case letters, which raises the alphabet to 62 characters and the number of combinations in the above example to about 218 trillion. If the full set of 95 printable ASCII characters is used (including symbols such as &, $ and %), the number of possible combinations rises to roughly 6,600 trillion. Note that length does more than character variety: each additional character multiplies the search space by the size of the alphabet, whereas adding a character class only enlarges the base, so a fourteen-character lower-case password has a larger search space than an eight-character one using every printable character.
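The search-space arithmetic above, together with a policy check for the three factors (length, complexity, predictability), as an added example that is not part of the original article. The guess rate is an illustrative assumption chosen for this example, and the dictionary is a constructed stand-in for the 30,000-word list an attacker would try first.

```python
import math
import string

# Character classes whose sizes give the article's alphabets:
# 26 + 10 = 36 (lower-case alphanumeric), 62 with upper case, 95 with all
# printable ASCII (string.punctuation is 32 characters; add the space).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",
}

# Assumed offline guess rate against a fast, unsalted hash (an illustrative
# figure chosen for this example, not one taken from the article).
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Constructed toy dictionary standing in for the ~30,000-word list an
# attacker tries before resorting to brute force.
SAMPLE_DICTIONARY = {"password", "letmein", "welcome", "monkey", "dragon", "sunshine"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return space / rate


def alphabet_size_for(password: str) -> int:
    """Size of the charset union an attacker must assume to cover this password."""
    return sum(len(chars) for chars in CHARSETS.values() if any(c in chars for c in password))


def check_password(password: str, dictionary: set, min_length: int = 14) -> list:
    """Return the policy violations for `password` (an empty list means it passes)."""
    issues = []
    present = {name for name, chars in CHARSETS.items() if any(c in chars for c in password)}
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if not {"lower", "upper"} <= present:
        issues.append("does not mix upper and lower case")
    if not present & {"digits", "symbols"}:
        issues.append("contains no digit or symbol")
    # Attackers try dictionary words first, including the common trick of
    # tacking digits or punctuation onto the end, so strip those before lookup.
    stem = password.lower().rstrip(string.digits + string.punctuation)
    if password.lower() in dictionary or stem in dictionary:
        issues.append("based on a dictionary word")
    return issues


if __name__ == "__main__":
    for label, size, length in [("lower+digits", 36, 8), ("mixed case+digits", 62, 8),
                                ("all printable", 95, 8), ("lower case only", 26, 14)]:
        space = keyspace(size, length)
        print(f"{label:>18} x{length}: {space:.3g} candidates, "
              f"{entropy_bits(size, length):.1f} bits, "
              f"{seconds_to_exhaust(space) / 86400:.2f} days to exhaust")
    for pw in ["Password1!", "Tr0ub4dor&3x!Qz9"]:
        print(pw, check_password(pw, SAMPLE_DICTIONARY) or "passes")
```

The table makes the length point concrete: at the assumed rate an eight-character password from all 95 printable characters falls in about a week, while fourteen lower-case letters outlast it by orders of magnitude. The dictionary check catches ‘Password1!’ even though it satisfies the character-class rules, which is the predictability factor at work.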
When developing a set of password standards for your organisation, it is also important to look at how policy can limit the exposure of passwords outside the organisation. Such policies might include prohibiting the sharing of passwords among employees, ensuring an employee’s passwords are changed immediately on their leaving the company, and requiring users to change their passwords every 60-90 days. On the last point, note that current guidance (NIST SP 800-63B) advises against forced periodic rotation unless there is evidence of compromise, because it tends to produce predictable variations of the same password; rotating promptly after a suspected breach is the more useful rule.
But however well a company’s password standards are followed, sensitive data can still be at risk from other attacks. Keystroke logging, for example, records activity such as key presses and mouse movements on a user’s computer and makes that record available to a malicious user, who can then extract passwords and other sensitive data from it. Most keystroke logging is done either by specialist hardware attached to the computer, such as a modified keyboard or a small USB device inserted between keyboard and machine, or by software installed by a malicious user or delivered by a Trojan horse.
Software vulnerabilities can also lead to security breaches: a flaw in a program might allow users to reach certain areas without a password, or a system might be deployed with default ‘admin’ accounts whose credentials are widely known and easily exploited. For this reason, if it is to be effective, any password policy in the corporate workplace must address potential password breaches from all angles, looking not only at password strength but also at how passwords are managed, distributed and compromised.