I hate passwords. They are complex, should be unique for every website or service, and I have to change them every 90 days. What is the point? "My accounts have never been compromised." (That I know of.)
A password is the only method a computer system has to link a person with an account. Some people may object: "What about biometrics?" To a computer, biometrics are still just a password. They are easier for a person to present, but the fingerprint reader still converts the fingerprint into a credential that the system compares like any other password. They are similar to proximity ID cards, but less secure.
Because passwords are so critical, security best practices call for the following:
- Complex passwords of at least 8 characters
- Use different passwords for different accounts
- Change the password every 90 days
These steps greatly improve password security. This article explains the reasoning behind each recommendation.
Why does the password need to be complex?
If a system that stores your passwords is compromised, its password database may be breached. If you used a simple password, recovering it from that database will be easy. A complex password buys you the time you need to change your passwords on the compromised system before the attacker can use yours. Examples of simple passwords that are cracked in seconds include Password1, qwerty, 987654321 and Backup. Complex passwords that would take years to centuries to crack include paper&lionS, correctHorsebatterystaple and I81b4btm. Most sites require both uppercase and lowercase letters along with at least one number, and more sites are moving to require at least one symbol, such as !@#$%^&*<>?, as well.
Why do they need to be unique?
As before, if a password database is breached, your complex password buys time to change the password on the affected site. If the password is unique to every site, only that one site needs to be changed. Many people don't remember all of the sites where they used a given password, and the more sites that share the same password, the more likely it is to be breached somewhere. Larger websites are less likely to fall to simple programming mistakes, but LinkedIn, eBay, AOL, and TJ Maxx have all experienced password database breaches in the recent past.
Why does the password need to expire every 90 days?
Password expiration does nothing to increase the strength of any given password; its primary purpose is to regain control of the account. When a password is changed, the user can be confident that no one else in the world knows it. As time goes on, that confidence diminishes. Changing the password assures that the user once again has exclusive control of the account.
Business owners need to ensure that their employees follow secure password practices to protect the information of the business. If an employee's mistake leads to private information being made public, the company bears the brunt of the fallout. In the case of Target, an employee at a vendor had a password stolen, and that theft resulted in the Target credit card breach last fall. Business owners can review every account in their systems for password policy compliance. The Netgain Security Team audits all Netgain employee accounts every 90 days across all client environments, which ensures that Netgain employees will not be the source of a hacked password.
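As an added illustration, not Netgain's own tooling, here is the kind of policy check such an audit performs: it flags accounts whose password fails the complexity rule, appears on the article's list of passwords that fall in seconds, is shared with another account, or has not been changed in 90 days. The sample records, the "three of four character classes" complexity bar and the denylist are this example's constructed assumptions.

```python
from collections import Counter
from datetime import date

# Thresholds follow the article's three rules; counting "complex" as at least
# three of the four character classes is this example's assumption.
MIN_LENGTH, MIN_CLASSES, MAX_AGE_DAYS = 8, 3, 90
SYMBOLS = set("!@#$%^&*<>?")
# The article's examples of passwords that fall in seconds, used as a denylist.
COMMON_PASSWORDS = {"password1", "qwerty", "987654321", "backup"}

def character_classes(password):
    """Count how many of lower/upper/digit/symbol the password uses."""
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(c in SYMBOLS for c in password)])

def audit(accounts, today):
    """Return {account: [finding, ...]} for every record that fails the policy.
    Complexity, denylist and reuse checks need the plaintext, so in practice they
    run when a password is set; the age check uses the directory's last-set date."""
    shared = Counter(password for _, password, _ in accounts)
    findings = {}
    for account, password, last_changed in accounts:
        issues = []
        classes = character_classes(password)
        if len(password) < MIN_LENGTH or classes < MIN_CLASSES:
            issues.append("fails complexity (length %d, %d of 4 character classes)"
                          % (len(password), classes))
        if password.lower() in COMMON_PASSWORDS:
            issues.append("appears on the common-password list")
        if shared[password] > 1:
            issues.append("shared with %d other account(s)" % (shared[password] - 1))
        age_days = (today - last_changed).days
        if age_days > MAX_AGE_DAYS:
            issues.append("not changed for %d days" % age_days)
        if issues:
            findings[account] = issues
    return findings

# Constructed sample records (not real accounts); the passwords are the article's.
AUDIT_DATE = date(2014, 12, 1)
SAMPLE_ACCOUNTS = [
    ("alice", "paper&lionS", date(2014, 11, 15)),
    ("bob", "Password1", date(2014, 11, 20)),
    ("carol", "Backup", date(2014, 10, 1)),
    ("dave", "I81b4btm", date(2014, 8, 1)),
    ("erin", "Password1", date(2014, 11, 1)),
]
```

Running `audit(SAMPLE_ACCOUNTS, AUDIT_DATE)` leaves alice clean, flags bob and erin for a shared password that is also on the denylist, flags carol for a short two-class password on the denylist, and flags dave only for a 122-day-old password.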
If you would like assistance in auditing the accounts in your Netgain hosted environment, please feel free to contact Charles Killmer, CISSP at Charles.Killmer@NetgainHosting.com.