Password Policies: Pitfalls and Solutions

What is a password policy?

A password policy sets a standard that makes passwords hard to guess or crack. It defines the level of security each employee must meet with their passwords. Policies often vary within a company: a system administrator may have a stricter policy than a regular user, and passwords for important systems, such as computer logins and email, may be held to a stricter standard than less important ones.

A password policy can be given to employees, for example in an employee handbook, enforced by the system, or both. The upside of having the system enforce the policy is that it protects a well-meaning user who forgets the full policy (as well as a user who just doesn’t care). The downside is that most systems can only check length and character classes, not the more meaningful standards described below.

Who should have a password policy?

This is an important question! Not everything needs a strong password. A good password policy is needed to protect:

  • Email accounts

  • Active Directory

  • Anything handling your money or bank accounts

  • Anything storing confidential or personal information

  • VPN access

So, what’s the problem with most password policies?

The problem is simple. As a password policy becomes more demanding, employees must find ways to meet it that they can still remember. As it happens, most people come up with the same tricks. In fact, many of the people we work with are surprised that their clever little trick is so common.

  • Longer passwords: Most people simply use a longer word or two words, which are easy to guess just by going through a dictionary.

  • At least one capital: This is usually the first or last letter of the word. Again, easy for a hacker’s cracking rules to guess.

  • At least one number: Commonly placed before or after the word. Prepending or appending one to four digits is still trivial for a computer, as is the common practice of replacing “o” with “0”.

  • At least one special character: Many people expect this to be the most powerful requirement, since adding symbols increases the number of possibilities tremendously. However, most people use the same symbols in the same places. “!” and “@” are by far the most common, usually as the first, last, second, or second-to-last character of the password. Just these eight variations account for the majority of passwords that contain a symbol. Adding a few other common symbols, and trying them between two words, will crack nearly all of the rest. Replacing “a” with “@” and “s” with “$” is also easily accounted for.

  • Password rotation: Users hate this, since they are always having to learn a new password, so they need a trick to remember it. A common one is to use the name of the month for a 30-day rotation and the name of the season for a 90-day rotation; the year may also be used. This is so common that months, seasons, and years in a password essentially hand a hacker a large portion of it. Simply incrementing a number is just as common and just as easily accounted for.

  • Keyboard combinations: In an effort to make a strong password, users will follow a series of adjacent keys on the keyboard. It spells nothing, but is easy to type and remember, for instance “qazxsw”. Hackers know this and include keyboard walks in their dictionaries.

Knowing these tricks, a hacker may guess a long, complex password just as easily as a short one.
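To show how little these tricks add, here is a toy rule-based guesser of the kind a cracking tool automates. It is an added example, not part of the original article or any GGNet tooling: the wordlist, the rule set and the sample passwords are constructed and far smaller than a real attack, and the targets are stored as plain SHA-256 hashes only so that the code looks like a hash-cracking run. Every sample password meets a typical “8 or more characters, one capital, one number, one special character” policy.

```python
"""Toy rule-based password guesser (added example, constructed data).

Each generator below encodes one of the habits described above: capital at
the start or end, o->0 / a->@ / s->$ swaps, a number or year appended, '!' or
'@' at the front or back, two words joined, a month, season or keyboard walk.
"""
import hashlib
import itertools

# Constructed mini-wordlist; a real attack uses a list of millions of words.
WORDS = ["password", "welcome", "monkey", "letmein", "dragon"]
KEYBOARD_WALKS = ["qazxsw", "qwerty", "zxcvbn", "1qaz2wsx"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
YEARS = [str(y) for y in range(2015, 2026)]
# The usual "add a number" habits: one digit, two digits, or a year.
DIGIT_ADDITIONS = ([""] + [str(n) for n in range(10)]
                   + [f"{n:02d}" for n in range(100)] + YEARS)
# The two symbols almost everyone picks, placed at the front or the back.
SPECIALS = "!@"
LEET_FULL = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def capitalizations(word):
    """Plain, first letter upper, last letter upper: the three usual choices."""
    yield word
    yield word[0].upper() + word[1:]
    yield word[:-1] + word[-1].upper()


def leet_variants(word):
    """Common letter-for-symbol swaps, 'o'->'0' and 'a'->'@' being the favourites."""
    yield word
    yield word.replace("o", "0")
    yield word.replace("a", "@")
    yield word.replace("o", "0").replace("a", "@")
    yield word.translate(LEET_FULL)


def stems():
    """Base words: single words plus the 'two words, maybe with ! between' trick."""
    for w in WORDS + KEYBOARD_WALKS + MONTHS + SEASONS:
        yield w
    for a, b in itertools.permutations(WORDS, 2):
        yield a + b
        yield a + "!" + b


def candidates():
    """Apply every rule combination to every stem (about 600k guesses here)."""
    for stem in stems():
        for cap in capitalizations(stem):
            for base in leet_variants(cap):
                for digits in DIGIT_ADDITIONS:
                    core = base + digits
                    yield core
                    for s in SPECIALS:
                        yield s + core
                        yield core + s


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes):
    """Return {hash: plaintext} for every target hash hit by the rule set."""
    remaining = set(target_hashes)
    found = {}
    for guess in candidates():
        h = sha256_hex(guess)
        if h in remaining:
            found[h] = guess
            remaining.discard(h)
            if not remaining:
                break
    return found


# Constructed sample of "policy compliant" passwords; pass%word6A is the
# article's own example of a harder one.
SAMPLE_PASSWORDS = ["P@ssw0rd1", "Welcome12!", "Summer2024!", "@Monkey22",
                    "qazxsw1@", "Dragon!letmein", "October2024", "pass%word6A"]


def demo():
    """Crack the sample set; returns (cracked, survived) as sorted lists."""
    hashes = {sha256_hex(p): p for p in SAMPLE_PASSWORDS}
    found = crack(hashes)
    cracked = sorted(found.values())
    survived = sorted(p for h, p in hashes.items() if h not in found)
    return cracked, survived


if __name__ == "__main__":
    cracked, survived = demo()
    print("cracked :", cracked)
    print("survived:", survived)
```

Seven of the eight “compliant” passwords fall to a few hundred thousand guesses, which a modern cracking rig works through in well under a second. Only the article’s pass%word6A survives, and only because this rule set does not try a symbol inside a word or a letter after the number; a larger rule set would, which is why the policy advice below matters more than any single trick.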

The Solution

First of all, this does NOT mean you should abandon requirements like special characters and password rotation! The solution is to be familiar with the common tricks and patterns hackers look for, and to write the policy around them. Using uncommon characters, and placing numbers and letters where hackers do not expect them, improves password security tremendously. Employees just need to be informed of the tricks hackers know. Include the following in your policy:

  • A minimum of 9 characters

  • Include one unusual character

    • Characters like ({;,|* are great options

    • Avoid !@?$

  • At least one uppercase letter or number

  • Avoid using words related to your company

For a more secure password, also include:

  • A minimum of 12 characters

  • Include two non-consecutive unusual characters

  • At least two uppercase letters or numbers

  • Avoid using words related to your company

  • Two letters, characters, or numbers that are not part of a word

  • Letter replacements like o>0 or a>@ are easily caught by most cracking tools

    • For example, P@ssw0rd is easy to guess; pass%word6A is much harder, because the symbol sits inside the word and the number and letter after it follow no common pattern

  • If the password rotates periodically, a brand new password must be created each time

    • Using the month for 30-day rotations or the season for 90-day rotations is easier to guess than an unchanged password
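The rules in the two lists above, together with the pattern checks a plain “length plus character classes” setting cannot express, can be enforced in code. The checker below is an added example, not GGNet’s policy tooling or any product’s API. Its reason strings, its tiny DICTIONARY (a stand-in for a real cracking wordlist) and its KEYBOARD_WALKS list are constructed; “unusual character” is taken to mean any symbol other than the article’s !@?$, and the rotation check strips exactly the parts the article says people change (months, seasons, years, and a leading or trailing number).

```python
"""Password policy checker for the basic and strong tiers above (added example)."""
import re

COMMON_SPECIALS = set("!@?$")                      # the article's "avoid" list
LEET_REVERSE = str.maketrans({"0": "o", "@": "a", "$": "s"})
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
KEYBOARD_WALKS = ["qazxsw", "qwerty", "zxcvbn", "asdfgh", "1qaz2wsx", "123456"]
# Constructed stand-in for a full wordlist such as cracklib's.
DICTIONARY = {"password", "pass", "word", "welcome", "monkey", "letmein",
              "dragon", "admin", "secret", "login"}


def normalize(pw):
    """Lowercase and undo the o>0, a>@, s>$ swaps so P@ssw0rd reads as password."""
    return pw.lower().translate(LEET_REVERSE)


def covered_by_words(norm, dictionary):
    """Indexes of characters that belong to some dictionary word."""
    covered = set()
    for word in dictionary:
        start = norm.find(word)
        while start != -1:
            covered.update(range(start, start + len(word)))
            start = norm.find(word, start + 1)
    return covered


def check_password(pw, tier="basic", company_words=()):
    """Return the list of policy violations; an empty list means acceptable."""
    norm = normalize(pw)
    dictionary = DICTIONARY | {w.lower() for w in company_words}
    unusual = [i for i, c in enumerate(pw)
               if not c.isalnum() and c not in COMMON_SPECIALS]
    upper_or_digit = sum(c.isupper() or c.isdigit() for c in pw)
    reasons = []
    if len(pw) < 9:
        reasons.append("shorter than 9 characters")
    if not unusual:
        reasons.append("no unusual special character (letters, digits and !@?$ only)")
    if upper_or_digit < 1:
        reasons.append("no uppercase letter or digit")
    if any(w.lower() in norm for w in company_words):
        reasons.append("contains a company-related word")
    if any(t in norm for t in MONTHS + SEASONS) or re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a month, season or year")
    if any(k in pw.lower() for k in KEYBOARD_WALKS):
        reasons.append("contains a keyboard walk")
    # Strip leading/trailing digits and symbols: is what remains just a word?
    if re.sub(r"^[^a-z]+|[^a-z]+$", "", norm) in dictionary:
        reasons.append("a dictionary word with letter swaps, numbers or symbols added")
    if tier == "strong":
        if len(pw) < 12:
            reasons.append("shorter than 12 characters")
        if len(unusual) < 2 or any(b - a == 1 for a, b in zip(unusual, unusual[1:])):
            reasons.append("needs two non-consecutive unusual special characters")
        if upper_or_digit < 2:
            reasons.append("needs at least two uppercase letters or digits")
        if len(pw) - len(covered_by_words(norm, dictionary)) < 2:
            reasons.append("fewer than two characters outside dictionary words")
    return reasons


def rotation_core(pw):
    """Strip the parts people change at rotation time: years, a leading or
    trailing number, and month or season names (after undoing letter swaps)."""
    core = re.sub(r"(19|20)\d\d", "", pw.lower())
    core = re.sub(r"^(\W*)\d+", r"\1", core)
    core = re.sub(r"\d+(\W*)$", r"\1", core)
    core = normalize(core)
    for token in MONTHS + SEASONS:
        core = core.replace(token, "")
    return core


def is_rotation_of(old_pw, new_pw):
    """True when the new password is the old one with only the rotation token changed."""
    return rotation_core(old_pw) == rotation_core(new_pw)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Summer2024!", "pass%word6A", "pass%word6A;k2"]:
        print(candidate, "->", check_password(candidate, tier="strong") or "OK")
    print("Welcome12! -> Welcome13! is a rotation:",
          is_rotation_of("Welcome12!", "Welcome13!"))
```

The substring checks are deliberately strict: “may” inside “maybe” or “fall” inside “waterfall” will be flagged, which is the price of catching Summer2024! and its relatives. Pairing the new password against the old one with is_rotation_of is what turns “a brand new password each time” from handbook advice into something the system can enforce.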

Get Help!

A good password policy should be effective without being complicated. This means you can have peace of mind without annoying your employees. GGNet is experienced in writing policies with your needs in mind and is happy to help! For more information, give us a call at 219.926.6800 or contact us through our website.
