Password Tips & Practices Every Administrator Should Apply
New mobile apps to keep an eye on
Auctor purus, aliquet risus tincidunt erat nulla sed quam blandit mattis id gravida elementum, amet id libero nibh urna nisi sit sed. Velit enim at purus arcu sed ac. Viverra maecenas id netus euismod phasellus et tempus rutrum tellus nisi, amet porttitor facilisis aenean faucibus eu nec pellentesque id. Volutpat, pellentesque cursus sit at ut a imperdiet duis turpis duis ultrices gravida at aenean amet mattis sed aliquam augue nisl cras suscipit.
- Commodo scelerisque convallis placerat venenatis et enim ullamcorper eros.
- Proin cursus tellus iaculis arcu quam egestas enim volutpat suspendisse
- Sit enim porttitor vehicula consequat urna, eleifend tincidunt vulputate turpis
What new social media mobile apps are available in 2022?
At elit elementum consectetur interdum venenatis et id vestibulum id imperdiet elit urna sed vulputate bibendum aliquam. Tristique lectus tellus amet, mauris lorem venenatis vulputate morbi condimentum felis et lobortis urna amet odio leo tincidunt semper sed bibendum metus, malesuada scelerisque laoreet risus duis.
Use new social media apps as marketing funnels
Ullamcorper pellentesque a ultrices maecenas fermentum neque eget. Habitant cum esat ornare sed. Tristique semper est diam mattis elit. Viverra adipiscing vulputate nibh neque at. Adipiscing tempus id sed arcu accumsan ullamcorper dignissim pulvinar ullamcorper urna, habitasse. Lectus scelerisque euismod risus tristique nullam elementum diam libero sit sed diam rhoncus, accumsan proin amet eu nunc vel turpis eu orci sit fames.
- Eget velit tristique magna convallis orci pellentesque amet non aenean diam
- Duis vitae a cras morbi volutpat et nunc at accumsan ullamcorper enim
- Neque, amet urna lacus tempor, dolor lorem pulvinar quis lacus adipiscing
- Cursus aliquam pharetra amet vehicula elit lectus vivamus orci morbi sollicitudin
“Sit enim porttitor vehicula consequat urna, eleifend tincidunt vulputate turpis, dignissim pulvinar ullamcorper”
Try out Twitter Spaces or Clubhouse on iPhone
Nisi in sem ipsum fermentum massa quisque cursus risus sociis sit massa suspendisse. Neque vulputate sed purus, dui sit diam praesent ullamcorper at in non dignissim iaculis velit nibh eu vitae. Bibendum euismod ipsum euismod urna vestibulum ut ligula. In faucibus egestas dui integer tempor feugiat lorem venenatis sollicitudin quis ultrices cras feugiat iaculis eget.
Try out Twitter Spaces or Clubhouse on iPhone
Id ac imperdiet est eget justo viverra nunc faucibus tempus tempus porttitor commodo sodales sed tellus eu donec enim. Lectus eu viverra ullamcorper ultricies et lacinia nisl ut at aliquet lacus blandit dui arcu at in id amet orci egestas commodo sagittis in. Vel risus magna nibh elementum pellentesque feugiat netus sit donec tellus nunc gravida feugiat nullam dignissim rutrum lacus felis morbi nisi interdum tincidunt. Vestibulum pellentesque cursus magna pulvinar est at quis nisi nam et sed in hac quis vulputate vitae in et sit. Interdum etiam nulla lorem lorem feugiat cursus etiam massa facilisi ut.
Thirty years ago the most one had to remember for a password was a school locker combination or an office push pad lock for a door. Today, passwords are needed for just about everything. Any service on the Internet or mobile app needs its own password, and in the business world they are ubiquitous as keys to the kingdom on enterprise networks and shared digital resources. No surprise, passwords and their owners continue to represent the weakest link in IT security. Fortunately, many of their concerns are also the easiest to change with prevention steps, if people apply them often and correctly.
There are various fixes for the multitude of passwords one has to remember now, but that still doesn’t address the fundamental problem of poor password management by users or organizations. And until we reach a world of biometric keys and unique personal tools, passwords are going to remain the standard for a long time probably. As a result, companies and organizations have to constantly address the human factor.
Why Standard Policies Fall Short
Standard password policies tend to center around four typical approaches for username and password security:
- Making sure the password minimum length is at least 8 digits long, better if 12 or 16.
- Lots of complexity in the password with uppercase and lowercase letters, numeric digits and special characters.
- Making sure passwords are changed on a regular basis (usually 90 days)
- Automatic account lockout rules after a number of incorrect attempts are made with a wrong password.
However, the above common policies fail to deal with the human factor that keeps breaking the expected rules. Frequent, frustrating issues include staff sharing their passwords with each other for convenience and easier access, using personal information, reusing the same password again and again, failing to change a password after a breach occurred, writing passwords down and leaving them on desks or in the open, not using two-factor defenses, and leaving the computer on to avoid having to login at all. Anyone who practice occasional office testing for staff slipups and vulnerabilities will probably find a break-in candidate within about two to three days in an unannounced audit.
In addition, even if folks do everything they are supposed with the four common prevention steps, the vulnerability versus today’s anti-security technology is still high. Basic hacking tools can make short work of standard good password or passphrase policies, especially with the power of computers working day and night. These attacks come in the form of automated brute force and dictionary attacks where a program guesses every possibility, breaking security questions with data gleaned off of social media about a user, still taking advantage of simplistic passwords like god or 12345. And the most successful tends to still be social engineering attacks where people just give up their passwords willingly.
Get Proactive and Stop Relying on Users
So, what can a company do? Are data breaches inevitable? Ban easier to remember passwords? If one relies on the Security Exchange Commission’s view, attacks for any size business are matter of when, not if.
Fortunately, there is more that can be applied administratively on user accounts without fully relying on those users to do their part. These password protection steps include:
- Force Easy to Remember Passwords to 16 digits With Complexity – The amount of time it takes a computer program to break a 16 digit password with complexity is more computational time than it takes a bit miner to crack a new Bitcoin. That kind of difficulty drives easy opportunists away very quickly, even with software tools. The strongest method is, of course, 64 digits.
- Utilize Password Encryption – Networks that automatically encrypt password fields and their data transfer block the most common method of grabbing passwords, network sniffing. All the hacker sees is a blizzard of characters that don’t make sense. Not using encryption literally leaves the password easy to read on a sniffed network or channel.
- Require Two-Factor Authentication – Absolutely one of the most effective tools available, multi factor authentication forces a unique second password code to be generated with every login. It’s easy to apply and any user with a connected cell phone or token key can still login without issue.
- Layer on More Methods – Unique passwords plus other tools like voice or biometric data makes it extremely hard to get into a system without the user’s cooperation. This wipes out the errant user name and password being written down and stolen or being overheard or seen in a public area.
- Force Minimum Acceptance Testing on New Strong Passwords – Your own server tools like Windows Server can require minimum criteria on new passwords in a network, forcing users to comply whether they like it or not. This may not work for dictionary words, however, in which case an administrator would have to rely on regular training reminders and auditing passwords for violations.
- Force Modularization – By requiring employees to have different passwords for different parts of a network, it blocks of access to the whole system even if a breach occurs. This follows the rule of “least privilege access.” No one should be allowed to have a universal password.
- Have the Ability to Nuke Connected Mobile Devices – Any device connected to your network should have a requirement for remote wipe. This way, if a mobile phone is compromised, you can immediately kill that access entirely and shut off further damage. This a very effective defense to stolen or lost mobile devices.
- Require Automatic Deletion of Unused Accounts & Separating Employees – This is a bit of a no-brainer; any accounts not used after 45 days or associated with a departing employee should be cut off immediately by default. These provide backdoor entry for anyone who gets them and the account hasn’t been deleted or disabled.
- Password Managers May Help – Password software memory tools provide a great way to manage passes, remembering passwords and storing passwords with a simple, singular channel, but their strength of a one account approach is also their Achilles Heel. If the password to the password manager is compromised, then so is everything else. In these cases having a physical security token as well as an MFA and password may be a better approach with a password manager.
There is no perfect solution for passwords as long as they will be used; the human element always presents an inherent risk, especially as user number increases dramatically. However, there are lot of steps an organization can take to limit the access and potential risk a password mistake can produce. Companies and organizations just need to proactively exercise them and take advantage of the tools they already have. Further, additional added layers can increase complexity and defenses when apply.
