A strong password is critically important to prevent unauthorized access to your computer and online accounts. However, many companies are using outdated password policies that were based on a standard that was published in 2003. Fifteen years ago the recommendations for creating a strong password were that they should include at least eight characters, an uppercase letter, a lowercase letter, a number and a special character, and expire every 90 days.
Data security evolves over time as new threats constantly emerge and security specialists like me develop and recommend countermeasures to combat these threats. Today we know that the character mix isn’t as significant as it was originally thought to be, and passwords that took about 90 days to crack 15 years ago can now be guessed in a few seconds. The outdated password guidelines actually encouraged us to create passwords that are hard for people to remember but easy for computers to crack.
Bottom line: If you’re using the old guidelines, it’s time to update your organization’s password policy. Modern guidance is to create longer passwords or passphrases that don’t expire every three months. I prefer a password of at least 15 characters. I also strongly recommend adopting multifactor authentication (MFA) that incorporates more than one of the following: something you know (password), something you have (physical device token or cryptographic key) or something you are (fingerprint or other biometric) to provide another layer of security if your password is leaked or cracked.
Employees are more likely to create longer and more complex passwords if they don’t have to change them every three months. In reality the high-frequency password changes lead to the creation of weak passwords that are easy to remember like “Password#1.” A password like this meets the outdated guidelines but is very easy to crack and should not be used. In addition, there is a huge cost in labor tied to frequent password expirations when you factor in the time spent by information technology departments assisting frustrated users and the time spent by employees changing and trying to remember their new passwords.
In addition to requiring longer passwords or passphrases, your company also might want to implement measures to automatically blacklist common, easy to crack passwords like — you guessed it —Password#1.
Tony Dow is senior manager of security services operations at Hawaiian Telcom. He manages the company’s internal security program. Reach him at Tony.firstname.lastname@example.org.