top 10 passwords used to “secure” enterprise-connected devices in 2016? Sadly and unsurprisingly, here they are, along with how long it would take it would take a computer to crack each (and hack into said device and network):
- 123456 (instantly)
- password (instantly)
- 12345 (instantly)
- 12345678 (instantly)
- football (instantly)
- qwerty (instantly)
- 1234567890 (instantly)
- 1234567 (instantly)
- princess (instantly)
- 1234 (instantly)
Do you see a theme developing here? This theme translates to your networks not being nearly secure as you think and hope them to be. Your employees are your first and best line of defense against cybercriminals trying to do your company harm. You should be providing those employees the tools necessary to mount that defense. And one of those tools is training on proper password strategies and techniques.
On what should you be training your employees? Consider these 10 tips.
- All passwords should be reasonably complex and difficult for unauthorized people to guess. That is, employees should not use any common name, noun, verb, adverb, or adjective, like “password”, “football”, or “princess”.
- Passwords must be a minimum of 12 characters long, and must contain at least one uppercase letter, one number, and one ASCII character. One recommended method to create a complex and secure password is to pick a phrase, take its initials, mix up the capitalization, and further replace some of the letters with numbers and other characters. For example, the phrase “This will help me remember my password” can become “TwHm8mPw!”.
- Employees should use common sense when choosing passwords. Avoid basic combinations that are easy to crack. For instance, choices like “password,” “password1” and “Pa$$w0rd” are equally bad from a security perspective and must be avoided.
- Default passwords—such as those created for new employees when they start or those that protect new systems when they’re initially set up—must be changed with the employee’s first login.
- Employees must choose unique passwords for each company accounts, and may not recycle a password they already use for a personal account.
- Passwords should not be posted on or near computer terminals or otherwise be readily accessible in the area of the terminal. Post-It notes are the enemy.
- Password must be changed per a set schedule. (I suggest every six months.) You should enforce this policy with software.
- If an employee doubts the security of a password—for example, if it appears that an unauthorized person has logged in to the account, or if the employee clicks a suspicious link in an unknown email or otherwise thinks a password has been divulged—the password must be changed immediately and IT must be notified.
- User accounts will be frozen after “x” number of failed logon attempts. (I suggest three.)
- Employees should not share their password(s) with anyone. Those who need system access will receive their own unique password.
It would take 16 billion years to crack my current network password. And, unless I fall victim to a phishing or other scheme that reveals it, I feel confident that my password is safe. My challenge to each of your employees is to top me.