Stories about easy-to-guess passwords based on common words, sequential digits, or simply the word “password” are fairly common. Millions of users, in an effort to make their passwords easy to remember, fall into this trap, or they write their passwords on sticky notes, never change them, or reuse the same password across multiple applications.
I wanted to see how just the strength of a password would affect its ability to be guessed by brute force using a PC, so I went to howsecureismypassword.net. I am not affiliated with the host of this site or its sponsor, and so cannot vouch for the security of any content they manage. So, as a precaution, don’t use any site like this to test your actual passwords.
For the test, I chose five passwords: rabbit, rabbit9, rabbit99, rabbit99K and rabbit99K). I ran each password through their checker and found the following lengths of time that would be required to guess each one:
- rabbit: a desktop PC could guess this password more or less instantly
- rabbit9: 19 seconds
- rabbit99: 11 minutes
- rabbit99K: 39 days
- rabbit99K): 58 years
Obviously, the longer and more complex the password, the longer it takes to guess by brute force: each additional character multiplies the search space by the size of the alphabet, and each additional character class (digits, upper case, symbols) enlarges that alphabet. Yhn-P9q9Km4-9UtQw)7*, for example, would require 425 quintillion years according to howsecureismypassword.net. Two caveats apply to figures like these. They model exhaustive search on a single PC, whereas real attackers crack stolen password-hash databases on GPU rigs that run orders of magnitude faster. And attackers rarely start with exhaustive search at all: a dictionary attack with mangling rules treats rabbit99K as the word “rabbit” plus a three-character suffix, a far smaller space than nine characters over a 62-symbol alphabet, so a password built from a common word remains weak no matter how many characters are tacked on.
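To make the scaling concrete, here is an added example (not code from the original post or from howsecureismypassword.net, whose exact model is not published) that sizes a password's search space from the character classes it uses and converts that to a crack time. The guess rate of 4 billion per second is a constructed assumption; it roughly reproduces the page's figures for the lowercase and digit cases, while the symbol cases come out higher because the symbol set used here is the full 32-character ASCII punctuation set. The second estimator, `wordlist_seconds`, goes beyond the page's test and models a dictionary attack with appended-suffix rules against a hypothetical 100,000-word list, to show why word-plus-suffix passwords fall much faster than the brute-force number suggests.

```python
import string

# Character classes an estimator credits a password with. Assumption: the
# attacker exhausts only the classes actually present in the password, which is
# roughly how online "how secure is my password" checkers size the search space.
CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32 printable ASCII symbols
)

# Assumed guess rate for a single desktop PC (constructed figure for this
# example; it roughly reproduces the page's numbers for the lower/digit cases).
GUESSES_PER_SECOND = 4e9


def alphabet_size(text: str) -> int:
    """Size of the alphabet formed by every character class present in text."""
    chars = set(text)
    return sum(len(cls) for cls in CLASSES if chars & set(cls))


def candidates_up_to(alphabet: int, length: int) -> int:
    """Number of strings of length 1..length over an alphabet of that size."""
    return sum(alphabet ** k for k in range(1, length + 1))


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust every string up to the password's length
    over the password's own alphabet."""
    return candidates_up_to(alphabet_size(password), len(password)) / rate


def wordlist_seconds(password: str, base_word: str, words_in_list: int = 100_000,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Time for a dictionary attack with suffix mangling. Constructed model: the
    attacker's wordlist has words_in_list entries (base_word among them), and
    every suffix of up to len(suffix) characters drawn from the suffix's own
    character classes is appended to each word."""
    if not password.startswith(base_word):
        raise ValueError("base_word must be a prefix of password")
    suffix = password[len(base_word):]
    per_word = candidates_up_to(alphabet_size(suffix), len(suffix)) if suffix else 1
    return words_in_list * per_word / rate


def humanize(seconds: float) -> str:
    """Render a duration the way the page does: 'instantly', '40 days', ..."""
    if seconds < 1:
        return "instantly"
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            value = seconds / size
            text = f"{value:.3g}" if value >= 1e6 else f"{value:,.0f}"
            return f"{text} {name if text != '1' else name[:-1]}"
    return f"{seconds:.0f} seconds"   # not reached: the 1-second unit always matches


if __name__ == "__main__":
    samples = ["rabbit", "rabbit9", "rabbit99", "rabbit99K", "rabbit99K)",
               "Yhn-P9q9Km4-9UtQw)7*"]
    for pw in samples:
        print(f"{pw:22} alphabet {alphabet_size(pw):3}  "
              f"brute force: {humanize(brute_force_seconds(pw))}")
    # The same word-plus-suffix passwords fall far faster to a dictionary attack.
    for pw in ["rabbit99K", "rabbit99K)"]:
        print(f"{pw:22} wordlist + suffix rules: "
              f"{humanize(wordlist_seconds(pw, 'rabbit'))}")
```

Running it prints roughly 20 seconds for rabbit9, 12 minutes for rabbit99 and 40 days for rabbit99K under exhaustive search, but only about nine minutes for rabbit99K) once the attacker treats it as “rabbit” plus a four-character suffix. The ordering across the five passwords is what matters; the absolute numbers move with whatever guess rate and symbol set you plug in.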
But strong passwords are just part of the security story. Organizations should undertake other steps, as well:
- Use multi-factor authentication, which requires, for example, a password plus a one-time code from an authenticator app or hardware token on the user's phone or keyring. Codes delivered by SMS are better than nothing but are the weakest option, since they can be intercepted through SIM swapping.
- If you impose password expiration at regular intervals, scale the interval to the sensitivity of the data asset or application being accessed. Note that current NIST guidance (SP 800-63B) advises against forced periodic rotation without evidence of compromise, because users respond with predictable variations (rabbit99K becomes rabbit99L); forcing a change when a credential is known or suspected to be exposed matters more than rotating on a calendar.
- Disable accounts that have been inactive for a set number of days, since nobody notices when a dormant account starts being used.
- Implement strict lockout thresholds for sensitive data assets or applications, allowing only a small number of consecutive authentication failures before the account is locked or further attempts are throttled.
- Don't allow passwords to be reused: keep a history of previous password hashes and reject a new password that matches any of them, and reject passwords that appear in known breach lists.
- Implement self-service password reset, but only if two-factor authentication or similar controls protect the reset flow; otherwise the reset path becomes the weakest link in the whole scheme.
- Employ risk-based authentication that imposes stricter requirements based on the sensitivity of the data assets being accessed, the location of those accessing them, the time of day, and similar signals.
- Finally, establish policies for which data assets really need to be accessible online and which can or should be disconnected from the Internet.
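Two of the items above, the lockout threshold and the ban on password reuse, are mechanical enough to show in code. The following is an added example written for this page, not code from the original post or from any product: a minimal authentication service that locks an account after a fixed number of consecutive failures, lets the lock expire, and refuses a new password that matches the current one or any entry in the account's hash history. The policy values (5 failures, 15-minute lock, 10-entry history, 100,000 PBKDF2 rounds) are constructed assumptions; the clock is injectable so lock expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Policy values are constructed assumptions for this example, not from the page.
MAX_FAILURES = 5        # consecutive failures before the account locks
LOCKOUT_SECONDS = 900   # how long the lock lasts (15 minutes)
HISTORY_DEPTH = 10      # how many previous passwords may not be reused
PBKDF2_ROUNDS = 100_000

# Salt used to hash a password for a non-existent user, so that a lookup miss
# costs the same time as a real comparison and does not reveal valid usernames.
_DUMMY_SALT = os.urandom(16)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; plaintext is never stored or compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.history: list[tuple[bytes, bytes]] = []   # (salt, digest) of old passwords
        self.failures = 0          # consecutive failed logins
        self.locked_until = 0.0    # epoch seconds; 0 means not locked


class AuthService:
    """Login with lockout plus password-history checking. `clock` is injectable
    so that lock expiry can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = Account(password)

    @staticmethod
    def _matches(password: str, salt: bytes, digest: bytes) -> bool:
        return hmac.compare_digest(hash_password(password, salt), digest)

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'bad_credentials'."""
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, _DUMMY_SALT)   # equalise timing
            return "bad_credentials"               # same answer as a wrong password
        now = self.clock()
        if now < acct.locked_until:
            return "locked"
        if self._matches(password, acct.salt, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "bad_credentials"

    def change_password(self, user: str, old: str, new: str) -> str:
        """Returns 'ok', 'reused' or 'bad_credentials'. The old password must
        verify first, so this path is subject to the same lockout as login."""
        if self.login(user, old) != "ok":
            return "bad_credentials"
        acct = self.accounts[user]
        previous = [(acct.salt, acct.digest)] + acct.history
        if any(self._matches(new, s, d) for s, d in previous):
            return "reused"
        acct.history = previous[:HISTORY_DEPTH]
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new, acct.salt)
        return "ok"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "rabbit99K)")
    for _ in range(MAX_FAILURES):
        print(svc.login("alice", "rabbit"))        # bad_credentials x4, then locked
    print(svc.login("alice", "rabbit99K)"))        # locked, even with the right password
    print(svc.change_password("alice", "rabbit99K)", "rabbit99K)"))  # bad_credentials (locked)
```

The reuse check has to re-derive the hash of the candidate password against every stored salt, so the cost of a password change grows with `HISTORY_DEPTH`; that is the price of never keeping old passwords in a comparable plaintext form. Screening against a breached-password list would slot in beside the history check, but is left out here because it needs an external data set.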
These are all fairly simple steps that would go a long way toward improving corporate security.