Password Security

Password security on the UNIX (a trademark of Bell Laboratories) time-sharing system [3] is provided by a collection of programs whose elaborate and strange design is the outgrowth of many years of experience with earlier versions. To help develop a secure system, we have had a continuing competition to devise new ways to attack the security of the system (the bad guy) and, at the same time, to devise new techniques to resist the new attacks (the good guy). This competition has been in the same vein as the competition of long standing between manufacturers of armor plate and those of armor-piercing shells. For this reason, the description that follows will trace the history of the password system rather than simply presenting the program in its current state. In this way, the reasons for the design will be made clearer, as the design cannot be understood without also understanding the potential attacks. An underlying goal has been to provide password security at minimal inconvenience to the users of the system. For example, those who want to run a completely open system without passwords, or to have passwords only at the option of the individual users, are able to do so, while those who require all of their users to have passwords gain a high degree of security against penetration of the system by unauthorized users. The password system must be able not only to prevent any access to the system by unauthorized users (i.e., prevent them from logging in at all), but it must also prevent users who are already logged in from doing things that they are not authorized to do. The so-called "super-user" password on the UNIX system, for example, is especially critical because the super-user has all sorts of permissions and has essentially unlimited access to all system resources. Password security is of course only one component overall System security, but it is an essential component. Experience has shown that attempts to penetrate remote-access systems have been astonishingly sophisticated. Remote-access systems are peculiarly vulnerable to penetration by outsiders as there are threats at the remote terminal, along the communications link, as well as at the computer itself. Although the security of a password encryption algorithm is an interesting intellectual and mathematical problem, it is only one tiny facet of a very large problem. In practice, physical security of the computer, communications security of the communications link, and physical control of the computer itself loom as far more important issues. Perhaps most important of all is control over the actions of ex-employees, since they are not under any direct control and they may have intimate knowledge about the system, its resources, and methods of access. Good system security involves realistic evaluation of the risks not only of deliberate attacks but also of casual authorized access and accidental disclosure.

Prologue
The UNIX system was first implemented with a password file that contained the actual passwords of all the users, and for that reason the password file had to be heavily protected against being either read or written. Although historically, this had been the technique used for remote-access systems, it was completely unsatisfactory for several reasons.

The technique is excessively vulnerable to lapses in security. Temporary loss of protection can occur when the password file is being edited or otherwise modified. There is no way to prevent the making of copies by privileged users. Experience with several earlier remote access systems showed that such lapses occur with frightening frequency. Perhaps the most memorable such occasion occurred in the early 60s at a time when one of the authors (Morris) happened to be using the system. A system administrator on the CTSS system at MIT was editing the password file and another system administrator was editing the daily message that is printed on everyone's terminal on login. Due to a software design error, the temporary editor files of the two users were interchanged and thus, for a time, the password file was printed on every terminal when it was logged in. Once such a lapse in security has been discovered, everyone's password must be changed, usually simultaneously, at a considerable administrative cost. This is not a great matter, but far more serious is the high probability of such lapses going unnoticed by the system administrators. Security against unauthorized disclosure of the passwords was, in the last analysis, impossible with this system because, for example, if the contents of the file system are put on to magnetic tape for backup, as they must be, then anyone who has physical access to the tape can read anything on it with no restriction. Many programs must get information of various kinds about the users of the system, and these programs in general should have no special permission to read the file. The information which should have been in the password file actually was distributed (or replicated) into a number of files, all of which had to be updated whenever a user was added to or dropped from the system.

The First Scheme

The obvious solution is to arrange that the passwords not appear in the system at all, and it is not difficult to decide that this can be done by encrypting each user's password, putting only the encrypted form in the password file, and throwing away his original password (the one that he typed in). When the user later tries to log in to the system, the password that he types is encrypted and compared with the encrypted version in the password file. If the two match, his login attempt is accepted. Such a scheme was first described in [4, p. 91ff.]. It also seemed advisable to devise a system in which neither the password file nor the password program itself needed to be protected against being read by anyone. All that was needed to implement these ideas was to find a means of encryption that was very difficult to invert, even when the encryption program is available. Most of the standard encryption methods used (in the past) for encryption of messages are rather easy to invert. A convenient and rather good encryption program happened to exist on the system at the time; it simulated the M-209 cipher machine [1] used by the U.S. Army during World War II. It turned out that the M-209 program was usable, but with a given key, the ciphers produced by this program are trivial to invert. It is a much more difficult matter to find out the key given the clear text input and the enciphered output of the program. There-fore, the password was used not as the text to be encrypted but as the key, and a constant was encrypted using this key. The encrypted result was entered into the password file.

Attacks on the First Approach

Suppose that the bad guy has available the text of the password encryption program and the complete password file. Suppose also that he has substantial computing capacity at his disposal. One obvious approach to penetrating the password mechanism is to attempt to find a general method of inverting the encryption algorithm. Very possibly this can be done, but few successful results have come to light, despite substantial efforts extending over a period of more than five years. The results have not proved to be very useful in penetrating systems. Another approach to penetration is simply to keep trying potential passwords until one succeeds; this is a general cryptanalytic approach called key search. Human beings being what they are, there is a strong tendency for people to choose relatively short and simple passwords that they can remember. Given free choice, most people will choose their passwords from a restricted character set (e.g., all lower-case letters), and will often choose words or names. This human habit makes the key search job a great deal easier. The critical factor involved in key search is the amount of time needed to encrypt a potential password and to check the result against an entry in the password file. The running time to encrypt one trial password and check the result turned out to be approximately 1.25 milliseconds on a PDP-11/70 when the encryption algorithm was recoded for maximum speed. It takes essentially no more time to test the encrypted trial password against all the passwords in an entire password file, or for that matter, against any collection of encrypted passwords, perhaps collected from many installations. If we want to check all passwords of length n that consist entirely of lower-case letters, the number of such passwords is 26 n. If we suppose that the password consists of printable characters only, then the number of possible passwords is somewhat less than 95 n. (The standard system "character erase" and "line kill" characters are, for example, not prime candidates.) We can immediately estimate the running time of a program that will test every password of a given length with all of its characters chosen from some set of characters. The following table gives estimates of the running time required on a PDP- 11/70 to test all possible character strings of length n chosen from various sets of characters: namely, all lowercase letters, all lower-case letters plus digits, all alphanumeric characters, all 95 printable ASCII characters, and finally all 128 ASCII characters. One has to conclude that it is no great matter for someone with access to a PDP-11 to test all lower-case alphabetic strings up to length five and, given access to the machine for, say, several weekends, to test all such strings up to six characters in length. By using such a program against a collection of actual encrypted passwords, a substantial fraction of all the passwords will be found. Another profitable approach for the bad guy is to use the word list from a d!ctionary or to use a list of names. For example, a large commercial dictionary contains typically about 250,000 words; these words can be checked in about five minutes. Again, a noticeable fraction of any

collection of passwords will be found. Improvements and extensions will be (and have been) found by a determined bad guy. Some "good" things to try are: --The dictionary with the words spelled backwards. --A list of first names (best obtained from some mailing list). Last names, street names, and city names also work well. --The above with initial upper-case letters. --All valid license plate numbers in your state. (This takes about five hours in New Jersey.) --Room numbers, social security numbers, telephone numbers, and the like. The authors have conducted experiments to try to determine typical users' habits in the choice of passwords when no constraint is put on their choice. The results were disappointing, except to the bad guy. In a collection of 3,289 passwords gathered from many users over a long period of time, 15 were a single ASCII character; 72 were strings of two ASCII characters; 464 were strings of three ASCII characters; 477 were strings of four alphamerics; 706 were five letters, all upper-case or all lower-case; 605 were six letters, all lower-case. An additional 492 passwords appeared in various available dictionaries, name lists, and the like. A total of 2,831 or 86 percent of this sample of passwords fell into one of these classes. There was, of course, considerable overlap between the dictionary results and the character string searches. The dictionary search alone, which required only five minutes to run, produced about one third of the passwords. Users could be urged (or forced) to use either longer passwords or passwords chosen from a larger character set, or the system could itself choose passwords for the users.

An Anecdote
An entertaining and instructive example is the attempt made at one installation to force users to use less predictable passwords. The users did not choose their own passwords; the system supplied them. The supplied passwords were eight characters long and were taken from the character set consisting of lower-case letters and digits. They were generated by a pseudo random number generator with only 21~ starting values. The time required to search (again on a PDP-11/70) through all character strings of length 8 from a 36-character alphabet is 112 years. Unfortunately, only 21~ of them need be looked at, because that is the number of possible outputs of the random number generator. The bad guy did, in fact, generate and test

each of these strings and found every one of the system-generated passwords using a total of only about one minute of machine time. In this case, no harm was done, as the bad guy happened to be a friendly user.

Improvements to the First Approach

1. Slower Encryption:
Obviously, the first algorithm used was far too fast. The announcement of the DES encryption algorithm by the National Bureau of Standards was timely and fortunate. The DES is, by design, hard to invert, but equally valuable is the fact that it is extremely slow when implemented in software. The DES was implemented and used in the following way: The first eight characters of the user's password are used as a key for the DES; then the algorithm is used to encrypt a constant. Although this constant is zero at the moment, it is easily accessible and can be made installation-dependent. Then the DES algorithm is iterated 25 times and the resulting 64 bits are repacked to become a string of 11 printable characters.

2. Less Predictable Passwords:

The password entry program was modified so as to urge the user to use more obscure passwords. If the user enters an alphabetic password (all upper-case or all lower-case) shorter than six characters, or a password from a larger character set shorter than five characters, then the program asks him to enter a longer password. This further reduces the efficacy of key search. These improvements make it exceedingly difficult to find any individual password. The user is warned of the risks and if he cooperates, he is very safe indeed. On the other hand, he is not prevented from using his spouse's name if he wants to.
3.

Salted Passwords:

The key search technique is still likely to turn up a few passwords when it is used on a large collection of passwords, and it seemed wise to make this task as difficult as possible. To this end, when a password is first entered, the password program obtains a 12-bit random number (by reading the real-time clock) and appends this to the password typed in by the user. The concatenated string is encrypted and both the 12bit random quantity (called the salt) and the 64-bit result of the encryption are entered into the password file. When the user later logs in to the system, the 12-bit quantity is extracted from the password file and appendedto the typed password. The encrypted result is required, as before, to be the same as the remaining 64 bits in the password file. This modification does not increase the task of finding any individual password, starting from scratch, but now the work of testing a given character string against a large collection of encrypted passwords has been multiplied by 4,096 (212). The reason for this is that there are 4,096 encrypted versions of each password and one of them has been picked more or less at random by the system. With this modification, it is likely that the bad guy can spend days of computer time trying to find a password on a system with hundreds of passwords, and find none at all. More important is the fact that it becomes impractical to prepare an encrypted dictionary in advance. Such an encrypted dictionary could be used to crack new passwords in milliseconds when they appear. There is a (not inadvertent) side effect of this modification.

It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them, unless you already know that.

4. The Threat of the DES Chip

Chips to perform the DES encryption are already commercially available and they are very fast. The use of such a chip speeds up the process of password hunting by three orders of magnitude. To avert this possibility, one of the internal tables of the DES algorithm (in particular, the so-called E-table) is changed in a way that depends on the 12bit random number. The E-table is inseparably wired into the DES chip, so that the commercial chip cannot be used. Obviously, the bad guy could have his own chip designed and built, but the cost would be very high.

5. A Subtle Point
To log in successfully on the UNIX system, it is necessary after dialing in to type a valid user name, and then the correct password for that user name. It is poor design to write the login command in such a way that it tells an interloper when he has typed in an invalid user name. The response to an invalid name should be identical to that for a valid name. When the slow encryption algorithm was first implemented, the encryption was done only if the user name was valid, because otherwise there was no encrypted password to compare with the supplied password. The result was that the response was delayed by about one half second if the name was valid, but was immediate if invalid. The bad guy could find out whether a particular user name was valid. The routine was modified to do the encryption in either case. On the issue of password security, UNIX is probably better than most systems. The use of encrypted passwords appears reasonably secure in the absence of serious attention of experts in the field. It is also worth some effort to conceal even the encrypted passwords. Some UNIX systems have instituted what is called an "external security code" that must be typed when dailing into the system, but before logging in. If this code is changed periodically, then someone with an old password will likely be prevented from using it. Whenever any security procedure is set up to deny access to unauthorized persons, it is wise to keep a record of both successful and unsuccessful attempts to get at the secured resource. For example, an out-of-hours visitor to a computer centre normally must not only identify himself, but a record is usually also kept of his entry. Just so, it is a wise precaution to make and keep a record of all attempts to log into a remote-access time-sharing system, and certainly all unsuccessful attempts. Bad guys fall on a spectrum whose one end is someone with ordinary access to a system and whose goal is to find out a particular password (usually that of the super-user) and, at the other end, someone who wishes to collect as much password information as possible from as many systems as possible. Most of the work reported here serves to frustrate the latter type; our experience indicates that the former type of bad guy never Was very successful. We recognize that a time-sharing system must operate in a hostile environment. We did not attempt to hide the security aspects of the operating system, thereby playing the customary make-believe game in which weaknesses of the system are not discussed no matter how apparent. Rather we advertised the password algorithm and invited attack in the belief that this approach would minimize future trouble. The approach has been

successful.

Refresher Password Usage

Lets be honest, passwords are annoying. These days, we need a password or PIN everywhere. We have so many that we cant keep track of them all. We forget to update them; and when we do, its difficult to come up with effective ones that we can still remember, so we procrastinate changing them for months, even years. We all know this is bad, but the alternative the painful, irritating password creation and memorization process is sometimes more than we can tolerate. There is hope! Passwords dont have to be complex cryptograms. A few simple methods can help make living with passwords a little easier. While we may find them annoying, and even take them for granted, it is important to remember why passwords are important: passwords are often the first (and possibly only) defense against intrusion (MacGregor). They protect personal information information we dont want anyone and everyone to know. In our personal lives, this means financial information, health data, and private documents. In a professional context, this may encompass anything considered crucial to the success of the organization: trade secrets, financial data, intellectual property, customer lists, etc. Passwords are simpler and cheaper than other, more secure forms of authentication like special key cards, fingerprint ID machines, and retinal scanners. They provide a simple, direct means of protecting a system or account. For the sake of this article, well define a password as a word, a phrase, or combination of miscellaneous characters that authenticates the identity of the user. Passwords are generally used in combination with some form of identification, such as a username, account number, or e-mail address. While a username establishes the identity of the user for the computer or system, the password, which is known only to the authorized user, authenticates that the user is who he or she claims to be. This means that their function is to prove to the system that you are who you say you are (Russell).

Password Cracking
While passwords are a vital component of system security, they can be cracked or broken relatively easily. Password cracking is the process of figuring out or breaking passwords in order to gain unauthorized entrance to a system or account. It is much easier than most users would think. (The difference between cracking and hacking is that codes are cracked, machines are hacked.) Passwords can be cracked in a variety of different ways. The most simple is the use of a word list or dictionary program to break the password by brute force. These programs compare lists of words or character combination against password until they find a match. If cracking codes seems like science fiction, search password cracker on Packetstorm or Passwordportal.net. There are also numerous password cracking tools available that any average person can use. (For more information on password cracking tools, please see the SecurityFocus article Password Crackers - Ensuring the Security of Your Password.) Another easy way for potential intruders to nab passwords is through social engineering: physically nabbing the password off a Post-It from under someones keyboard or through imitating an IT engineer and asking over the phone. Many users create passwords that can be guessed by learning a minimal amount of information about the person whose password is being sought. (For more information on social engineering please see the SecurityFocus

series Social Engineering Fundamentals) A more technical way of learning passwords is through sniffers, which look at the raw data transmitted across the net and decipher its contents. A sniffer can read every keystroke sent out from your machine, including passwords (University of Michigan). Its possible that someone out there has at least one of your passwords right now.

How To Choose Good Passwords?

Now that we have established the importance of passwords and some of the ways in which they may be vulnerable to cracking, we can discuss ways of creating good, strong passwords. In creating strong, effective passwords it is often helpful to keep in mind some of the methods by which they may be cracked, so lets begin with what NOT to do when choosing passwords.

No Dictionary Words, Proper Nouns, or Foreign Words

As has already been mentioned, password cracking tools are very effective at processing large quantities of letter and number combinations until a match for the password is found, as such users should avoid using conventional words as passwords. By the same token, they should also avoid regular words with numbers tacked onto the end and conventional words that are simply written backwards, such as nimda. While these may prove to be difficult for people to figure out, they are no match for the brute force attacks of password cracking tools.

No Personal Information
One of the frustrating things about passwords is that they need to be easy for users to remember. Naturally, this leads many users to incorporate personal information into their passwords. However, as is discussed in theSocial Engineering Fundamentals, it is alarmingly easy for hackers to obtain personal information about prospective targets. As such, it is strongly recommended that users not include such information in their passwords. This means that the password should not include anything remotely related to the users name, nickname, or the name of a family member or pet. Also, the password should not contain any easily recognizable numbers like phone numbers or addresses or other information that someone could guess by picking up your mail.

Length, Width and Depth

A strong, effective password requires a necessary degree of complexity. Three factors can help users to develop this complexity: length, width & depth. Length means that the longer a password, the more difficult it is to crack. Simply put, longer is better. Probability dictates that the longer a password the more difficult it will be to crack. It is generally recommended that passwords be between six and nine characters. Greater length is acceptable, as long as the operating system allows for it and the user can remember the password. However, shorter passwords should be avoided. Width is a way of describing the different types of characters that are used. Dont just consider the alphabet. There are also numbers and special characters like %, and in most operating systems, upper and lower case letters are also known as different characters. Windows, for example, is not always case sensitive. (This means it doesnt know the difference between A and a.) Some operating systems allow control characters, alt characters, and spaces to be used in passwords. As a general rule the following character sets should all be included in every password:

uppercase letters such as A, B, C; lowercase letters such as a, b,c; numerals such as 1, 2, 3; special characters such as $, ?, &; and alt characters such as , , . (Cliff)

Depth refers to choosing a password with a challenging meaning something not easily guessable. Stop thinking in terms of passwords and start thinking in terms of phrases. A good password is easy to remember, but hard to guess. (Armstrong) The purpose of a mnemonic phrase is to allow the creation of a complex password that will not need to be written down. Examples of a mnemonic phrase may include a phrase spelled phonetically, such as ImuKat! (instead of Im a cat!) or the first letters of a memorable phrase such as qbfjold* = quick brown fox jumped over lazy dog. What may be most effective is for users to choose a phrase that is has personal meaning (for easy recollection), to take the initials of each of the words in that phrase, and to convert some of those letters into other characters (substituting the number 3 for the letter e is a common example). For more examples, see the University of Michigans Password Security Guide.

Extra Protection
All of the good password cracking programs include foreign words, backwards words, etc. And the easiest way to steal a password is by asking for it, so its simpler to never give it away. In some cases, a good password is enough protection to keep out intruders. In others, its just a start. Encryption and one-time passwords add extra protection to systems. Encryption means garbling the password to protect from sniffers or other onlookers, through a particular scheme that can be deciphered from the other end of the connection. One-time passwords (S/key is the most commonly used) are just that. They can be used only once. This requires carrying a list of passwords or having a special password calculator or SecureCard, but can be a very reliable method of password security. There are also certain behaviors that users should practice in order to maximize the effectiveness of their passwords. Users should avoid using the same password on multiple accounts. Doing this creates a single point of failure, which means that if an intruder gains access to one account, he or she will have access to all of the users accounts. Users should never disclose their passwords to anybody unless they know them to be authorized (i.e., systems administrators). Even then, passwords should only be disclosed in person (not over the phone or by e-mail) to a known, trusted source. Users should exercise extreme caution when writing down or storing passwords. Stories of hackers obtaining passwords through shoulder-surfing and dumpster diving are not urban myths, they are real. Users should resist the temptation to write down passwords on Post-It notes stuck to their monitors or hidden under their keyboards. Instead, they should choose passwords that they will be able to remember not an easy task given the complexity required of strong, effective passwords. There are always extraneous circumstances where we must write down passwords. This is not recommended, but if it must be done, it should be done with forethought, not haphazardly. The extreme example of too many passwords is contract system administrators, who have multiple clients and machines. For these people, the only advice is to write down the phrases or some

sort of related thought to jog your memory and put it on a piece of paper carried on your person. Maybe photocopy that and leave that stored in a safe place at home. Never put it on a Post-It. Never store it online. An obscured hint might be okay, but never the actual password or even an encrypted version.

Changing & Storing Passwords and PINs

In order to ensure their ongoing effectiveness, passwords should be changed on a regular basis. Changing passwords securely is fairly simple. Windows passwords are changed through the Control Panel and in UNIX, the passwd command generally does the trick. A good rule of thumb is to change passwords as close to the actual account as possible. For example, if its an ISP account, dont telnet through three other machines to change that password. If its an office computer, users should be on that computer and not on a co-workers when changing it. Dont let anybody watch while typing the old and new passwords. If at all possible, the password should be changed over a secure connection like a secure shell (SSH). How often one should change passwords really depends on the account. Online financial accounts should be changed every month or two. Corporate network passwords should be changed every 3-4 months. A recent 2600article recommended considering the sensitivity of the resources which you are trying to protect and suggested enforcing password changes somewhere between once per fiscal year and once per fiscal quarter (Thomas). Just use good judgment and dont be lazy. Changing a password is relatively quick and painless compared to the irritating and expensive process of combating identity theft.

Tips for Organizations and Network Administrators

Managers and administrators can enhance the security of their networks by setting strong password policies. Password requirements should be built into organizational security policies. Network administrators should institute by regular changes/updates of passwords. They should also regularly remind users of how easy it is for hackers to get their passwords through social engineering and online attacks. New users should be taught about good password practices. Providing intranet resources on network security and password security can also be helpful. Finally, the organizations password policy should be integrated into the security policy, and all readers should be made to read the policy and sign-off on it. Systems administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords. They should set password expiration dates on all programs being run on the organizations systems. Keep a password history to prevent reuse, and lock of accounts after 3-5 password attempts. Keep the number of people in the organization who have these passwords as small as possible. The organization should also use newer versions of OSs that have more secure password files and authentication protocols. Keep your individual account passwords updated as well. Finally, when installing new systems, make sure default passwords are changed immediately.

New Years Resolution

Obviously, passwords are just one piece of the puzzle. Other pieces are general user education, good physical security, plugging network holes, and installing strong firewalls. These provide much more global protection in the controlled corporate environment than passwords alone, but in areas where the only method of control users have is a PIN or password, the best thing we can do is be aware of security risks and keep up with their password controls.

One of the problems with passwords is that users forget them. In an effort to not forget them, they use simple things like their dogs name, their sons first name and birthdate, the name of the current month- anything that will give them a clue to remember what their password is. For the curious hacker who has somehow gained access to your computer system this is the equivalent of locking your door and leaving the key under the doormat. Without even resorting to any specialized tools a hacker can discover your basic personal information- name, childrens names, birthdates, pets names, etc. and try all of those out as potential passwords. To create a secure password that is easy for you to remember, follow these simple steps:
1. Do not use personal information. You should never use personal information as a part

of your password. It is very easy for someone to guess things like your last name, pet's name, child's birth date and other similar details.
2. Do not use real words. There are tools available to help attackers guess your password.

With today's computing power, it doesn't take long to try every word in the dictionary and find your password, so it is best if you do not use real words for your password.
3. Mix different character types. You can make a password much more secure by

mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as '&' or '%'.
4. Use a passphrase. Rather than trying to remember a password created using various

character types which is also not a word from the dictionary, you can use a passphrase. Think up a sentence or a line from a song or poem that you like and create a password using the first letter from each word. For example, rather than just having a password like 'yr$1Hes', you could take a sentence such as "I like to read the About.com Internet / Network Security web site" and convert it to a password like 'il2rtA!nsws". By substituting the number '2' for the word 'to' and using an exclamation point in place of the 'i' for 'Internet', you can use a variety of character types and create a secure password that is hard to crack, but much easier for you to remember.
5. Use a password management tool. Another way to store and remember passwords

securely is to use some sort of password management tool. These tools maintain a list of usernames and passwords in encrypted form. Some will even automatically fill in the username and password information on sites and applications. Using the tips above will help you create passwords that are more secure, but you should still also follow the following tips: Use different passwords. You should usea different username and password for each login or application you are trying to protect. That way if one gets compromised the others are still safe. Another approach which is less secure, but provides a fair tradeoff between

security and convenience, is to use one username and password for sites and applications that don't need the extra security, but use unique usernames and more secure passwords on sites such as your bank or credit card companies. Change your passwords. You should change your password at least every 30 to 60 days. You should also not re-use a password for at least a year.

Enforce stronger passwords: Rather than relying on every user of the computer to understand and follow the instructions above, you can configure Microsot Windows password policies so that Windows will not accept passwords that don't meet the minimum requirements.

9 Password Security Policies For SMBs

A state-of-the-art security system won't much matter if a hacker gets a hold of an employee's password. That's much more likely to happen if you take a laissez-faire approach--or none at all--to creating and protecting passwords. Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don't need to take up much time, either, especially once your policies and procedures are in place. "Password policy is something that's often overlooked, but it's an important part of keeping secure in an online world," said Morgan Slain, CEO of SplashData, in an interview. "It's something that SMBs can implement pretty easily." Here are nine steps toward safer, stronger passwords--and toward keeping them that way--both in the real and mobile office.
1.

Use complex passwords: Whether you've been flying by the seat of your pants or
are a full-fledged security wonk, go back to the basics. "Those are things that everyone tends to slack on," Slain said, because ignoring the obvious steps is easy to do. The first of those steps: Use complex passwords. That means a case-sensitive combination of letters, numbers, and special characters--at least eight in total. Because "complex" can sometimes mean "easy to forget," Slain suggests using memorable phrases broken up by spaces, special characters, and/or numbers. "Those can create pretty robust passwords that are a lot easier to remember," Slain said.

2. Don't reuse passwords: This one's a must, yet it remains a common danger. Employees that use the same password across multiple systems--often both professional and personal--to keep things simple can turn a minor, isolated issue into a major security breach. Slain points to the recent Zappos case that exposed external customer passwords as an example. Unique passwords help stop the bleeding much faster if a password is leaked or stolen--otherwise access to a Twitter account can suddenly turn into bank accounts, health information, customer databases, and other sensitive areas. The bare minimum practice, Slain said, should be to not re-use credentials for sensitive applications such as financial information across less sensitive--and often less secure-areas such as a blog publishing tool.

3.

Change passwords regularly: It's the last piece of the holy trinity: Change your
virtual locks regularly to further minimize risks. Slain recommends updating credentials at least every 60 days; better yet, do it every 30.

Go Beyond Basics
4.

Double-down on email accounts: Slain thinks too many SMBs get lazy with their email passwords, leading to larger-scale problems "Those are the holy grail for thieves," he said, particularly for online applications that use the ubiquitous "Forgot Password" feature. When a hacker gains control of employee email credentials, it can turn into an all-you-can-eat data buffet--particular if that those credentials were re-used across other systems. Email breaches can also lead to increased spear phishing and social engineering risks. Treat email with a similar level of caution as bank and other high-risk accounts. Restrict application settings: Particularly for online and mobile applications,
it's a good idea to modify security and privacy settings to the most locked-down options. Be leery of new applications and consider using a secondary email address outside of the corporate system when testing or signing up for new online tools.

5.

6.

Consider a password wallet: One password pitfall common inside SMB offices
is found in password sharing among workgroups and team members. This can lead to weak security habits, both of the analog (Post-it Notes on the monitor, yelling passwords over the cubicle wall) and digital variety (passwords shared via email, IM, and related means). A password manager or wallet application built specifically for teams can automate and secure credentials for systems that require multi-party access. "That way it's easy to organize all of your different corporate passwords, keep them changed, and make sure everyone knows what those changes are," Slain said.

Manage the Mobile Morass

7.

Use a device-lock app: The mobile era has compounded the potential security threats inherent in password breaches. A lost or stolen device, for starters, can become a nightmare for the unprepared SMB. Begin by requiring--or at least strongly encouraging--staff to use a device-lock feature or app. Set it to time out automatically at one minute or less of inactivity. Don't jailbreak or root phones: This one's likely to be a particular concern for
SMBs that encourage employees to bring their own device to work. Users that jailbreak their iPhone or root their Android device could be bringing increased security risks onto the corporate network. Consider a policy restriction that bans such devices for company use.

8.

9.

Fully exit apps: Slain recommends users sign out and exit business apps when not in use rather than leaving them running in the background. That's a step that sounds easy but sometimes involves more than just closing it, depending on the phone and its operating system. iPhone users, Slain points out, must double-click the bottom button, find the app in a list, tap its icon, and then tap the minus sign that appears.