When it comes to protecting data, one of the biggest challenges for IT is getting users to follow best practices for password protection. However, many organizations try to enforce practices that do little to actually make passwords more secure.
Here are a few of the most common password security myths many companies still believe:
1. Special characters are what matters
Users are often advised to create passwords using a variety of character types — capital and lowercase letters, punctuation marks, etc. The thinking goes that when the character set is limited to just lowercase letters, passwords are easier to guess in brute force or dictionary attacks.
While that makes sense, incorporating variety doesn’t have nearly as big an impact as simply increasing the length of the password, according to a new infographic posted by McAfee’s Robert Siciliano.
The security firm offers the example of the password “Br3ak1ead&7”. If a hacker used a software tool that could guess 1,000 passwords per second, it would take three days to crack the account.
In comparison, the password “thunder showers before sunset” would take 550 years to crack using the same tool. On the surface, it seems simpler, but the greatly increased length makes a big difference.
McAfee recommends using multi-word phrases, with spaces between words when sites allow them, and dashes when they don’t.
2. Password checkers guarantee complexity
Many websites and software programs try to enforce password security by requiring passwords of a certain length and with certain elements.
For example, Microsoft’s Active Directory requires passwords to be at least six characters, and use three out of the five character types (lowercase letters, capital letters, numbers, non-alphanumeric characters, and Unicode characters).
So what do many business users choose for a password? “Password1”, according to a study from IT security firm Trustwave. It’s technically “complex” enough to meet the software’s requirements, but it would still be easy for a hacker to guess.
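Myths 1 and 2 come down to the same point: a complexity checker measures the wrong thing. The script below is an added example written for this article, not code from McAfee, Trustwave or Microsoft. It approximates the Active Directory three-of-five rule described above, estimates exhaustive-search effort from a password's length and character categories, and checks a small constructed denylist of the kind a breached-password list provides. The per-category pool sizes, the 1,000 guesses per second rate and the denylist contents are assumptions; the figures it prints will not match McAfee's infographic, which uses its own attack model.

```python
import string

# Constructed denylist standing in for a real breached-password list (the kind
# Trustwave's study drew on); production systems would load a far larger list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345", "qwerty", "letmein", "welcome1",
}

# Assumed pool size per category for an exhaustive search. 33 is the 32
# printable ASCII punctuation characters plus space; the Unicode figure is a
# rough stand-in, since the real pool depends on the script being used.
POOL_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33, "unicode": 1000}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def ad_categories(pw: str) -> set:
    """Return the character categories present in pw.

    Approximates the five categories Active Directory's complexity rule counts:
    uppercase, lowercase, digits, non-alphanumeric ASCII, and non-ASCII letters.
    """
    cats = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        elif ch.isascii():
            cats.add("symbol")  # punctuation and space
        elif ch.isalpha():
            cats.add("unicode")
    return cats


def meets_ad_complexity(pw: str, min_len: int = 6) -> bool:
    """The AD-style rule from the article: at least min_len characters and 3 of 5 categories."""
    return len(pw) >= min_len and len(ad_categories(pw)) >= 3


def keyspace(pw: str) -> int:
    """Candidates an exhaustive search over pw's categories and length must cover."""
    pool = sum(POOL_SIZES[c] for c in ad_categories(pw))
    return pool ** len(pw)


def is_denylisted(pw: str) -> bool:
    return pw.lower() in COMMON_PASSWORDS


def estimated_guesses(pw: str) -> int:
    """Upper bound on the guesses an attacker needs.

    A denylisted password falls to a dictionary pass no larger than the list
    itself, so its keyspace figure is irrelevant.
    """
    if is_denylisted(pw):
        return len(COMMON_PASSWORDS)
    return keyspace(pw)


def crack_time_years(pw: str, guesses_per_second: int = 1000) -> float:
    """Years to exhaust estimated_guesses at the article's assumed 1,000 guesses/s."""
    return estimated_guesses(pw) / guesses_per_second / SECONDS_PER_YEAR


def evaluate(pw: str) -> dict:
    return {
        "complexity_ok": meets_ad_complexity(pw),
        "denylisted": is_denylisted(pw),
        "categories": len(ad_categories(pw)),
        "length": len(pw),
        "crack_years_at_1000ps": crack_time_years(pw),
    }


if __name__ == "__main__":
    for pw in ("Password1", "Br3ak1ead&7", "thunder showers before sunset",
               "Aa1!Aa1!", "a" * 14):
        print(repr(pw), evaluate(pw))
```

Running it shows the two myths side by side: “Password1” passes the three-of-five rule but sits in the denylist, so it falls in well under a second, while “thunder showers before sunset” fails the rule (only lowercase letters and spaces) yet has a keyspace many orders of magnitude larger than “Br3ak1ead&7”. The last two inputs make the length point directly: 14 lowercase letters outnumber 8 characters drawn from all four ASCII categories.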
3. IT employees know better
Actually, IT staffers likely know better than regular end users why secure passwords are important — but that doesn’t always mean they behave as if they do.
Many cyber attacks are carried out by exploiting the default passwords used for networking equipment, software systems and other items administered by IT departments. For example, a group of TV stations recently had their emergency broadcast systems infiltrated because their IT employees never changed the passwords for some equipment after it was shipped by the manufacturer.
IT departments need to set a good example regarding password security. That means making sure tech employees choose strong passwords for themselves, as well as that users are given accounts protected by strong passwords. For example, if a new employee starts and the password for her email account is “12345”, that sends a bad message about the importance of secure passwords.
4. Mandatory password resets are necessary
Some organizations require users to periodically change the passwords for their accounts. However, that may be an outdated way to enforce password security, according to Paul Ducklin and Chester Wisniewski of Sophos.
In fact, those requirements can be a negative because they force users to choose simpler passwords that are easier to remember. The only time users really need to change their passwords? When there’s reason to believe their credentials have been compromised, Ducklin and Wisniewski say.
5. What’s true about password protection today will remain true
One thing to keep in mind as IT departments set password security rules: Hackers’ methods for getting into accounts are evolving along with password protection trends.
New tools can help cyber criminals crack more difficult passwords. For example, security researchers at Carnegie Mellon University recently demonstrated a new password-cracking algorithm that can understand grammar to crack passwords built from phrases.
The key to better password protection: Continually update policies and tips for choosing secure passwords. And, as many experts point out, it may be time to stop relying so heavily on passwords and use other methods such as two-factor authentication for the most sensitive accounts.