Passwords, security and managers: what is current best practice

10 February 2020

Password security is a trade-off between strength and ease of use. Many cyber security specialists now recommend moving away from complex, hard-to-remember character strings, and changing passwords less frequently rather than on a fixed schedule. Nigel Morris from BDO’s Technology Advisory Services (TAS) team explores the best practices that will make your company more secure and your employees’ lives a lot easier.

Where there’s a password, there’s a risk of a security breach. Over the last three decades, businesses have relied on password rules that produce strings which are hard for humans to remember but easy for computers to guess. Combine this with the ever-expanding number of logins your employees hold, both at work and in their personal lives, and the expectation that no password is used more than once, and the situation begins to look unmanageable.

If your IT passwords consist of random characters that can’t be memorised, your employees are probably writing them down. We’ve all seen passwords on post-it notes stuck to computer screens. When prompted to change a password, they may simply increment a number (‘myp4ssword1’, ‘myp4ssword2’, ‘myp4ssword3’, and so on), or they may use the same password for multiple systems. All of these habits create weaknesses in your cyber security that an attacker can exploit. To ensure your IT manager is handling password security in the right manner, talk to them about password entropy and your company’s password expiration policy.

Understanding password entropy

Password entropy is a measure of how unpredictable a password is, and therefore how much work it takes to crack by guessing. It is expressed in bits and, for a password chosen at random, depends on two factors: the size of the character set (which grows as you add lowercase, uppercase, digits and symbols) and the password length. The entropy of a random password is the length multiplied by the base-2 logarithm of the character set size, so each extra character adds the same number of bits, whereas widening the character set adds bits only gradually. The wider the character set and the longer the password, the more difficult it is to crack. Best practice was once a minimum of eight characters selected from the extended character set. However, cracking speeds have risen sharply with faster CPUs and, above all, graphics processors (GPUs), which run brute force and dictionary attacks against weakly hashed passwords at billions of guesses per second, so eight characters is no longer enough.

Easy to remember, but hard to crack

Password entropy should not be the only consideration, because passwords can become so long and complex that nobody can remember them. Think about employing a password policy built on creating something memorable to the user but not easily guessed by anyone else. As length is the factor that contributes most to password entropy and overall strength, a longer, memorable password can be stronger than a shorter, more complex one. Examples include:

  • Combining three or four unrelated words, perhaps capitalising the third character of each word if there are three words, or the fourth if there are four, to aid recall
  • Taking a memorable phrase and using the first letter of each word to build the password, for example, ‘the first time I saw a giraffe was when I was on safari’ becomes ‘tftisagwwiwos’. Bear in mind that initial letters of English words are not evenly distributed, so such a password has less real entropy than a genuinely random string of the same length
  • Creating a personal algorithm by using one of the options above and adding the name of the system you’re logging onto at the end. This gives a strong, memorable password that can be varied across systems without outright duplication. The caveat is that if one such password is exposed in a breach, the pattern is visible and an attacker can derive the others, so treat this as a stop-gap and prefer a password manager where one is available

Where the system permits it, it’s also worth including at least one upper case letter, one lower case letter, one number and one special character.
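The entropy figures above are easy to compute, and the calculation makes the trade-off between length and character set concrete. The following Python is an added example, not code from the original article or from BDO: it computes the entropy of random character passwords and word-based passphrases, estimates the expected cracking time at an assumed guess rate, and scores the page’s own example strings. The guess rate of ten billion per second and the 7,776-word list size are assumptions chosen for illustration, and the per-string estimate is an upper bound because it treats every character as if it were chosen at random.

```python
import math

# Character set sizes: assumptions for a standard keyboard / printable ASCII.
LOWER, DIGITS, UPPER, SYMBOLS = 26, 10, 26, 33

# Assumed attacker capability: a GPU rig against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10
# Assumed word list size (the common 7,776-word "diceware" style list).
WORDLIST_SIZE = 7776


def char_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of `length` characters, each picked uniformly
    at random from `charset_size` candidates: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def word_entropy_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words picked uniformly from a list."""
    return words * math.log2(wordlist_size)


def estimate_bits(password: str) -> float:
    """Upper-bound entropy of a given string: detect which character classes
    it uses and treat every character as a uniform pick from that union.
    A human-chosen string (dictionary words, initial letters of a phrase)
    is far more predictable than this number suggests."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return char_entropy_bits(len(password), size) if size else 0.0


def expected_crack_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password by exhaustive search: on average
    half of the 2**bits keyspace has to be tried."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(label: str, bits: float) -> str:
    return f"{label:<42} {bits:6.1f} bits  ~{human_duration(expected_crack_seconds(bits))}"


if __name__ == "__main__":
    print(report("8 random chars, full keyboard", char_entropy_bits(8, LOWER + UPPER + DIGITS + SYMBOLS)))
    print(report("12 random lowercase letters", char_entropy_bits(12, LOWER)))
    print(report("4 random words", word_entropy_bits(4)))
    print(report("5 random words", word_entropy_bits(5)))
    # The page's own examples, scored as an upper bound only.
    print(report("'tftisagwwiwos' (upper bound)", estimate_bits("tftisagwwiwos")))
    print(report("'myp4ssword1' (upper bound)", estimate_bits("myp4ssword1")))
```

Run as a script it prints one line per case. The comparison worth noticing is that twelve random lowercase letters beat eight characters drawn from the whole keyboard, and that a fifth random word roughly triples the years of expected cracking effort compared with four, which is why length and word count matter more than symbol rules.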

In it for the long run

As the board member responsible for IT, you need your employees to be using strong, secure and unique passwords all the time. A 90-day rotation rule works against this. Decades ago, cracking a password might have taken 90 days; today a weak password falls in seconds, and a strong one is not made weaker by being kept. If a password has been compromised, the damage is usually done long before the scheduled change, and forced rotation pushes employees towards the predictable variations (‘myp4ssword2’, ‘myp4ssword3’) that attackers try first. Current guidance from bodies such as NIST (Special Publication 800-63B) is to require a change only when there is evidence of compromise. Regular password changing gives the impression of a secure IT system, but may be doing your business more harm than good, and frustrating your employees in the process.
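The habits described above (incrementing a digit, swapping letters for look-alike numbers, reusing a password that has already leaked) can be caught at the moment a new password is set, which is a better control than a calendar. The following Python is an added example, not code from the original article or from BDO: a password-change check that rejects short passwords, passwords containing the username, near-copies of the previous password, and anything that matches a denylist of breached passwords once case, common letter-to-digit substitutions and trailing digits are ignored. The twelve-character minimum and the tiny denylist are assumptions for the demo; a real deployment would check against a large breached-password corpus.

```python
import re

MIN_LENGTH = 12  # assumed policy minimum for this example

# Constructed sample denylist; stands in for a large breached-password list.
BREACHED = {"password", "password1", "qwerty123", "letmein", "welcome1", "myp4ssword1"}

# Undo the most common "leet" substitutions so 'p4ssw0rd' folds to 'password'.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})


def canonical(password: str) -> str:
    """Reduce a password to the 'shape' an attacker would guess from:
    lower-case it, drop trailing digits/symbols (the '1', '2', '3' suffixes),
    then undo leet substitutions.  'MyP4ssword2!' -> 'mypassword'."""
    folded = password.lower()
    folded = re.sub(r"[\d\W_]+$", "", folded)  # strip trailing digits/symbols first
    return folded.translate(LEET)


BREACHED_CANONICAL = {canonical(p) for p in BREACHED}


def validate_new_password(new: str, old: str = None, username: str = None) -> list:
    """Return a list of reason codes; an empty list means the password is acceptable."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("too_short")
    if username and username.lower() in new.lower():
        reasons.append("contains_username")
    if new.lower() in BREACHED or canonical(new) in BREACHED_CANONICAL:
        reasons.append("breached")
    if old is not None and canonical(new) == canonical(old):
        reasons.append("too_similar")
    return reasons


if __name__ == "__main__":
    cases = [
        ("myp4ssword2", "myp4ssword1", "alice"),           # the rotation habit
        ("Welcome2024!", None, "alice"),                   # leaked pattern with a new year
        ("Alice-Autumn-2020", None, "alice"),              # built around the username
        ("SafariGiraffeFirstTime", "myp4ssword1", "alice"),  # long, memorable, new
    ]
    for new, old, user in cases:
        verdict = validate_new_password(new, old, user) or ["ok"]
        print(f"{new!r}: {', '.join(verdict)}")
```

The canonical form is deliberately lossy: it treats ‘Welcome2024!’ and ‘welcome1’ as the same password, which is exactly what a cracking rule set would do. The check is run on the server at change time and never needs the old password stored in clear; comparing against the previous password's canonical form is enough.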

The rise of the password manager

Another route to consider is the password manager. Password managers are applications that generate, store and autofill your employees’ passwords. This makes it easy for users to have a different, randomly generated password for every system, service and website without having to commit any of them to memory. The stored passwords are kept in an encrypted vault whose key is derived from the user’s master password, which in a well-designed manager allows the vault to be synchronised between devices without the provider being able to read it. The downside is that the master password becomes a single point of failure: everything in the vault depends on it, so it must be long, unique and memorable, and the manager account should itself be protected with multi-factor authentication. Weigh up the advantages and disadvantages of implementing a password manager before making the decision.
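To see why the master password matters so much, it helps to model what an attacker does with a stolen vault file. The following Python is an added example, not code from the original article, from BDO, or from any particular password manager: it derives a vault key from the master password with a slow, salted key derivation function (scrypt from the standard library), stores a key-check value so the application can tell whether an entered master password is correct, and then runs the same check the way an attacker would, offline, against a word list. The scrypt cost parameters, the key-check construction and the candidate word list are assumptions for the demo; real vault formats differ in detail but share the principle.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost for the demo (about 16 MiB of memory per guess).
KDF_PARAMS = dict(n=2 ** 14, r=8, p=1)
KEY_CHECK_LABEL = b"vault-key-check"  # assumed fixed label for the check value


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Slow, salted derivation of the 256-bit key that encrypts the vault."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          dklen=32, **KDF_PARAMS)


def create_vault_header(master_password: str) -> dict:
    """What a manager writes alongside the encrypted vault: a random salt and
    a key-check value (an HMAC under the derived key) so it can validate the
    master password without storing it."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    check = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(header: dict, candidate: str) -> bool:
    """True if `candidate` derives the key that produced the stored check value."""
    key = derive_vault_key(candidate, header["salt"])
    tag = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(tag, header["check"])


def offline_guess(header: dict, wordlist) -> tuple:
    """An attacker holding the vault file: try each candidate offline, with no
    lockout to stop them.  Returns (recovered_password_or_None, guesses_made)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if unlock(header, candidate):
            return candidate, guesses
    return None, guesses


# Constructed word list of the kind a cracking rig would try first.
COMMON_GUESSES = ["password", "Password1", "letmein", "Summer2019!",
                  "Welcome123", "qwerty123"]

if __name__ == "__main__":
    weak = create_vault_header("Summer2019!")
    strong = create_vault_header("giraffe safari kettle ninety")
    print("weak master:  ", offline_guess(weak, COMMON_GUESSES))
    print("strong master:", offline_guess(strong, COMMON_GUESSES))
```

Two things follow from the model. The KDF cost multiplies the attacker’s work per guess, which is why managers use scrypt, Argon2 or PBKDF2 with high iteration counts rather than a plain hash, but it only multiplies: a master password drawn from a small candidate set is still recovered after a small number of guesses, while one with tens of bits of entropy pushes the same attack out of reach. Keeping the vault file out of attackers’ hands is not a substitute for either.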

Putting it all together

Is it time for your IT manager to evaluate your company password policy? Are your employees required to change passwords on a regular basis? Is there a tendency to use incomprehensible and complex passwords that cause frustration? If so, make the change and ensure your employees are using high-entropy but memorable passwords. Also consider the potential of password managers, and ensure password policy is included in your wider security audits. For additional security you should implement multi-factor authentication (MFA): if a password is exposed, this extra layer of protection limits what an attacker can do with it. See our previous article Multi-factor authentication (MFA): what you need to know and how it affects your business. Whatever route you take, make sure you have a password policy that works for your business and your employees.

The BDO difference

Here at BDO, we understand the challenges that the non-technical board member faces when they become responsible for IT. Our Technology Advisory Service (TAS) team has an extensive hands-on track record of delivering strategic, operational and technical IT advisory services. We’ve developed our services with the non-technical board director in mind and we provide management and support services to suit each client’s needs.

Please contact Nigel Morris to find out more about our practical independent advice and IT support services.
