Picky About Passwords: From Retina Scans to Password Audits, Tips to Keep Your Computer Secure

They’re your first line of defense, and sometimes your only line. In today’s world, passwords are a vital part of protecting your assets. Yet with all the concern around information security, they too often get overlooked. Every month, computer processing power increases, and the available password-cracking tools operate more efficiently. And every month, more people are victims of hackers because they make common password mistakes they could have avoided. Fortunately, technology is also advancing to help relieve the security headaches of companies and individuals alike. By following a simple set of best practices for choosing and managing passwords, a company can strengthen its first line of defense.

Performing a password audit during an annual technology risk assessment is a smart way for organizations of all sizes to assess security. Together, a manual review of system controls (password requirements) and an automated dictionary and brute-force attack using password-cracking tools simulate what a malicious, knowledgeable insider might do to gain access with minimal effort. Once you’ve tracked and exposed the areas of weakness, you can implement safeguards to strengthen or eliminate them.

Two-Factor Authentication



Passwords are used to authenticate a user. For those serious about authentication, one way to strengthen security is to implement Two-Factor Authentication. While Two-Factor Authentication has historically been more costly, intrusive, and complex to integrate, it is becoming more widely accepted, which is driving down costs and simplifying integration. It takes a layered approach to protecting users, combining what you know (your password) with a second form of verification: what you have (smart card, digital certificate) or who you are (biometrics).

A smart card is similar to the cards often used for secure building access. The computer user must scan their smart card on an attached reader in conjunction with entering the correct password to access their computer. As an added bonus, some smart cards also support encryption.

Public Key Infrastructure, or PKI for short, provides a digital certificate that can identify an individual or an organization. It is a way for computers that do not know each other to verify that they are who they say they are. Essentially, it is a relationship of trust. I know you, and I also know my friend Steve. When I introduce you to Steve, Steve trusts that you are who I say you are, and likewise.

Biometric devices interpret unique fingerprint, voice, or retina scan results to identify a person. This is the most accurate way to verify who you are. It is also, however, the most invasive (using a body part to authenticate oneself), which isn’t always viewed positively by the public.

As Two-Factor Authentication becomes easier to integrate and demand rises, the cost of implementation will continue to drop. However, for many, the immediate concern is — what can be done about my password today? Perhaps the easiest solution is to begin at the source — the password itself. Following a few simple tips for choosing a password will not only increase the security of your computer, but your peace of mind as well.

Best Practices for Password Protection

  1. Choose a good password. Easy for you to remember usually means easy to figure out. The typical user has so many passwords to keep track of that they often choose passwords that are far too simple, such as “password1,” “1234567,” “engineer,” “attorney,” or their last name. These simple passwords take only minutes to crack. Passwords should be at least eight characters, more if possible. Use upper and lower case letters, numbers, and symbols mixed together. Use Leetspeak, or digital slang, made common with instant and text messaging. And remember, the longer and more complex the password, the harder it is to crack.

  2. Change it like you change your oil. Passwords require maintenance just like your car. They need to be changed to continue to give you reliable service. About every 90 days, change your password. 

  3. If you need to write it down, write it somewhere safe. A sticky note on your monitor or under your desk blotter is not a safe place. No visible or easily guessed location is safe. If you need to write your password down, write it somewhere confidential. Better yet, keep it in a locked location.
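The first two practices above can be enforced as system controls. The following is an added example, not part of the original article: a check to run when a password is set, plus an age audit over account records. The function names, the deny-list contents, and the sample accounts are assumptions constructed for illustration.

```python
import re
from datetime import date

# Deny-list built from the weak choices the article names (constructed sample).
COMMON = {"password", "1234567", "engineer", "attorney"}
MIN_LENGTH = 8       # "at least eight characters"
MAX_AGE_DAYS = 90    # "about every 90 days"
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]

def password_findings(password, last_name=""):
    """Return the policy violations for a candidate password at set time."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if any(not re.search(c, password) for c in CLASSES):
        findings.append("missing_character_classes")
    # Strip trailing digits/symbols so "password1" still matches "password".
    lowered = password.lower()
    base = re.sub(r"[^a-z]+$", "", lowered)
    deny = COMMON | ({last_name.lower()} if last_name else set())
    if lowered in deny or base in deny:
        findings.append("common_or_personal")
    return findings

def stale_accounts(accounts, today):
    """Return users whose password is older than MAX_AGE_DAYS."""
    return [a["user"] for a in accounts
            if (today - a["last_changed"]).days > MAX_AGE_DAYS]

# Constructed account records: user name and date of last password change.
SAMPLE_ACCOUNTS = [
    {"user": "asmith", "last_changed": date(2024, 1, 15)},
    {"user": "bjones", "last_changed": date(2024, 4, 20)},
    {"user": "clee", "last_changed": date(2024, 3, 3)},  # exactly 90 days
]
TODAY = date(2024, 6, 1)  # constructed audit date

if __name__ == "__main__":
    for pw, name in [("password1", ""), ("Rivera#42", "Rivera"),
                     ("Tr4il-Mix&Maps", "")]:
        print(pw, password_findings(pw, name))
    print("stale:", stale_accounts(SAMPLE_ACCOUNTS, TODAY))
```
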

It only takes one weak password to compromise a company’s security. If a malicious, knowledgeable insider gets their hands on encrypted password files, proprietary data or trade secrets could be lost. It’s the personal responsibility of each individual to choose a good, strong password, change that password routinely, and keep it safe — at least until those retina scanners come down in price!

About the Author

Kevin Patterson is the director of technology risk management for the Pittsburgh office of Jefferson Wells. He can be reached at 412-316-3160, or via email at kevin.patterson@jeffersonwells.com.

Jefferson Wells is a global provider of professional services in the areas of internal audit and controls, technology risk management, tax, and finance and accounting. It serves clients, including Fortune 500 and Global 1000 companies, from more than 50 offices worldwide.

