Enterprises looking to maintain IT infrastructure integrity and deter hackers from attacking employees' passwords can tap software and simple guidelines to generate secure passwords, according to a security specialist.
Ronnie Ng, Symantec's manager of systems engineering in Singapore and Indonesia, noted that systems and configuration management software includes components and policies that allow IT administrators to enforce strong password guidelines within the organization.
Recent security incidents have made the need for robust passwords more pressing. Last month, 20,000 passwords obtained from a phishing scam turned up on a third-party Web site, revealing login credentials to Windows Live Hotmail, Gmail and Yahoo Mail accounts, among others. A subsequent analysis of the compromised passwords revealed that many users had been lax about creating secure passwords.
Viruses such as Conficker and Gumblar have already attacked the IT infrastructure of organizations such as the Australia and New Zealand Banking Group.
With these in mind, here are five considerations for strengthening passwords and the password-generating process, for both work and play.
- Use tools that automatically generate random passwords
IT professionals, Symantec's Ng noted, should make use of business software that allows the automatic generation of random passwords on a fixed schedule.
"So even if a certain password somehow becomes compromised, it will only be good until the randomization expires, and it will only apply to [a] particular computer," said Ng.
- Use alphanumeric characters and unique symbols to create stronger passwords
A mixture of upper and lower case letters, numbers and symbols will make passwords tough for hackers to crack. Employing this approach will make passwords "as meaningless and random as possible", according to Ng.
Tech author and columnist J.D. Biersdorfer noted in a video for the New York Times that such characters and symbols should also be worked into the answers to your challenge questions.
- Instead of mnemonics, try a 'pass-phrase'
Researchers at Carnegie Mellon University in the United States have found that using mnemonics, which require users to generate a password from the first letter of every word in a sentence, is not as secure as initially thought.
According to a Newsweek article, 144 volunteers were each asked to create a mnemonic password in a study conducted in 2006. The researchers then built a simple program to scour the Web for famous quotes, ad slogans, song lyrics and nursery rhymes, amassing 249,000 entries. Using this list, which is a relatively small universe of phrases by security standards, the researchers cracked 4 percent of the group's mnemonic passwords, showing that the method is fallible.
Far more secure are pass-phrases such as "du-bi-du-bi-dub", which would withstand a brute force attack--in which a hacker attempts "a", then "ab", then "abc", and so on--for "531,855,448,467 years", according to the report. So think of long but easy-to-remember phrases the next time you generate a password.
- Change passwords periodically
According to Symantec's Ng, organizations should incorporate system prompts to alert employees to change their password every 45 to 60 days. Frequent password changes result in higher security, making it more difficult for intruders to access company data using outdated passwords. "But do strike a balance as overly frequent changes may hinder productivity," he noted.
- Avoid generating passwords using personal information
Internet users share a common headache: there are too many passwords to remember. Today, with Web-based e-mail programs, Internet banking accounts, instant messaging tools and corporate office computers among the more common systems requiring a password to authenticate entry, it is hard work for users to remember them all.
However, users should not base passwords on the convenience of their personal information, Ng pointed out. Such data include names, nicknames and birth dates.
Sarah Palin, former Governor of the U.S. state of Alaska, is a cautionary tale. Last year, her personal e-mail account was hacked into by a student who simply searched the Web to find Palin's birth date, postal code and where she had met her husband, and used them to crack her security code.
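The composition rule, the random-generation advice and the "no personal information" rule above can be enforced together by a simple policy check. The following is an added example written for this article, not Symantec's software or anything from the quoted sources; the length thresholds, the symbol set, the date formats and the sample user "Alice" are all assumptions made for the illustration.

```python
import secrets
import string
from datetime import date

# The four character classes the article says to mix; the length limits are
# assumed policy values, not figures from the article.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
MIN_LENGTH = 12
PASSPHRASE_LENGTH = 20  # at this length, missing classes are tolerated
CLASS_CHECKS = (("lowercase", str.islower), ("uppercase", str.isupper),
                ("digit", str.isdigit), ("symbol", lambda c: c in SYMBOLS))
DATE_FORMATS = ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y")

def personal_tokens(profile):
    # Lower-case strings a user might embed: names, nickname, birth date forms.
    tokens = {profile[k].lower() for k in ("first_name", "last_name", "nickname")
              if len(profile.get(k, "")) >= 3}
    if profile.get("birth_date"):
        tokens.update(profile["birth_date"].strftime(f) for f in DATE_FORMATS)
    return tokens

def policy_violations(password, profile=None):
    # Returns the list of broken rules; an empty list means the password passes.
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    missing = [name for name, test in CLASS_CHECKS
               if not any(test(c) for c in password)]
    if missing and len(password) < PASSPHRASE_LENGTH:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    for token in sorted(personal_tokens(profile or {})):
        if token in lowered:
            problems.append("contains personal information: " + token)
    return problems

def generate_random_password(length=16, profile=None):
    # Draw from the OS CSPRNG (secrets) until the candidate passes the policy.
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, profile):
            return candidate

# Constructed sample user for the check, not a real person.
USER = {"first_name": "Alice", "nickname": "Ali", "birth_date": date(1987, 5, 23)}
```

A password such as "Alice1987!" is rejected for being short and for containing the user's name and birth year, while a generated 16-character password passes every rule.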