Why strong passwords aren’t enough – three tips for a better password policy

 By JOE HOWLAND
VC3

We recently heard an anecdote from a security executive that illustrates the need for much stronger password policies at municipalities.
(We altered the details of the anecdote to protect our source. However, the gist of the anecdote will make his point clear.)

An organization in Tennessee has 1,000 employees. During a security audit, 117 employees were found to be using the password “Volunteers2019.”
Immediately, the security executive implemented a stronger password policy that caused employees to reset their passwords and eliminated the chance of such a common password from being used in the future.

What’s interesting is that each employee selected their password individually, thinking it was unique! None of the 117 people knew about anyone else’s “unique” password.
Many employees know not to use “password” anymore, but a problem persists. Sports teams, TV shows, celebrities, pet names, and children’s names don’t make strong passwords.

They are too common.
Here are three ways tips for a better password policy—from good to better to best.

Good: Strong Passwords
Enforcing the use of strong passwords avoids the issue of employees choosing common or easily hackable words and phrases. Strong passwords may be:
Passphrases: A passphrase is a long phrase easy for you to remember (such as “Theredh0rseis2fast!”) but hard for hackers to guess. The longer a password, the more difficult it becomes to hack. You would still need to mix in a few numbers and symbols for good measure.
Complex Passwords: While not as memorable as a passphrase, a complex password involving a string of letters, numbers, and symbols can also still work as a less hackable password.

Strong passwords are a good tactic, but hackers can still crack them with enough effort.

Better: Password Manager
If you haven’t heard about password managers, they are services that automatically generate strong passwords, remember all your passwords, and encrypt them. Once implemented, they tend to work smoothly in the background and make your life easier. Some benefits include:
Automated generation of strong passwords: A password manager can automatically generate strong complex passwords for you and encrypt them.
Shoring up employee password weaknesses: With a password manager, employees cannot use weak passwords or reuse the same password across multiple accounts.
Ease to support adoption: Implementing a password policy becomes easier for employees resulting in a password policy that’s actually used and enforced.

Best: Two-Factor Authentication (2FA)
Despite what you may hear about its inconvenience, 2FA dramatically increases your login security.
Large reduction in the chance of getting hacked: In 2018, a Verizon Data Breach Investigations Report noted that 81% of company data breaches occur because of poor passwords. With 2FA, you add an extra step that makes it much, much more difficult for a hacker to succeed. While 2FA isn’t hacker-proof, it places an additional barrier—physical access to your smartphone—in front of the hacker to overcome.
Ease of use: 2FA works when you get a code through text messaging or an easy-to-install app (such as Duo Mobile or Microsoft Authenticator) that gives you a randomly generated code every 30 seconds or a “push notification” where you just press OK to confirm your login.
No IT investments or infrastructure needed: 2FA is cheap. It’s often baked into existing applications and the implementation generally involves receiving a text or installing a free app on a smartphone.

We encourage you to explore the options discussed above and implement the strongest password policies possible. Weak passwords put your city at risk.

About Joe Howland 
Joe has been in the IT industry for over 20 years and has extensive IT management experience that spans multiple industries. Joe joined VC3 in 2009. He is currently VC3’s Chief Information Security Officer and is responsible for VC3’s IT security as well as advising on security for VC3’s customers.