How we're failing with password security

Kristina: Password security has been a buzzed about phrase for a few years, and yet still it seems like most people ignore it. Why is that?

Bill Carey, Vice President of Marketing/Business Development, Siber Systems: Passwords are absolutely essential to restrict access to valid users. Unfortunately, our list of passwords keeps growing. It's now common for a typical computer user to have 20 to 30 different passwords or more. The main reason people ignore common password security practices is that they cannot remember more than three to five strong passwords at a time. And when users need to change their passwords frequently, it becomes increasingly difficult. Because of the difficulty involved, users often:

• Forget their passwords, which requires numerous calls to the helpdesk to retrieve or reset their passwords.
• Write down their passwords or store passwords in unsecured files on their computer, which reduces the effectiveness of a secure password.
• Rely on the browser, cookies or an unsecured website to remember their passwords.
• Use simple and easy to remember passwords that can be compromised without difficulty.
• Recycle and reuse combinations of the same passwords.

Kristina: On a personal level, many people have upgraded their security passwords or questions. Why aren't they also making that change for their professional accounts?

Bill: Many times professional accounts do not have security questions. In a typical corporate setting, the IT department is focused on the password. The company may put into place certain parameters for establishing a strong password such as:

• Passwords must be a least 6-8 characters long.
• Passwords should never be a common word found in the dictionary and should contain at least one letter and one digit. Even stronger passwords should contain at least one punctuation mark or special character.
• Passwords should contain a mix of uppercase and lowercase letters.
• Passwords should be changed every 30 days.

But there is typically no easy way for users to recover their password if it is forgotten. In most cases, the user will have to call the IT department to request a password reset. There is usually no way to do a reset by answering security questions.

More from Bill and Siber Systems tomorrow, including his top tips for overhauling business password plans.

Tags: business security, online passwords, online security, Siber Systems