Passwords

BCLP
Contact
LinkedIn
Facebook
X
Send
Embed

Passwords have become ubiquitous such that many consumers, and many employees, may have dozens of passwords that permit them to access dozens of different systems, services, networks or terminals.  From a corporate perspective, many companies have at least two policies that impact passwords – a password selection or management policy, and a security policy that may include how passwords maintained by the company are secured.

A password selection or management policy discusses an organization’s standards for password assignment, and password strength (i.e., how complex the password that a user selects must be in order to avoid the password from being stolen or guessed).  For organizations that maintain lists of passwords, several states have enacted legislation that require the organization to “implement and maintain reasonable security measures to protect” the username and passwords that are in their possession.  As a result, whether the organization maintains a system that allows third party users to create password controlled accounts is often a factor that is considered when conducting a data inventory or a data security assessment.  One of the primary concerns is that even if the service or database for which the username and password are used may not be sensitive, or house other categories of sensitive information, people often re-use their usernames and passwords for multiple services or systems.  As a result, if a bad actor is able to obtain a username and password for an individual that relates to a non-sensitive system maintained by one organization, the bad actor may be able to leverage those credentials to try to access a sensitive system held by a different organization.

10%

Percentage of people that use one of the top 25 “worst” passwords (i.e., most easily guessed by hackers). 1

4%

Percentage of people that one study found 
still use the password "123456." 2 

81% 

Percentage of hacking-related data breaches that 
leveraged a weak or stolen password. 3

What to think about when designing or reviewing a password selection or use policy:

  1. The more characters required for a password generally the more difficult it is for an attacker to guess a password. Consider whether it is practical to require a long password (e.g., twelve or more characters).
  2. If only alphabetic characters are allowed there are only 26 different combinations that an attacker needs to consider for each character of the password. Allowing (or requiring) a larger character set increases the number of possible combinations. As a result consider making passwords case sensitive (i.e., increasing the range of possibilities by an additional 26 characters), alphanumeric (increasing the range of possibilities by an additional 10 characters), and include symbols (further increasing the range of possibilities for each character).

1  https://www.teamsid.com/worst-passwords-2016/ (last viewed June 2017).

2  https://www.teamsid.com/worst-passwords-2016/ (last viewed June 2017).

3  Verizon, 2017 Data Breach Investigations Report at 3 (10th Ed.).

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BCLP

Written by:

BCLP
BCLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

BCLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide