Instituting Strong Password Guidelines and Policies



Earlier this year, in January, Google and Adobe were hacked by Chinese programmers. Information about their algorithms and intellectual property was stolen, along with the names of Gmail account holders whom the Chinese government viewed as dissidents. Later, at a security conference, the security firm HBGary was hacked, to its infinite embarrassment.

The first hack, on Google, was extremely sophisticated and came as a surprise to many of the people who learned of it. The second hack, on HBGary, combined software vulnerabilities with social engineering. In that case passwords were compromised because, at the corporate level, the company did not follow common sense guidelines about how to protect passwords.

The first attack was the 10% attack, meaning that even the most sophisticated firms (that is, 10% of all firms) cannot withstand this kind of encroachment, regardless of how sophisticated their models of protection are. The second attack was the 80-90% attack, meaning that anyone without proper common sense guidelines would be vulnerable. Most business enterprises fall in the 80-90% range and are vulnerable, but if their security policies are followed they will be protected from everything except the most sophisticated hacks. Here are some strong password guidelines that everyone should follow.

See Also: Why You Need an Information Security Policy

What is a Strong Password?

Passwords are the front line of defense. Many users find them inconvenient and will tape the password to their screen or use something obvious, like their own name, as the password. A strong password has multiple properties that together make it difficult for hackers to break in.

  • Length: Passwords should not be short; rather, 7-10 characters should be the minimum size.
  • Types of characters: Passwords should mix letters, numbers, upper and lower case, and even special symbols.
  • Obviousness: Passwords should not be decipherable just by looking at them. Substituting a 0 for o is not a g00d ch0ice.
  • Well known: Passwords should not be well-known words; a password of password is definitely out, but so is the name of the company that you work for.
  • Recurring: Passwords should not be reused; changing one letter or character in an old password, such as adding the number 1 at the end, does not make it secure.
  • Time frame: Passwords should be changed every 30-45 days.
  • Giving out passwords: Do not give out passwords to friends, co-workers, or anyone else. If you do, change them immediately afterward.
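As an added illustration (not code from the original article), here is a small Python checker that turns the guidelines above into an enforceable policy: minimum length, mixed character classes, common words after undoing substitutions such as 0 for o, trivial variants of the previous password, and the 45-day rotation window. The deny-list, the "three of four character classes" threshold and the 10-character minimum are assumptions chosen from the ranges the text gives.

```python
import re
from typing import List, Optional

# Constructed deny-list (assumption): stands in for a real common-password list plus
# the organisation's own name, which the guidelines say is never acceptable.
WELL_KNOWN = {"password", "acmecorp", "welcome", "letmein", "qwerty"}

# Undo the substitutions the guidelines call out (0 for o and friends) before comparing.
LEET = str.maketrans("0134@$!", "oleaasi")


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' reads as 'password'."""
    return pw.lower().translate(LEET)


def is_trivial_variant(new: str, old: str) -> bool:
    """True when the new password is the old one plus a short affix or a one-character edit."""
    a, b = normalize(new), normalize(old)
    if a.startswith(b) or b.startswith(a) or a.endswith(b) or b.endswith(a):
        return True
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1


def check_password(pw: str, previous: str = "", age_days: Optional[int] = None,
                   min_len: int = 10, max_age_days: int = 45) -> List[str]:
    """Return the guideline violations for pw; an empty list means it passes every check."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"length: fewer than {min_len} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")  # lower, upper, digit, symbol
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("types of characters: use at least three of lower, upper, digit, symbol")
    if any(word in normalize(pw) for word in WELL_KNOWN):
        problems.append("well known: contains a common word once substitutions are undone")
    if previous and is_trivial_variant(pw, previous):
        problems.append("recurring: too close to the previous password")
    if age_days is not None and age_days > max_age_days:
        problems.append(f"time frame: {age_days} days old, rotate within {max_age_days}")
    return problems


if __name__ == "__main__":
    for candidate, prev in [("P@ssw0rd1!", ""), ("Horse-Battery-Staple7", "Horse-Battery-Staple")]:
        print(candidate, "->", check_password(candidate, previous=prev) or "OK")
```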

See Also: What Is Your Employer’s Computer Security Policy?

What Hackers Look For

Why are strong passwords needed? Hackers look for the easiest way into a network or PC. Believe it or not, the easiest way for a hacker to enter a protected site is not to use some sophisticated technique à la Google. Rather, it is through social engineering. In fact the hack into HBGary was done just that way. A hacker called the company pretending to be an executive and asked for the password to get into the system (see the references section for more details). It was that simple, and it brought the house down.

Second, there are many tools that can be used to break passwords, but the stronger the password, the longer it will take to get into the system. This brings us to the second thing that hackers look for: quick access. If it takes them two or three hours or longer to break in, the hacker will probably quit.

So strong password guidelines include a password that is hard to break, that will take a long time to break, and that will be changed frequently.

For more information about security see: Security Basics - Components of Security Policies


Microsoft Safety and Security Center, retrieved at

