Password1234
We all know this isn’t a secure password, but at the same time, we all know at least one person (friend, family, co-worker, association) who literally uses the password above.
What you may also know is that basic password complexity requirements for associations can create a mountain of support tickets and cause you to be the most-disliked person in the IT department.
“Ugh. Why so long!? How am I supposed to REMEMBER all that?”
Apart from being customer support nightmares, these people also put the rest of the members of their association at risk for cyber attacks like unauthorized breaches.
Password security isn’t usually thought of as part of an association’s culture, but it really should be. Without a culture of security around your logins, you are likely to increase your vulnerability to cyber attacks, interruption of work, and dissatisfied customers. There are a few different layers to association cybersecurity, namely: password generation, technical aspects, and user adoption.
In our free ebook Overhauling Password Behavior at Your Association, we give you the tools to brush up on basic password complexity requirements for associations and their software and strategies on how to make sure they’re followed. Oh, and some tips about how to keep your password reset support ticket volume low by educating your members how to create (and remember!) secure passwords.
The trust your members have in your association starts disintegrating when you have to email them that your association has been the victim of an unauthorized breach due to password security issues. Members will not renew if their trust is gone.
In order to recognize (and overhaul, if necessary) the password behavior at your association, you’ll need some background on entropy, best practices for password complexity, and combating brute force hacking.
Let’s get started.
What is Entropy?
Entropy, specifically in regard to passwords, is a measure of how unpredictable a password is, or how difficult it is to guess. Entropy is measured in “bits.”
- Password is known = 0 bits
- Password can be guessed on first attempt 50% of time = 1 bit
- And so on
Nerd alert: The entropy of each password character is log base 2 of the number of characters in the set it was drawn from; multiply that by the number of characters in the password to get the password’s entropy.
Essentially, a password with X bits of entropy will take up to 2^X tries to guess by brute force.
Using more characters and/or using a larger character set causes entropy to rise by virtue of having more bits. Each bit added to the entropy makes it exponentially harder to hack a password.
When websites or applications require a minimum character length or set, they’re ensuring a certain level of entropy. This precaution is designed mainly to combat brute force cracking attempts, as we’ll discuss in detail further in this blog post. Obviously, if a password is known (from human error, phishing, or theft) then the level of entropy is useless.
There is no “right or wrong” with entropy—it’s simply that more bits is always better.
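To make the arithmetic concrete, here is a small calculator (an added example, not code from the post or the ebook) that applies the formula above: it works out which character classes a password draws on, multiplies the password length by log2 of the resulting set size, and turns the bits into a worst-case guess count and the years an attacker would need at a given guess rate. The class sizes (26 lowercase, 26 uppercase, 10 digits, 32 symbols) and the 1,000-guesses-per-second rate are assumptions chosen for the example.

```python
import math
import string

# Standard character classes. Which of these a password draws on decides the
# set size that goes into the entropy formula (sizes are an assumption of this example).
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def charset_size(password: str) -> int:
    """Size of the smallest union of standard classes that covers the password.

    Any character outside the four classes (space, non-ASCII) adds one each.
    """
    size = 0
    covered = set()
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered.update(chars)
    size += len({c for c in password if c not in covered})
    return size


def entropy_bits(password: str) -> float:
    """Entropy as the post defines it: length * log2(character-set size)."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def max_guesses(password: str) -> float:
    """Worst-case number of brute-force guesses: 2 ** entropy bits."""
    return 2.0 ** entropy_bits(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Years for an attacker at the given guess rate to try every combination."""
    return max_guesses(password) / guesses_per_second / (365 * 24 * 3600)


def compare(passwords, guesses_per_second=1000.0):
    """Rows of (password, set size, bits, years) for a side-by-side table."""
    return [
        (p, charset_size(p), round(entropy_bits(p), 1), years_to_exhaust(p, guesses_per_second))
        for p in passwords
    ]


if __name__ == "__main__":
    # Constructed sample passwords, including the one the post opens with.
    samples = ["password", "Password1234", "eat.Chocolate.for.breakfa$t."]
    for pw, size, bits, years in compare(samples):
        print(f"{pw:32} set={size:3d} bits={bits:6.1f} years@1000/s={years:.3g}")
```

Running it shows why length beats a bigger symbol set: going from "password" (26-character set, about 37.6 bits) to the 28-character passphrase (84-character set, about 179 bits) adds far more bits through length than the extra classes alone would.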
Best Practices for Password Complexity
Now that you understand the science of information entropy and how it relates to passwords, character count and set, let’s look at some practical tips that you can use to bolster the password behavior of your association members or coworkers.
Minimum Character Count
As discussed above, character count has the biggest effect on entropy—the more the better. In practice, eight characters is usually the minimum requirement for lower threat level websites and applications.
Financial institutions and other services that house important personal data often have a higher character count requirement. With modern cyber hacking techniques, minimum 13-character passwords are becoming more common.
It’s important to assess the threat level to your association when determining your minimum character count for password requirements.
Expanded Character Sets
Ah yes, the dreaded “Your password must include a symbol such as ! or *” command.
For some reason, most users seem to hate this requirement, along with the fact that they need a capital letter.
Is it slightly more trouble for the user? Yes.
Is it exponentially more difficult for an unauthorized breach of your information? Yes.
This requirement is fundamental to the security of your membership website or application. It’s absolutely necessary that your members understand that this added step is not frivolous—it’s helping to keep the entire environment of the association safer.
Combating Brute Force Hacking
We mentioned brute force hacking above, but to be absolutely clear, here’s a quick explanation:
A brute force attack is a trial-and-error method to try to obtain your password. Basically, automated software continually guesses (up to thousands of times per second) until it gets the right combination of letters, numbers or symbols.
Programs that are capable of this behavior are frighteningly widespread and it’s crucial to have safeguards in place to combat them.
Here are some ideas that can help decrease the chance of a brute force hack working its way through your passwords, but also increase the overall security for members and employees:
Threshold Governors
When a brute force attack occurs, many times it’s coming from one computer or bot. This means that the actions carried out (which are commonly setting up accounts, authentications, and password changes or resets) will usually come from the same IP address. Using a commonality, such as an IP address, you can prevent too many of these actions from occurring by instructing your system to recognize behavior that’s obviously not human.
Important: These brute force attacks, while potentially damaging if unauthorized access is gained, are also damaging without actually getting in. This is because the volume of actions requires your servers to complete certain tasks, and they have a limited capacity. Brute force password attempts and DDoS attacks can use your entire server capacity and render your website or application useless to everyday members trying to carry out lawful actions.
Using threshold governors means that individual users can only submit a certain number of requests per action. Set the timing to a level that’s impossible for a human to carry out that quickly and you’ll eliminate what the bots can do.
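Here is what a threshold governor looks like in code (an added example, not from the post or any particular membership platform): a sliding-window counter keyed by client IP and action, so the login form, signup and password-reset endpoints each get their own ceiling. The limits in DEFAULT_LIMITS and the traffic replayed at the bottom are constructed values for the demonstration.

```python
import time
from collections import defaultdict, deque


class ThresholdGovernor:
    """Sliding-window limit on how often one client may perform each action.

    limits maps an action name to (max_requests, window_seconds). A request is
    refused when the client has already made max_requests in the last window.
    """

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock                    # injectable so tests need not sleep
        self.history = defaultdict(deque)     # (client_key, action) -> recent timestamps

    def allow(self, client_key, action):
        """Return True and record the request if under the threshold, else False."""
        limit, window = self.limits[action]
        now = self.clock()
        recent = self.history[(client_key, action)]
        while recent and now - recent[0] >= window:   # drop entries outside the window
            recent.popleft()
        if len(recent) >= limit:
            return False
        recent.append(now)
        return True


# Constructed thresholds: a person does not log in 10 times a minute or request
# 3 password resets a minute, so anything beyond this is treated as automation.
DEFAULT_LIMITS = {
    "login": (10, 60),
    "password_reset": (3, 60),
    "signup": (5, 3600),
}


class FakeClock:
    """Manual clock so the behaviour can be demonstrated without waiting."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay(events, limits=DEFAULT_LIMITS):
    """Replay constructed (time, ip, action) events; return the refused ones."""
    clock = FakeClock()
    governor = ThresholdGovernor(limits, clock=clock)
    refused = []
    for t, ip, action in sorted(events):
        clock.now = t
        if not governor.allow(ip, action):
            refused.append((t, ip, action))
    return refused


if __name__ == "__main__":
    # Constructed traffic: one address hammering the login form, one ordinary member.
    bot = [(i * 0.5, "203.0.113.7", "login") for i in range(30)]
    member = [(0, "198.51.100.4", "login"), (20, "198.51.100.4", "login")]
    for event in replay(bot + member):
        print("refused:", event)
```

Key the counter on the address your web server actually saw the connection from; if you sit behind a load balancer or CDN, take the client address from the header that proxy sets and not from anything the client can supply itself, or every bot can reset its own counter.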
Password Lockout
Most people have experienced this one personally, like perhaps when your ‘friend’ decides to lock you out of your iPhone by purposely entering invalid passwords until you’re locked out for 15 minutes.
Password lockouts are a fantastic way to limit unauthorized access by another person, like for instance on a stolen device, as opposed to automated software attempting a brute force attack.
Here are a few suggestions when setting your lockout procedures:
- One failed attempt: At least 5 seconds
- Two failed attempts: At least 15 seconds
- Three failed attempts: At least 45 seconds
The trick with password lockouts is that they must be set reasonably to avoid user frustration.
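The escalating schedule above, written out as code (an added example, not from the post): a per-account lockout that applies 5, 15 and then 45 seconds after each consecutive failure, resets on a correct password, and is consulted before the password is checked so a locked account costs the server nothing to refuse. The PBKDF2 verifier and the ManualClock are assumptions of the example; the delays are the ones the post suggests.

```python
import hashlib
import hmac
import os
import time


class LockoutPolicy:
    """Escalating per-account lockout: 5 s, 15 s, then 45 s after every later failure."""

    DELAYS = (5, 15, 45)   # seconds after the 1st, 2nd and 3rd-or-later failure

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}    # username -> (consecutive_failures, locked_until)

    def seconds_remaining(self, user):
        """How long the account is still locked; 0 when an attempt may proceed."""
        _, until = self.state.get(user, (0, 0.0))
        return max(0.0, until - self.clock())

    def can_attempt(self, user):
        return self.seconds_remaining(user) == 0

    def record_failure(self, user):
        """Extend the lockout per the schedule; returns the delay applied."""
        failures, _ = self.state.get(user, (0, 0.0))
        failures += 1
        delay = self.DELAYS[min(failures, len(self.DELAYS)) - 1]
        self.state[user] = (failures, self.clock() + delay)
        return delay

    def record_success(self, user):
        """A correct password clears the counter."""
        self.state.pop(user, None)


def make_verifier(password, iterations=100_000):
    """Salted PBKDF2 hash closed over a constant-time compare (assumed storage scheme)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def verify(candidate):
        cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        return hmac.compare_digest(digest, cand)

    return verify


def attempt_login(policy, users, username, password):
    """Outcome of one login: 'locked', 'ok' or 'bad_password'.

    users maps username -> verifier callable. The lockout is consulted first, so
    a locked account is refused without running the (deliberately slow) hash.
    """
    if not policy.can_attempt(username):
        return "locked"
    verify = users.get(username)
    if verify is not None and verify(password):
        policy.record_success(username)
        return "ok"
    policy.record_failure(username)   # unknown usernames are treated like wrong passwords
    return "bad_password"


class ManualClock:
    """Settable clock so the schedule can be exercised without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = ManualClock()
    policy = LockoutPolicy(clock=clock)
    users = {"alice": make_verifier("eat.Chocolate.for.breakfa$t.")}   # constructed account
    for guess in ["chocolate", "Chocolate1", "eat.Chocolate.for.breakfa$t."]:
        print(guess, "->", attempt_login(policy, users, "alice", guess),
              "locked for", policy.seconds_remaining("alice"), "s")
        clock.now += policy.seconds_remaining("alice")
```

Because the counter is per account rather than per address, this complements the IP-based threshold governor: one throttles a single noisy source, the other protects a single target no matter where the guesses come from.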
Forbidding Singular Dictionary Words
At this point in the blog post, we really hope you already know this one, but it’s important to be clear. The sophistication level of password hacking makes it too easy to guess dictionary words—do not allow your members to use “chocolate” or similar.
Encourage and require more complex passwords such as “eat.Chocolate.for.breakfa$t.”
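Pulling the three rules together (minimum length, a capital letter and a symbol, no single dictionary word), here is a policy checker you could drop in front of a password-change form. It is an added example rather than code from the post; the six-word DICTIONARY is a constructed stand-in for a full word list, and the rule names it returns are this example's own.

```python
import string

# Constructed mini word list; a real deployment would load a full dictionary plus
# a list of passwords seen in past breaches.
DICTIONARY = {"chocolate", "password", "summer", "welcome", "football", "sunshine"}

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def is_single_dictionary_word(password, dictionary=DICTIONARY):
    """True when the password is just one dictionary word, ignoring case and any
    digits or symbols tacked on (so "Chocolate1!" still counts as "chocolate")."""
    letters = "".join(c for c in password.lower() if c.isalpha())
    return letters in dictionary


def check_password(password, min_length=8, required=("upper", "symbol"), dictionary=DICTIONARY):
    """Return the list of violated rules; an empty list means the password passes.

    Defaults follow the post: 8 characters for lower-threat sites (raise min_length
    to 13 for sensitive ones), a capital letter and a symbol required, and no
    single dictionary word.
    """
    violations = []
    if len(password) < min_length:
        violations.append("min_length")
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in password)}
    for name in required:
        if name not in present:
            violations.append("missing:" + name)
    if is_single_dictionary_word(password, dictionary):
        violations.append("dictionary_word")
    return violations


if __name__ == "__main__":
    # Constructed candidates, from the post's bad examples to its good one.
    for candidate in ["chocolate", "Chocolate1!", "Password1234", "eat.Chocolate.for.breakfa$t."]:
        print(f"{candidate:32} -> {check_password(candidate, min_length=13) or 'OK'}")
```

Returning the full list of violations rather than stopping at the first one lets the form tell the member everything to fix in one go, which is what keeps the "why was it rejected again?" tickets down.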
We’ve covered a lot of ground in this blog post! We hope the information helps you shape secure password behavior at your association. If you’d like some more structure for how to roll out changes to poor password behavior, we highly recommend reading our free ebook Overhauling Password Behavior at Your Association.
Have a question or comment about this blog post? Sound off in the comments below!