Even in today’s high-tech age, one of the most common ways attackers gain access is plain old password guessing. The techniques range from the simple, such as guessing the password you are most likely to have chosen, to dictionary attacks that try a list of common words and leaked passwords, to brute-force attacks that try every possible combination of characters.
Fortunately, a few well-thought-out password policies make this type of attack far harder on your system. The policies below follow the guidance in the (now withdrawn) Federal Information Processing Standard on password usage, FIPS 112. Note that NIST’s current guidance, SP 800-63B, departs from it on a couple of points, in particular forced periodic expiry and composition rules, and puts more weight on minimum length and on screening new passwords against lists of common and previously breached passwords. Follow these policies and your password security will be enough to stop most break-ins that rely on guessing.
==> Account Lockouts and Delays
There should be an account lockout threshold: after X consecutive failed login attempts, the account is locked. The user then has to call in by phone, wait for a set period or answer a set of security questions before being allowed to try again. Two caveats a practitioner should keep in mind: a lockout that only a human can clear lets an attacker lock real users out of their accounts just by entering wrong passwords, so a temporary lockout that expires on its own (say fifteen minutes) is usually the better default; and a per-account counter does nothing against password spraying, where one common password is tried against many accounts, so failures should also be counted per source address.
Also, there should be a delay between password attempts. Against a login that answers instantly, an automated attacker can try many passwords per second. Even a ten-second delay after a failed attempt makes no real difference to a human, but it caps an attacker at fewer than ten thousand guesses a day against any one account, which is not enough for brute force. Enforce the delay on the server, never in the client, since a client-side delay is simply skipped by a script, and let it grow with each consecutive failure rather than staying fixed.
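Here is how the lockout threshold and the growing delay fit together on the server. This is an added example written for this page, not code from the original article: the thresholds (five failures on an account, a ten-second delay that doubles on each failure, a fifteen-minute temporary lockout, a looser per-address counter that locks after twenty failures), the demo account and its password are all assumptions. Failures are counted both per account and per source address, so a single address guessing one password against many accounts is caught as well, and the clock is injectable so the behaviour can be checked without sleeping.

```python
# Added example: server-side throttling for login attempts.  All thresholds below are
# assumed values chosen for illustration, not figures taken from the article.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Attempts:
    failures: int = 0        # consecutive failures for this key
    last_failure: float = 0.0
    locked_until: float = 0.0


class LoginThrottle:
    """Tracks failed attempts per key (an account name or a source address).

    After each failure the caller must wait base_delay * 2**(failures-1) seconds,
    capped at max_delay.  Reaching max_failures triggers a *temporary* lockout;
    a permanent lockout would let an attacker lock real users out on purpose.
    """

    def __init__(self, now: Callable[[], float] = time.monotonic, *, max_failures: int = 5,
                 base_delay: float = 10.0, max_delay: float = 300.0,
                 lockout: float = 15 * 60, window: float = 60 * 60) -> None:
        self.now = now                # injectable clock so behaviour can be tested
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout = lockout
        self.window = window          # failures older than this are forgotten
        self.state: Dict[str, Attempts] = {}

    def _get(self, key: str) -> Attempts:
        a = self.state.setdefault(key, Attempts())
        t = self.now()
        if a.failures and t >= a.locked_until and t - a.last_failure > self.window:
            a = self.state[key] = Attempts()       # stale record: start over
        return a

    def wait_seconds(self, key: str) -> float:
        """0.0 if an attempt may proceed now, otherwise the seconds still to wait."""
        a = self._get(key)
        t = self.now()
        if t < a.locked_until:
            return a.locked_until - t
        if a.failures:
            delay = min(self.base_delay * 2 ** (a.failures - 1), self.max_delay)
            return max(0.0, a.last_failure + delay - t)
        return 0.0

    def record_failure(self, key: str) -> None:
        a = self._get(key)
        a.failures += 1
        a.last_failure = self.now()
        if a.failures >= self.max_failures:
            a.locked_until = a.last_failure + self.lockout

    def record_success(self, key: str) -> None:
        self.state.pop(key, None)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; prefer Argon2 or bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo account: the username comes from the article, the password is made up.
_SALT = os.urandom(16)
USERS = {"velvetrose": (_SALT, hash_password("correct horse battery staple", _SALT))}
_DUMMY = (b"\0" * 16, b"\0" * 32)   # used for unknown users so timing does not leak valid names


class Authenticator:
    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self.by_account = LoginThrottle(now)                                  # strict per account
        self.by_ip = LoginThrottle(now, max_failures=20, base_delay=1.0)      # looser per address

    def login(self, username: str, password: str, source_ip: str) -> str:
        """Return 'ok', 'denied', or 'throttled:<seconds to wait>'."""
        wait = max(self.by_account.wait_seconds(username), self.by_ip.wait_seconds(source_ip))
        if wait > 0:
            return f"throttled:{int(wait)}"
        salt, stored = USERS.get(username, _DUMMY)
        ok = username in USERS and hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self.by_account.record_success(username)
            return "ok"
        self.by_account.record_failure(username)   # one guess costs the attacker on both counters
        self.by_ip.record_failure(source_ip)
        return "denied"
```

The unknown-user path still computes a hash so that response time does not reveal which usernames exist, and the per-address throttle is deliberately looser than the per-account one because many legitimate users can sit behind one NAT address.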
==> Username and Passwords Cannot Match
If your username is velvetrose, the password can’t also be velvetrose. This combination is one of the first things an attacker tries, and it turns up in leaked account databases far too often for it to be secure. Compare the two case-insensitively so that VelvetRose is caught as well.
==> Password Cannot Be a Dictionary Word
The most common form of password guessing is the dictionary attack: the attacker loads a wordlist and has a program try every entry as your password. Modern wordlists contain not only dictionary words but also passwords leaked in earlier breaches and their usual variations (first letter capitalised, a digit or year appended, @ for a and 0 for o), so a check that rejects only the exact word “password” still lets “P@ssw0rd1” through.
Configure your system to reject any password that is a dictionary word, and normalise the candidate before looking it up (lowercase it, undo the common letter-for-symbol substitutions, strip trailing digits) so that the obvious variants are rejected too. Checking the candidate against a list of passwords from known breaches closes most of the remaining gap.
==> Minimum Length and Maximum Consecutive Characters
The minimum length of a password should be 8 characters; a minimum of 6 was once common but is too short against today’s cracking hardware. Raising the minimum further helps, but the higher it is, the more likely you are to annoy your users, who will have a hard time thinking up longer passwords and will fall back on predictable patterns. Allowing spaces and encouraging passphrases is the easiest way to get length without that cost.
Set a maximum number of consecutive identical characters. The recommended maximum is 3, so a password of “aaaa0000”, with two runs of four, shouldn’t be allowed.
==> At Least One Number, One Letter
A password shouldn’t be all numbers or all letters; require at least one of each. Keep composition rules to this minimum, though: every extra requirement (one uppercase, one symbol, and so on) pushes users toward the same predictable shape, a capitalised word followed by a digit and an exclamation mark, which attackers’ wordlists already cover. NIST SP 800-63B now recommends against composition rules altogether in favour of a minimum length and a blocklist of common passwords.
==> Password Life and Password Reuse
The life of a password shouldn’t last more than 180 days, or half a year. Users should be asked to pick a new password when the old one expires. Be aware that NIST SP 800-63B now recommends against forced periodic changes unless there is evidence of compromise, because users respond with predictable increments (Summer1 becomes Summer2) that an attacker who knows the old password tries first. Whatever expiry period you choose, force an immediate change whenever a leak is suspected.
Expiry limits the damage from a password that has leaked elsewhere, for instance a password the user reused on another site that was breached, or one sitting in a large haul of credentials that an attacker harvested to use en masse later: once the password is rotated, the stolen copy stops working. It does not stop the attacker using the password before it expires, so it complements, rather than replaces, screening new passwords against known-breached lists.
Users shouldn’t be allowed to reuse passwords they’ve used in the past, for the same reason. Keep the history as salted hashes rather than plaintext, and compare each candidate against every stored hash.
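The rules from the sections above, from the username check through the reuse check, combined into one acceptance function. This is an added example for this page, not the article’s code: the tiny wordlist, the substitution table used to catch “P@ssw0rd”-style variants, the eight-character minimum, the history depth of ten and the PBKDF2 parameters are all assumptions. Previous passwords are kept only as salted hashes, so the reuse check re-hashes the candidate under each stored salt.

```python
# Added example: acceptance checks for a new password, covering the rules above.
# The wordlist, substitution table, limits and hashing parameters are assumptions.
import hashlib
import hmac
import os
import re
from typing import List, Tuple

MIN_LENGTH = 8        # floor; six-character passwords fall to offline cracking quickly
MAX_RUN = 3           # longest permitted run of one repeated character ("aaaa" fails)
HISTORY_SIZE = 10     # previous password hashes kept per user for the reuse check
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a real dictionary plus common-password list (lowercase words).
WORDLIST = {"password", "welcome", "dragon", "letmein", "sunshine", "monkey",
            "football", "iloveyou", "qwerty"}

# Undo the substitutions people use to sneak a dictionary word past a naive check.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """'P@ssw0rd!23' -> 'password': drop trailing digits/punctuation, lowercase, undo leet."""
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def longest_run(s: str) -> int:
    """Length of the longest run of one identical character."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def policy_violations(username: str, password: str) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it is acceptable."""
    problems: List[str] = []
    if password.lower() == username.lower():
        problems.append("password equals username")
    if password.lower() in WORDLIST or normalize(password) in WORDLIST:
        problems.append("password is a dictionary word")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if longest_run(password) > MAX_RUN:
        problems.append(f"more than {MAX_RUN} identical characters in a row")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs at least one letter and one digit")
    return problems


class PasswordHistory:
    """Previous passwords for one user, stored only as salted PBKDF2 hashes."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, bytes]] = []   # (salt, hash), oldest first

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._hash(password, salt)))
        del self.entries[:-HISTORY_SIZE]               # keep only the newest HISTORY_SIZE


def change_password(username: str, new_password: str, history: PasswordHistory) -> List[str]:
    """Apply every rule; if all pass, record the new password and return an empty list."""
    problems = policy_violations(username, new_password)
    if history.was_used(new_password):
        problems.append("password was used before")
    if not problems:
        history.add(new_password)
    return problems
```

Returning the full list of violations rather than stopping at the first lets the user fix everything in one go, and the normalisation step is what turns a plain dictionary lookup into something that also rejects “Dr4g0n99”.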
If you follow these policies, accounts on your site will be much harder to break into by online guessing; brute-force and dictionary attacks against the login form will get nowhere fast. Keep in mind that they protect the login path only. If an attacker steals your password database, what stands between them and the passwords is the hashing scheme (a slow, salted hash such as bcrypt, scrypt, Argon2 or PBKDF2) and the length of the passwords themselves, not your lockout policy.