Good computer security includes using a strong password for every account. Password policies must be updated over time because cracking tools keep improving and the computers used to run them keep getting faster.
Password cracking can take one of three approaches:
- Intelligent guessing - using information the attacker knows or can find out about the user or organization
- Dictionary attacks - using lists of words and of passwords exposed in earlier breaches
- Automation (brute force) - trying every possible combination of characters
By far the most common attacks we see are dictionary attacks and automated brute force. To make these attacks less effective, Hancock College is rolling out two new password policies:
- All passwords are checked against a database of known breached passwords
- Passwords must be at least 12 characters long, with no additional complexity requirements such as required numbers or special characters
Breached Password Checking
Starting in April 2022, every new Hancock College password will be checked, before it is accepted, against a database of passwords known to have been exposed in previous breaches. Because users often reuse passwords, attackers use these same breach lists when trying to crack Hancock College accounts. If the chosen password appears in the database, the user will be instructed to choose a different one. Users can check any password against this database at https://haveibeenpwned.com/Passwords.
Password Length
For many years the minimum password length has been 8 characters. Current hardware and methods can crack an 8-character complex password (a mix of uppercase, lowercase, and numbers) in a few hours. The new guidance sets a minimum of 12 characters: every additional character multiplies the number of combinations an attacker must try by the size of the character set, so the time to crack a similarly complex 12-character password today is measured in hundreds of years. Those figures assume the attacker has to try every combination; a 12-character password that appears in a breach list falls to a dictionary attack immediately, which is why the breach check applies alongside the length rule. Hancock's new policy does not require additional complexity such as numbers or special characters, but they are still allowed.
Password Expiration
Starting April 12, 2023, all passwords older than three years must be changed. Beginning thirty days before a password expires, users will see a warning at each login prompting them to change it. The change can be deferred until the password is more than three years old; at that point the old password will work one final time, and the user will be required to change it before continuing.
Tips for Creating Strong Passwords
In recent years the focus has shifted from password complexity (a mix of lowercase and uppercase letters, numbers, and special characters) to password length. A password like "Sr%[d8v" that was once considered strong is now weak against current cracking tools, and short complex passwords like it are also hard to remember. A long password can be both strong and easy to remember: "Giraffe.Banana.Pencil" and "I ate 25 strawberries" are examples of long passwords that are memorable and, because of their length, difficult to crack. Mixing in numbers and special characters is still a good idea, but beyond the 12-character minimum and the breach check, the only requirements are at least one uppercase and one lowercase letter and that the password not contain the words "Hancock", "Bulldog", "Spike" or "password".
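The breach check described under "Breached Password Checking" and the rules listed in this section, as an added example that is not part of the Hancock College policy text or the college's own systems: a Python checker that applies the length, case and banned-word rules and consults breach data the way the haveibeenpwned.com Pwned Passwords range API is designed to be queried, sending only the first five hex digits of the password's SHA-1 so the lookup service never sees the password or its full hash. The breach corpus and its counts, the simulated server, and the User-Agent string are constructed for this example; fetch_range_from_hibp shows the live query against the real endpoint, but the demo itself runs entirely offline.

```python
import hashlib
import urllib.request

# Constructed stand-in for a breach corpus: passwords and how many times each
# was seen in breaches.  The counts are made up for this example; the real data
# set is the Pwned Passwords corpus behind haveibeenpwned.com.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 9545824,
    "Password1": 2428600,
    "letmein": 245000,
    "Hancock2022": 12,
}

# Words the policy forbids anywhere in a password (matched case-insensitively).
BANNED_WORDS = ("hancock", "bulldog", "spike", "password")
MIN_LENGTH = 12
PREFIX_LEN = 5  # only the first 5 hex digits of the SHA-1 are sent to the server

def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest):
    """Split a 40-digit SHA-1 into the 5-digit prefix that is sent and the
    35-digit suffix that is only ever compared locally."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def build_range_response(corpus, prefix):
    """Simulated server side: every 'SUFFIX:COUNT' line whose SHA-1 starts
    with the requested prefix, CRLF separated like the real API."""
    lines = []
    for pw, count in corpus.items():
        p, suffix = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(sorted(lines))

def parse_range_response(text):
    """Parse range lines into {suffix: count}.  Padded responses (returned when
    the client sends 'Add-Padding: true') also contain filler entries with count 0."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, range_lookup):
    """How many times the password appears in breach data (0 if never).
    range_lookup(prefix) returns the response text for that 5-digit prefix, so
    the lookup service learns neither the password nor its full hash."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)  # 0 also covers a padding entry

def fetch_range_from_hibp(prefix):
    """Live lookup against the real Pwned Passwords range endpoint (not used by
    the offline demo; the User-Agent value is an assumption)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def local_lookup(prefix):
    """Offline stand-in for fetch_range_from_hibp using the constructed corpus."""
    return build_range_response(CONSTRUCTED_BREACH_CORPUS, prefix)

def check_policy(password, range_lookup=local_lookup):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    for word in BANNED_WORDS:
        if word in password.lower():
            problems.append(f'contains banned word "{word}"')
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"found {seen} times in breach data")
    return problems

if __name__ == "__main__":
    for candidate in ["Sr%[d8v", "password", "Giraffe.Banana.Pencil", "go bulldogs go 2023"]:
        print(f"{candidate!r}: {check_policy(candidate) or 'accepted'}")
```

To run the check against the live service instead of the constructed corpus, pass fetch_range_from_hibp as range_lookup; the client-side logic is identical, which is the point of the range design: the only thing that changes between the offline and online versions is where the prefix is sent.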
Password Managers
Password managers are software applications that help users create and manage their passwords. The user sets one master password to unlock the application, which then generates and safely stores a strong, unique password for each website the user visits. The advantage of a password manager over saving passwords in a browser is that the manager can be used across browsers and devices. A number of these tools are available; some are free and some must be purchased.