What Your Password Policy Should Be And Why?


“Always Use Password which Is Hard-to-Guess And Easy-to-Remember”


Undoubtedly, a strong password policy is of the utmost importance in safeguarding our financial transactions, personal communications and the private information we store online. For end users, a strong password is the bodyguard that defends them against serious security threats, scammers and hackers. A strong password policy is as important at the workplace as it is at home, and that is where the system administrator comes in: making sure that proper rules and policies are in place to help reduce that burden.

We have arranged a webinar with Roger A. Grimes to discuss the password policy. Roger is a 33-year computer security veteran and author of 13 books and over 1100 magazine articles on computer security.

A password policy is a set of rules designed to raise computer security by encouraging users to create reliable, secure passwords and then to store and use them appropriately.

Most users know well the security risks that come with easy-to-guess passwords, but they become irritated when faced with unfamiliar criteria or when trying to remember almost 19 different passwords for their many accounts. That is why computer engineers come in and play an important role in making sure that all users are aware of the security risks they face every day. To achieve this, everyone needs strong password policies and best practices.

But what should a password policy include, and how do you benefit from one? Do these questions seem daunting? No worries: this blog is all about what your password policy should be and why you should have one.

Let’s dig in!

First Thing First, What Are The Problems Of Passwords

     ‘The average person has to log on to 170+ websites and only has 3 to 19 passwords’

  • Easy To Hack

Your passwords can be hacked by attackers who are diligent enough and have powerful enough hardware; given time, they will be able to figure out your credentials.

  • Easy To Forget

People constantly forget their online passwords, including a new one immediately after a reset, because it is too complex to remember.

  • Hard To Forget

People often have to change their passwords frequently, which makes it hard to forget the old passwords and remember the new ones.

  • Easy to Share/Reuse

Passwords are very easy to share and to reuse on different websites, which is really bad, as it makes your password much easier to compromise.


Types Of Password Attacks

  • Physical Attacks

A physical attack is one in which you are prompted to type your password: while you are using an app or browser on your laptop or phone, a pop-up appears and asks you to enter your password to get into the app or site. In other words, it simply asks you what your password is.

  • Social Engineering

Social engineering is the psychological manipulation of users into making security mistakes or giving away important data. For example, when you share your password by e-mail or on a social media platform, that password ends up stored in their data. Unauthorized password resets or bypasses are also a form of password attack.

  • Guessing

Password guessing is an online method in which the attacker repeatedly tries to authenticate as a specific user to the system. A popular type of password guessing is the brute-force attack, which consists of trying every possible code, combination or password until the correct one is found. Attackers also use your interests, hobbies, etc. to guess your password.

  • Stealing

This is the most common type of password attack today: your password is stolen from your desktop by malware. An attacker disguises the malware as authorized software or a harmless link, possibly delivered through a misleading e-mail, a falsified website or a fake advertisement. Once downloaded, the malware gives the hacker access to your password data, as well as other data stored on your desktop or in your browser.

  • Lookups

A lookup is the fastest method and works in the opposite direction to a brute-force attack: rather than trying all possible passwords to see whether they produce the right hash, it starts from the hash and looks it up in a table of precomputed hashes to recover the password.

  • Account Takeover (ATO) Recoveries

An account takeover (ATO) recovery password attack is a form of online identity theft in which a cybercriminal illegally obtains unauthorized access to another person’s account. The account is of value to the attacker because it may hold funds or give access to products, services or other data of some value.

  • Hash Cracking

Hashing is the process of converting passwords into unreadable strings of characters, called hashes, that are designed to be impossible to convert back. Some hashing schemes are more easily cracked than others. When you enter your password on a site, the site usually runs the same hash once more and compares the result against the hash it generated when you first chose the password, verifying the password without having to store the sensitive password itself.

Switching from ordinary computer processors (CPUs) to graphics processors (GPUs) allows password crackers to exploit those chips’ ability to perform many simple tasks in parallel, accelerating their guessing as much as a thousandfold.

So-called hash crackers have developed “rainbow tables”: immense lists of precomputed hashes for every possible password. Today’s password attackers also don’t just guess passwords at random but use “dictionary attacks” to rotate through actual words and collections of common passwords known from past breaches.
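The verification flow described above, and why per-user salting defeats lookup and rainbow-table attacks, as an added example (not code from the original post): the user names and the shared password are constructed sample data, and PBKDF2-HMAC-SHA256 is used here as one standard slow, salted scheme.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # kept moderate for the demo; production deployments use more

# Constructed sample accounts (not real data): two users who picked the same password.
USERS = {"alice": "Summer2021!", "bob": "Summer2021!"}

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 with no salt: identical passwords give identical hashes,
    so one precomputed table (a rainbow table) recovers every user who chose them."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """What a site should store: a random per-user salt and a slow, salted
    PBKDF2-HMAC-SHA256 digest. The password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(record: dict, attempt: str) -> bool:
    """Login check: re-run the same salted hash on the attempt and compare
    in constant time, exactly as the text describes."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])

def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: make_record(p) for u, p in USERS.items()}
    return {
        # Same password -> same unsalted hash: one lookup-table hit exposes both users.
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        # Same password -> different salted hashes: a table keyed on the hash is useless.
        "salted_collide": salted["alice"]["hash"] == salted["bob"]["hash"],
        "alice_correct": verify(salted["alice"], "Summer2021!"),
        "alice_wrong_case": verify(salted["alice"], "summer2021!"),
    }
```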


How Fast Can Password Hashes Be Cracked?

  • At least 121 billion NT password tries/second on a single GPU rig
  • At least 350 billion password tries/second – a world record
  • Any 8-character NT hash password can be cracked in under 2 hours on a “rig”, or in 12 minutes using $25 of cloud processing power
  • A 10-character SHA256 hash was cracked in 5 days (source: hashcat on Twitter, @hashcat)


“You need 16-character NT passwords before you get any cracking “safety” and that’s just for now. May already be “broken” by a nation-state.”

Want to See if Your Password Has Been Stolen? Check here – https://haveibeenpwned.com

Of the various types of password attacks, social engineering, stealing, lookups and account takeover (ATO) recoveries make up the vast majority, and they don’t care how “strong” the password is. Guessing and hash cracking, on the other hand, are affected by password “strength”.


Password Guessing Defense

You can defend against password guessing with Multi-factor Authentication (MFA), which increases security for organizations and third parties alike. Alongside MFA: change any default passwords immediately, use strong passwords, enable account lockout policies, enable failed-login monitoring and alerting, and secure and monitor your APIs. Together these take away the risks and threats that come with passwords.
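The account lockout and failed-login monitoring rules mentioned above, applied to a constructed authentication log, as an added example that is not part of the original post. The log format, the four-failure threshold and the 15-minute window are assumptions chosen for the demo.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample authentication log (not from a real system), in time order.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:03 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:04 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:06 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:07 user=alice src=198.51.100.7 result=SUCCESS
2024-03-01T10:00:00 user=carol src=192.0.2.9 result=FAIL
2024-03-01T10:20:00 user=carol src=192.0.2.9 result=FAIL
2024-03-01T10:40:00 user=carol src=192.0.2.9 result=FAIL
2024-03-01T11:00:00 user=carol src=192.0.2.9 result=FAIL
"""

def parse(line: str):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["src"], kv["result"]

def evaluate(log: str, threshold: int = 4, window: timedelta = timedelta(minutes=15)) -> list:
    """Lockout rule: `threshold` failures inside `window` lock the account for `window`.
    Monitoring rule: `threshold` total failures are reported even when spaced out."""
    recent = defaultdict(deque)   # sliding window of failure timestamps per account
    total = Counter()             # all failures per account, for the monitoring rule
    locked, alerts = {}, []       # account -> lockout start time; alert messages
    for line in log.splitlines():
        ts, user, src, result = parse(line)
        if user in locked and ts - locked[user] < window:
            # A locked account must be refused; a success here means the lockout is not enforced.
            if result == "SUCCESS":
                alerts.append(f"{ts} {user}: login from {src} while locked out")
            continue
        if result == "FAIL":
            total[user] += 1
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                locked[user] = ts
                alerts.append(f"{ts} {user}: locked out after {len(q)} failures from {src}")
        else:
            recent[user].clear()
    for user, n in total.items():
        if n >= threshold and user not in locked:
            alerts.append(f"{user}: {n} failures spread over the period, no lockout triggered")
    return alerts
```

The second rule is what the monitoring side catches: carol's failures are spaced wider than the window, so lockout alone never fires.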


Password Policy Advice

  • Use MFA

You should use Multi-factor Authentication (MFA), an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or VPN. MFA is a core component of a strong identity and access management (IAM) policy. We at Sennovate, together with our partners such as Gluu, Okta and ForgeRock, offer seamless MFA capabilities.

  • Use Unique Passwords

You should use unique passwords that are long, complex and different for every website and service. Do not reuse old passwords, and do not use easily guessable ones.

  • Use A Password Manager

A password manager is a solution that stores your passwords and alerts you to reused, compromised or vulnerable passwords, as well as to any accounts that don’t yet have multi-factor authentication enabled. Use it to create long, complex, different and random passwords for all your sites.

  • Create Your Own Better Passwords

Create your own passwords, each different and at least 8 characters long, with complexity. For even better security, set the minimum password length to 14 characters. To reduce the risk of password hash cracking and guessing, create passwords of 16 characters, since long passwords are far harder to crack than short ones.
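The arithmetic behind the 8/14/16-character advice, as an added example that is not part of the original post: it uses the guess rates quoted above and assumes passwords are drawn from the 95 printable ASCII characters; a smaller character set only makes the times shorter.

```python
# Rates quoted on the page; the 95-character set (upper, lower, digits, US-keyboard
# symbols) is an assumption about which characters users draw from.
SINGLE_GPU_NT_RATE = 121e9   # NT hash tries per second on a single GPU rig
WORLD_RECORD_RATE = 350e9    # tries per second, the quoted record
PRINTABLE_ASCII = 95

def keyspace(length: int, charset: int = PRINTABLE_ASCII) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return charset ** length

def seconds_to_exhaust(length: int, rate: float, charset: int = PRINTABLE_ASCII) -> float:
    """Worst case for the attacker; on average a random password falls in half this time."""
    return keyspace(length, charset) / rate

def human(seconds: float) -> str:
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"

def policy_table(lengths=(8, 10, 12, 14, 16), rate: float = SINGLE_GPU_NT_RATE) -> dict:
    """Exhaustive-search time per minimum length, the figure a policy decision rests on."""
    return {n: human(seconds_to_exhaust(n, rate)) for n in lengths}

def growth_factor(short: int, long: int, charset: int = PRINTABLE_ASCII) -> int:
    """How many times more work the longer minimum length demands."""
    return keyspace(long, charset) // keyspace(short, charset)

if __name__ == "__main__":
    for n, t in policy_table().items():
        print(f"{n:>2} chars: {t}")
    print("16 vs 8 chars:", f"{growth_factor(8, 16):,}x more guesses")
```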


Summing Up

To stay safe from password attacks and to safeguard your data and financial information, follow the password policy advice set out above.

Having any doubts, or want to have a call with us to learn more about password policy? Get in touch with us by clicking here; Sennovate’s experts will explain everything on a call in detail. You can also mail us at [email protected] or call us on (925) 918-6618.


Watch our full webinar with Roger Grimes, where we dive deep into passwords: What Your Password Policy Should Be and Why?






About Sennovate

Sennovate delivers custom identity and access management solutions to businesses around the world. With global partners and a library of 1000+ integrations, we implement world-class cybersecurity solutions that save your company time and money. We offer a seamless experience with integration across all cloud applications, and a single price for product, implementation and support. Have questions? The consultation is always free. Email [email protected] or call us at +1 (925) 918-6618.