WINDOWS DESKTOP SECURITY TIPS

Managing multiple passwords in Windows


Kevin Beaver, CISSP
07.08.2009


Passwords can be the bane of information security, and you've undoubtedly got dozens of them to keep up with. This may not be a problem for you specifically, but what about your users? Lying in the hands of every single individual on your network are the keys to your kingdom. One password misstep on the part of one user virtually guarantees that one of your Windows systems – and likely many more – will be exposed to the elements.

Think about all the potential passwords your average user has to remember for these various systems:

  • Windows
  • Outlook
  • VPN connection
  • Webmail
  • Intranet sites
  • Personal websites, such as Hotmail, Yahoo and Facebook
  • Business websites, such as Salesforce.com, business association sites and banking sites
  • Smartphones
  • BIOS/power-on
  • Hard drive encryption

There are enough of them to make even a technical person's head spin. Keeping up with the bevy of computer and application passwords is a real problem that could create business risks for your environment.

How can you minimize unnecessary password-related exposure on your Windows network? Single sign-on (SSO) may come to mind, but as I've written previously, SSO is not necessarily the answer to managing multiple logins. Dealing with multiple passwords can be as much a people issue as it is a technical issue. Here are a few tips to help fortify your systems and your users:

  1. Standardize what's acceptable and what's not for all password types I listed above. One weak password for a seemingly less important system can end up jeopardizing your entire network. Also, ensure that any enacted policies actually work across most of the systems your users interact with. Furthermore, make sure that they support the use of strong passwords and passphrases, unlike some ridiculous password requirements I've come across.
  2. Don't make your users change their passwords every 30 days – or 90 days for that matter. If a password is created in such a way that it's easy to remember, yet next to impossible to crack, then you can go a lot longer between password changes. The only reason for making people frequently change their passwords is if a specific regulation or contractual obligation mandates such changes or if there is suspicion of a compromised password.
  3. Don't rely on passwords alone. Ensure additional compensating controls are in place, such as multifactor authentication, account lockout, encrypted hard drives, data leakage prevention and log monitoring, so that a single guessed or phished password does not by itself hand over the system.
  4. Show users how they can save their passwords in their Web browsers, especially in the secure ways that IE, Firefox and third-party tools such as Roboform offer. This isn't the most popular option, but I am a strong believer in balancing security with convenience and usability. Whatever store you endorse, make sure it is actually protected: a browser or password-manager vault is only as safe as the master password guarding it and the logged-in session it sits in, so pair it with screen locking and full-disk encryption.

  5. Encourage users to have a base password for everything, which is differentiated based on the type of system they're logging into. For example:

    • P@ssword09_Winsys for Windows-based systems
    • P@ssword09_4theweb for Web-based systems

    This will encourage strong password usage, along with making the passwords easier to remember. I believe this is much better and safer than using the same password for multiple systems. Be clear with users about its limits, though: the base is shared and the suffix is guessable, so anyone who captures one of these passwords can derive the others in a few tries. Reserve the scheme for low-value accounts and steer users toward unique, manager-generated passwords for anything that matters. Tell your users the dangers of mixing personal and business passwords, and encourage them to keep them separate.
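
Tips 1 and 2 above amount to a password policy that can be written down and checked. The following is an added example (not code from the original article): a legacy "complexity" policy of the kind the article criticizes, beside a standardized, passphrase-friendly policy, plus the expiry rule from tip 2. The policy values, the system names and the denylist are illustrative assumptions.

```python
"""Password policy as code, for tips 1 and 2 above: a legacy 'complexity'
policy of the kind the article criticizes, beside a standardized policy
that accepts long passphrases, screens known-bad passwords and drops
routine expiry.  Added example, not from the original article; the
policy values and the denylist are illustrative assumptions."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed stand-in for a feed of common/breached passwords.
COMMON_PASSWORDS = frozenset({
    "password", "p@ssword", "p@ssw0rd", "123456", "welcome1",
    "qwerty", "letmein", "summer2009",
})


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    max_length: int | None        # None: no cap (a cap often means truncation)
    allow_spaces: bool
    require_all_classes: bool     # upper + lower + digit + symbol mandated
    max_age_days: int | None      # None: rotate only on compromise/mandate
    denylist: frozenset[str] = frozenset()


# Short cap, no spaces, four character classes, 30-day expiry: the sort of
# requirement that pushes users toward P@ssw0rd-style passwords.
WEAK_POLICY = Policy("legacy", min_length=8, max_length=14,
                     allow_spaces=False, require_all_classes=True,
                     max_age_days=30)

# One policy meant to apply across every system in the list above.
STRONG_POLICY = Policy("standard", min_length=15, max_length=128,
                       allow_spaces=True, require_all_classes=False,
                       max_age_days=None, denylist=COMMON_PASSWORDS)


def normalize(password: str) -> str:
    """Undo the mutations password crackers try first (case, a trailing
    '_tag' or '-tag' label, trailing digits) so that 'P@ssword09_Winsys'
    is screened as 'p@ssword'."""
    s = password.lower()
    s = re.sub(r"[_\-][a-z0-9]*$", "", s)   # drop '_winsys', '-2009'
    s = re.sub(r"\d+$", "", s)              # drop trailing year/counter
    return s


def evaluate(password: str, policy: Policy) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    if not policy.allow_spaces and " " in password:
        problems.append("spaces not allowed")
    if policy.require_all_classes:
        classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if not all(re.search(c, password) for c in classes):
            problems.append("missing a required character class")
    if password.lower() in policy.denylist or normalize(password) in policy.denylist:
        problems.append("on the common/breached password list")
    return problems


def needs_rotation(days_since_change: int, policy: Policy,
                   suspected_compromise: bool = False) -> bool:
    """Force a change on suspected compromise; otherwise only when the
    policy carries a routine maximum age and it has elapsed."""
    if suspected_compromise:
        return True
    if policy.max_age_days is None:
        return False
    return days_since_change > policy.max_age_days


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple", "P@ssword09_Winsys"):
        for pol in (WEAK_POLICY, STRONG_POLICY):
            print(f"{pw!r} under {pol.name}: {evaluate(pw, pol) or 'OK'}")
```

Note what the two policies do with the same inputs: "P@ssw0rd" satisfies every composition rule in the legacy policy and sails through, while a four-word passphrase is rejected three times over; under the standardized policy the passphrase is accepted and the common password is caught, including the article's own "P@ssword09_Winsys" once the suffix and year are stripped before the denylist lookup.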

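To see why the base-password scheme in tip 5 needs the caveat about leaks, here is an added example (not code from the original article) of the derivation an attacker performs once one copy is exposed. The tag list, the "leaked" Web password and the target passwords are constructed to mirror the article's own P@ssword09_Winsys / P@ssword09_4theweb illustration.

```python
"""Why a shared base password with a per-system tag (tip 5) is only a
partial defense: once one copy leaks, the rest are a handful of guesses
away.  Added example, not from the original article; the tag list, the
leaked password and the target passwords are constructed to mirror the
article's own P@ssword09_Winsys / P@ssword09_4theweb illustration."""
from __future__ import annotations
from itertools import product
import re

# Labels an attacker would try for a corporate user's other accounts.
SYSTEM_TAGS = ["Winsys", "Win", "4theweb", "Web", "VPN", "Mail", "Bank", "Intranet"]
YEARS = ["08", "09", "10", "2008", "2009", "2010"]


def split_leaked(leaked: str) -> tuple[str, str, str]:
    """Split '<base><year>_<tag>' into (base, year, tag).  A password that
    does not follow the pattern is treated as base with no year or tag."""
    m = re.fullmatch(r"(.+?)(\d{2,4})?[_\-]([A-Za-z0-9]+)", leaked)
    if not m:
        return leaked, "", ""
    return m.group(1), m.group(2) or "", m.group(3)


def derive_candidates(leaked: str):
    """Yield guesses for the same user's other systems, likeliest first:
    the leaked year with every other tag, then year bumps, each with the
    common separators."""
    base, year, _tag = split_leaked(leaked)
    years = [year] + [y for y in YEARS if y != year] if year else [""]
    seen = set()
    for y, tag in product(years, SYSTEM_TAGS):
        for sep in ("_", "-", ""):
            cand = f"{base}{y}{sep}{tag}"
            if cand != leaked and cand not in seen:
                seen.add(cand)
                yield cand


def guesses_needed(leaked: str, target: str, limit: int = 10_000):
    """Return the position of target in the derived guess list, or None
    if it is not produced within limit guesses."""
    for n, cand in enumerate(derive_candidates(leaked), start=1):
        if cand == target:
            return n
        if n >= limit:
            break
    return None


if __name__ == "__main__":
    leaked = "P@ssword09_4theweb"          # constructed: the Web password, exposed
    for target in ("P@ssword09_Winsys", "P@ssword10_Winsys", "kR7#vQ2mX9$pLw4z"):
        print(f"{target}: {guesses_needed(leaked, target)} guesses")
```

With the Web password in hand, the Windows password from the article's example is the very first guess, and a year-bumped variant falls inside the first fifty; the only target these rules never reach is the random, manager-generated one. That is the trade-off to explain to users: the scheme defeats the laziest form of reuse, but any system whose password shares the base is one leak away from compromise.
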
As with many things related to security, education is key. Assemble and distribute all the proper documentation on procedures and technical controls to manage security. Keep your users informed and never let your guard down. For security to work effectively, it must be top of mind for everyone.

The alternative is to have draconian controls that only serve to get in the way of doing business. Those don't stand a chance of improving security, much less of surviving for the long term. Leverage technical controls where you can, and teach people the dos and don'ts of passwords. A smart user equipped with some sharp password-keeping skills is arguably the best first and last line of defense you can have.

ABOUT THE AUTHOR:   

Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. He has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and a blog about security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.
All Rights Reserved, Copyright 2008 - 2009, TechTarget