WINDOWS DESKTOP SECURITY TIPS

Secure your Windows systems with proper password practices


Kevin Beaver, CISSP
07.29.2009




Dependence on computers and the Internet has been a part of everyday business for over a decade, yet many are still uninformed when it comes to password basics. Computer passwords, in my opinion, are one of the most boring, yet important, topics administrators need to keep in mind. I'm not referring to the typical rules and suggestions the auditors insist upon, but rather a few reasonable guidelines for practicing and understanding proper password management.

Here are four recommendations that can help resolve password dilemmas:

  1. Determine what makes a good password
    A good password doesn't have to be something like "$*P_l;2@09" that is changed every 30 days and not reused for three consecutive years. Contrary to popular belief, long, yet simple, passphrases such as "Summer_in_the_South!" or "ATLBraves~2009!" can be very effective. Length is what makes them hold up against password crackers. Rainbow-table tools such as Ophcrack work from precomputed hashes that cover a bounded length and character set, and a phrase of 15 characters or more falls outside any practical table; on Windows, a password of 15 or more characters also cannot be stored as an LM hash at all (LM handles at most 14 characters), and the LM hash is exactly what Ophcrack's free Windows XP tables target. The one caveat is that length only helps if the phrase is not predictable: a team name plus the current year is a pattern that rule-based crackers try early, so favor phrases that are personal rather than guessable from a user's public profile. Phrases like these are not easy for someone else to randomly guess and, most importantly, they're going to be remembered. Also, unless a passphrase is suspected to have been compromised, requiring users to change it once every six or 12 months is plenty.

    If you think it would fit into the company culture and technical environment, it's good for your users to have a slightly different passphrase for each type of system or platform. For instance, you could use "ATLBraves~2009!_winXP" for Windows and email and "web_ATLBraves~2009!" for Web-based systems. Be honest about what this buys you: it stops an attacker who simply replays one captured password unchanged, but if one copy is exposed in the clear (a Web application that stores or emails passwords, for example), the shared core leaves only the short prefix or suffix to guess for the other systems. Treat it as a practical compromise for users who will not manage truly independent passwords, and keep the most sensitive systems on a password that shares nothing with the rest.

  2. Make sure users know the rules
    A lot of users say they aren't aware of any password policies, nor have they been taught how to construct a passphrase that's easy to remember. Those who do recall the rules usually have negative comments, such as how their passwords have to be random gobbledygook and how much of a pain it is to change them every 30 days. Responsibility for these complaints falls on management for not giving IT, security and compliance staff enough resources to get the word out effectively.
  3. Enforce the rules
    Here's where many written password policies fail. They look good on paper, but they're not being enforced via Windows Group Policy or other technologies across the network. Minimum length, complexity, history and change frequency can all be enforced through Group Policy, and most other modern platforms offer equivalent controls, but that does little good if management is not on your side.

    Also, policies are often inconsistent from platform to platform, such as from Windows to the Web, which leads to confusion and lack of password effectiveness. Make sure to take your databases, routers, switches, wireless APs, smartphones, etc. into account, as well. It may not be realistic to try and incorporate the same password standards on every system in your enterprise, but you can come close. If you end up with exceptions, let your users know about them and work with your developers and/or vendors to fix the gaps.

  4. Do not rely on passwords alone
    The layered approach to security that is constantly preached does have some merit. If one layer of security, such as a password, fails, then the next layer should kick in and prevent, or at least facilitate a response to, a breach. On Windows the obvious second layers are account lockout thresholds, two-factor authentication such as smart cards for administrators and remote access, and auditing of failed logons so that a guessing attack gets noticed. Think about the ways you can ensure that your systems don't rely on passwords alone. They're a single point of failure that will only serve to let you down.
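Recommendations 1 and 3 lend themselves to something concrete, so here is an added PowerShell example that is not from the original article. It does two things: Test-Passphrase scores the article's three sample passwords the way a cracker sees them (effective alphabet, brute-force work, whether XP-era Windows would store a crackable LM hash, and whether the phrase is a dictionary word plus a year), and Set-PassphrasePolicy writes the corresponding settings into the default domain policy, with the lockout layer from recommendation 4, and reads them back so that what is enforced can be compared with what is written down. Both function names are hypothetical, the seven-word dictionary is a constructed stand-in for a real cracking wordlist, and the enforcement part assumes the RSAT ActiveDirectory module and rights on the domain; it changes nothing unless -Apply is given.

```powershell
# Added example, not part of the original article. Function names are hypothetical.
function Test-Passphrase {
    param([Parameter(Mandatory = $true)][string]$Candidate)

    # Effective alphabet: every character class the candidate actually uses.
    # A brute-force attacker has to cover at least this alphabet at every position.
    $alphabet = 0
    if ($Candidate -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Candidate -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Candidate -match  '[0-9]')        { $alphabet += 10 }
    if ($Candidate -match  '[^A-Za-z0-9]') { $alphabet += 33 }   # printable ASCII symbols

    $length = $Candidate.Length
    $bruteForceBits = [math]::Round($length * [math]::Log($alphabet, 2), 1)

    # LM exposure: XP-era Windows stores an LM hash for passwords of 14 characters
    # or fewer. LM upper-cases the text and splits it into two independent 7-byte
    # halves, so cracking work is about 2 * 69^7 (~2^44) no matter how "complex"
    # the characters look. 15+ characters cannot be stored as LM at all.
    $lmStored = $length -le 14
    $lmBits   = if ($lmStored) { [math]::Round([math]::Log(2 * [math]::Pow(69, 7), 2), 1) } else { 0 }

    # Constructed mini-dictionary standing in for a real cracking wordlist. Rule-based
    # crackers try "word + year + symbol" over lists of teams, seasons and places,
    # so a phrase built that way is weaker than its length alone suggests.
    $dictionary = @('summer', 'winter', 'braves', 'atlanta', 'south', 'password', 'welcome')
    $words = [regex]::Split($Candidate.ToLower(), '[^a-z]+') | Where-Object { $_ -ne '' }
    $hits  = @($words | Where-Object { $dictionary -contains $_ })
    $wordYearPattern = $Candidate -match '^[A-Za-z]+[^A-Za-z0-9]?(19|20)\d\d[^A-Za-z0-9]*$'

    [pscustomobject]@{
        Candidate       = $Candidate
        Length          = $length
        BruteForceBits  = $bruteForceBits
        LmHashStored    = $lmStored
        LmEffectiveBits = $lmBits
        DictionaryWords = ($hits -join ',')
        WordYearPattern = $wordYearPattern
    }
}

function Set-PassphrasePolicy {
    # Writes the article's recommendation into the default domain policy: long
    # passphrases, a six-month change interval, history, and lockout as the second
    # layer from recommendation 4. Dry run (-WhatIf) unless -Apply is supplied.
    # Assumes the RSAT ActiveDirectory module; use "net accounts" on stand-alone hosts.
    param([switch]$Apply)

    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    $settings = @{
        Identity                 = $domainDn
        MinPasswordLength        = 15                          # nothing LM can store
        ComplexityEnabled        = $true
        MaxPasswordAge           = [timespan]::FromDays(180)   # six months, per the article
        MinPasswordAge           = [timespan]::FromDays(1)     # blocks cycling straight back
        PasswordHistoryCount     = 24
        LockoutThreshold         = 10
        LockoutDuration          = [timespan]::FromMinutes(30)
        LockoutObservationWindow = [timespan]::FromMinutes(30)
    }
    Set-ADDefaultDomainPasswordPolicy @settings -WhatIf:(-not $Apply)

    # Belt and braces for the LM problem: stop storing LM hashes regardless of length.
    # This is a per-machine LSA setting (set it on every DC, or push it via GPO).
    if ($Apply) {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -Value 1 -Type DWord
    }

    # Read the policy back. Older Group Policy editors cap minimum length at 14,
    # so trust what the directory reports, not what the policy document says.
    Get-ADDefaultDomainPasswordPolicy -Identity $domainDn |
        Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                      PasswordHistoryCount, LockoutThreshold
}

# The article's three samples side by side: the 10-character "complex" one is the
# only one that ends up as a ~2^44-effort LM hash; the 15-character team-plus-year
# phrase is long but matches a pattern crackers try early.
'$*P_l;2@09', 'Summer_in_the_South!', 'ATLBraves~2009!' |
    ForEach-Object { Test-Passphrase -Candidate $_ } | Format-Table -AutoSize
```

Run the script as-is to see the three scores; call Set-PassphrasePolicy on a domain-joined admin workstation to preview the policy change, and Set-PassphrasePolicy -Apply to make it. The read-back at the end is the point of recommendation 3: a written standard of 15 characters means nothing if the directory still reports 8.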

There is also a collection of other, older myths and misconceptions about passwords that still apply to us today.

In the world of security, very little is more frustrating than seeing an otherwise well-managed network, with new technologies and presumed compliance with laws and regulations, get compromised because a critical system had a weak password.

Passwords are the first, and sometimes only, line of defense in protecting critical business systems from abuse. Make sure that you step back and think about how passwords are used, or misused, inside your organization. You'll likely see that password standards haven't been set, policies are not being enforced and management buy-in is the biggest obstacle in your way. It's your job to try and figure out how to resolve these issues once and for all.

ABOUT THE AUTHOR:   

Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.


All Rights Reserved, Copyright 2008 - 2009, TechTarget