WINDOWS DESKTOP SECURITY TIPS

Nine common password oversights to avoid


Kevin Beaver, CISSP
08.05.2009

Passwords are everywhere in the IT world. Whether at your desktop, on a Web site or on the VPN, passwords are constantly getting in the way. The good news: There are steps you can take to make your passwords more manageable. The bad news: You're not going to be getting away from them anytime soon. This means that the security abuses that stem from poor password management are going to continue.

Weak passwords can easily account for 50% or more of the security weaknesses in any given organization. Here are nine common password gaffes you need to focus on to ensure that passwords are doing what they're supposed to do, and in return, aren't getting in the way of security:

  1. Many people focus on strong passwords at the operating system (OS) level but forget about the other critical systems that are just as easily compromised. Smartphones, wireless networks, VPNs, firewalls, databases and sensitive documents all need to have strong passwords, as well. Otherwise, any "protection" they are receiving becomes an easily-circumvented façade.
  2. BIOS (a.k.a. power-on) passwords for your systems are not enough. If the hard drive is not encrypted, all someone has to do is remove it and place it in another machine to get full access to your files.
  3. Politics often get in the way of decent passwords, exposing what would otherwise be a relatively secure network. I often see systems with no passwords at all because too many people have complained to management about IT's draconian requirements. In situations like these, both management and IT need to lighten up and do what's right for the business. Users aren't going to complain about complex passwords if their expectations are properly set, their password requirements are reasonable and security and privacy are made part of the organization's culture (i.e. "This is how we do it here, no exceptions.").
  4. Many users want to do what's right, but no one has ever told them how to form a strong password that's simple to remember yet practically impossible to crack. You can't blame the users, as they're going to take the path of least resistance any chance they get. Management and IT have to set them up for success and help them help themselves.
  5. Using the same password for every system is dangerous. Weak passwords in Windows can lead to Outlook Web Access exploitation, FTP compromise, Blackberry abuse and other security issues. Develop a system that allows for the same basic password while also including a unique identifier based on the type and criticality of the system you're accessing.
  6. Password requirements can't exist as vaporware: They need to be documented and that documentation needs to be consistently maintained. Even though it seems that every organization has a password policy, nine times out of 10 they are outdated and don't include all information systems within their scope.
  7. Two or three sentences on how passwords are to be used don't equate to an effective policy. Password policy documents that work are very clear in their scope and intent, as shown in this sample security policy template. Everyone is given a copy, so there's no gray area.
  8. It's one thing to require strong passwords, but it's quite another to confidently say that everything is secure. Confirm your systems' inaccessibility by performing in-depth vulnerability assessments on a periodic basis that check all of your key systems. Using good tools, such as QualysGuard and GFI LANguard, combined with manual ethical hacking techniques is the only way to know for sure.
  9. Forcing ridiculous password requirements such as 30-day change cycles can be as bad as not requiring passwords at all. These are overrated and overused, and they typically get in the way of doing business. Formulate a realistic set of requirements that everyone can live with.
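As an added example (not code from the article or its author), here is one way to turn the documented, realistic requirements called for in items 4, 6 and 9 into something checkable: the policy is data that can be versioned alongside the policy document, and the checker rejects blank, default and too-short values while favoring long, memorable passphrases. The thresholds and the deny list are assumptions chosen for illustration, not requirements the article states.

```python
import math
import re

# Constructed sample of default/common values a policy should reject outright.
# Illustrative only; a real deployment would use a maintained breached-password list.
DENY_LIST = {"password", "Password1", "admin", "123456", "welcome", "letmein"}

# A documented policy expressed as data so it can be reviewed and kept current.
# These numbers are assumptions for this example, not values from the article.
POLICY = {
    "min_length": 14,
    "min_entropy_bits": 60,
    "max_age_days": 365,   # no 30-day churn; rotate on suspected compromise instead
}


def charset_size(pw: str) -> int:
    """Size of the alphabet the password draws from, judged by character class."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33   # printable ASCII punctuation and space
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force upper bound: length * log2(alphabet). Dictionary attacks do
    better than this bound suggests, which is why the length floor also applies."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw: str, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    if pw.strip() == "":
        return ["blank password"]
    problems = []
    if pw.lower() in {d.lower() for d in DENY_LIST}:
        problems.append("blank/default/common password")
    if len(pw) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if entropy_bits(pw) < policy["min_entropy_bits"]:
        problems.append(f"below {policy['min_entropy_bits']} bits of estimated entropy")
    return problems
```

Run it against a short "complex" password and a four-word passphrase to see the point of item 4: the passphrase clears every check, the short one fails on length even when it carries enough estimated entropy.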

Blank, default, weak or otherwise ineffective passwords are still one of the most common security problems. And in the era of cloud computing we're entering, where information security controls have to be adapted on the fly, it won't get any easier. Don't fall into these traps and let something so simple bite you and your business hard.

If you focus on doing passwords the right way -- anywhere and everywhere, not just in Windows -- you can rest assured that any security issues that do surface aren't going to be on your watch.

ABOUT THE AUTHOR:   
Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.
