Despite the good intentions of IT departments, end-user education and advanced forms of authentication, password
protection -- or a lack thereof -- remains a vexing problem for enterprises.
Users still create easy-to-guess passwords, write passwords down, store them in plain text, or email passwords to their friends and co-workers -- even though passwords are often the first, and sometimes only, line of defense against intruders.
Many enterprises still use password-based authentication because it's simpler and cheaper than more secure systems. In addition, organizations often maintain legacy systems that support only password-based authentication. Even enterprises that have implemented more advanced forms of authentication often combine those password management methods.
It's good practice to regularly review your corporate password management policy to maintain a secure environment and protect sensitive data.
When developing a password policy, it helps to understand the methods used to gain unauthorized access to protected resources. Intruders use the following methods to crack passwords:
- Brute-force attack: An attempt to access a secure resource by trying all possible combinations of characters that can make up a password.
- Dictionary attack: An attempt to access a secure resource by systematically entering common words (which often come from a dictionary file) to determine a user's password.
- Sniffing: The process of intercepting wired or wireless network transmissions and capturing password hashes.
- Cracking solutions: Software that attempts to decrypt passwords.
- Social engineering: The process of using social skills to obtain passwords and other personal information. Intruders will often implement telephone, e-mail or Internet schemes to get users to reveal their sensitive data. Phishing is a type of social engineering.
- Spyware: A type of software that users unintentionally install on their computers. Spyware surreptitiously gathers sensitive data or records keystrokes and sends that information to the intruder.
- Shoulder surfing: The process of gathering password information or other sensitive data by watching users enter passwords or reading passwords they’ve written down.
These methods are often used in combination. For instance, intruders might use sniffing to intercept a password hash and then use cracking software to decrypt the hash. Or intruders might use social engineering to gather personal information about users, and then run a dictionary program that creates a list of words based on that data.
Strong and safe passwords
An effective password policy should prevent passwords from being guessed, cracked or compromised in any way. Part of that policy should ensure that all users create strong passwords and follow specific guidelines when using and maintaining those passwords.
There's plenty of material that explains what constitutes strong passwords and proper password maintenance. The following guidelines summarize much of that information and provide a quick checklist to reference when developing password standards:
- Keep passwords confidential. Don't write passwords down. Don't show or tell them to anyone. Don't store passwords or transmit them electronically, unless you're sure they're encrypted and safe.
- Don't include personal information. Don't use first or last names, addresses, birthdays, anniversaries, Social Security numbers, usernames, nicknames, pet names or any other type of personal information.
- Don't create passwords that can be easily guessed. Avoid using common words, including abbreviations, foreign words, common misspellings or words spelled backwards. If you're creating a passphrase, don't include common phrases, famous quotations, or words from poems or songs.
- Used mixed characters. Passwords should include lower and uppercase letters, numbers and symbols such as @, %, !, &, and ^.
- Create long passwords. The longer the password, the better. Most sources recommend passwords be at least eight characters long, often longer. (Microsoft now recommends that a strong password be at least 14 characters.) When passphrases are supported, use them. They should run at least 20 to 30 characters long.
- Change passwords regularly. Recommendations vary on how often to change passwords, but 90 days is a common standard. The policy in some organizations is to change privileged (administrative) accounts more frequently than end-user accounts.
- Don't reuse passwords. After you've used a password, forget it. And make the new password significantly different from the old one.
- Use different passwords for different accounts. Don't use the same password for more than one account.
Not surprisingly, the stronger the passwords, the more difficult they are to remember, and the more difficult they are to remember, the more likely users will write them down, forget them or be calling the support desk.
The trick is to get users to create strong passwords they can remember. One way to achieve this is to base the password on the first letters in each word of a sentence or phrase. For example, the sentence The #3 train arrives this p.m. @ platform 2A! translates to the password T#3tatp.m.@p2A!. Notice that the password includes upper- and lowercase letters, numbers, and symbols.
An effective security strategy should include a documented password policy, and requirements for strong passwords should be part of that policy. However, the policy should also address other issues critical to enterprise password management:
- Educating users: All users should be educated in password-related issues -- including details about how passwords can be cracked, what constitutes a strong password, ways to craft those passwords and how to safeguard passwords.
- Enforcing standards: Password policies should be enforced systemically, that is, through security policies and other network and operating system mechanisms that prevent users from creating weak passwords or mismanaging their passwords. For instance, passwords should be set to expire at preset intervals, password histories should be retained to prevent passwords from being reused, and new users should be required to change their passwords upon first login.
- Detecting intruders: Set controls to manage the number of times a bad password can be inputted before an account is locked out.
- Auditing passwords: Passwords should be periodically audited to ensure compliance. Such auditing should be done without providing visibility to the passwords themselves.
- Storing and transmitting passwords: Passwords should always be encrypted whenever being stored or transmitted.
- Managing privileged passwords: Privileged passwords -- those used to access administrative accounts, let computers access one another or run service programs -- should be stored centrally on a system that supports a secure access and change process.
- Implementing password management: Password management solutions can help mitigate the problems associated with compromised passwords. Such a system might be a centralized technology (such as single sign-on or password synchronization) or one that lets users store usernames, passwords and other sensitive information locally. If your organization implements one of these methods, your password policies should incorporate the technology's operation and use.
Clearly, the factors that contribute to an effective password policy go beyond simply making sure that users create strong passwords. The goal must be to grant all authorized users access to protected data, while preventing unauthorized users from gaining such access.
To that end, you should create a policy that takes into account all issues related to managing passwords. The points above provide a starting point, but your policy must be specific to your enterprise. In other words, your password policy should reflect every step necessary to reduce the risks of compromise to any of your organization's systems.
ABOUT THE AUTHOR:
Robert Sheldon is a technical consultant and freelance technology writer. He has authored numerous books, articles and training material related to Microsoft Windows, relational database management systems, and business intelligence design and implementation. You can find more information at http://rhsheldon.com.