Passwords can be the bane of information security, and you've undoubtedly got dozens of them to keep up with. This may not be a problem for you specifically, but what about your users? In the hands of every individual on your network are the keys to your kingdom. One password misstep by one user can be all it takes to expose one of your Windows systems, and likely many more, to the elements.
Think about all the potential passwords your average user has to remember for these various systems:
- VPN connection
- Intranet sites
- Personal websites, such as Hotmail, Yahoo and Facebook
- Business websites, such as Salesforce.com, business association sites and banking sites
- Hard drive encryption
There are enough of them to make even a technical person's head spin. Keeping up with the bevy of computer and application passwords is a real problem that could create business risks for your environment.
How can you minimize unnecessary password-related exposure on your Windows network? Single sign-on (SSO) may come to mind, but as I've written previously, SSO is not necessarily the answer to managing multiple logins. Dealing with multiple passwords can be as much a people issue as it is a technical issue. Here are a few tips to help fortify your systems and your users:
- Standardize what's acceptable and what's not for all the password types listed above. One weak password for a seemingly less important system can end up jeopardizing your entire network. Also, ensure that any enacted policies actually work across most of the systems your users interact with. Furthermore, make sure that they support the use of strong passwords and passphrases: a low maximum length or a ban on spaces and punctuation defeats passphrases outright, as do some of the ridiculous password requirements I've come across.
- Don't make your users change their passwords every 30 days, or every 90 days for that matter. If a password is created so that it's easy to remember yet long and unpredictable enough to resist offline cracking, you can go a lot longer between changes. Forced rotation mostly produces predictable variations of the old password (a new digit on the end) rather than genuinely new ones. The legitimate reasons for a change are a specific regulation or contractual obligation that mandates it, or suspicion that the password has been compromised.
- Don't rely on passwords alone. Ensure additional compensating controls are in place, such as multifactor authentication where the system supports it, encrypted hard drives, data leakage prevention and log monitoring.
- Show users how they can save their passwords in their Web browsers, especially in the secure ways that IE, Firefox and third-party tools such as Roboform offer. A saved password store is only as safe as whatever protects it, so pair this with a master password in Firefox and a strong Windows logon where the store is tied to the user's Windows account, as IE's is. This isn't the most popular option, but I am a strong believer in balancing security with convenience and usability.
Encourage users to have a base password for everything, differentiated by the type of system they're logging into. For example:
- P@ssword09_Winsys for Windows-based systems
- P@ssword09_4theweb for Web-based systems
This will encourage strong password usage, along with making the passwords easier to remember. I believe this is much better and safer than using the same password for multiple systems. Two cautions apply. First, the strength has to live in the base: a leet-substituted dictionary word plus a two-digit year, as in the illustrations above, is exactly the kind of entry that cracking wordlists and mangling rules already cover, so make the base a long passphrase. Second, the variants are related, so treat a leak of any one of them as a compromise of the whole family and have the user change all of them. Tell your users the dangers of mixing personal and business passwords, and encourage them to keep them separate.
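To make that second caution concrete, here is an added example (not code from the original article) of what an attacker does with one leaked variant. It takes a constructed web password built on the article's pattern, recovers the base, and regenerates the likely passwords for the user's other systems with the same kind of rule-based mangling that offline crackers apply. The list of system tags, the separators and the use of SHA-256 in place of a real system's password hash are all assumptions made for the demonstration.

```python
import hashlib
import itertools
import re

# Constructed sample input: the "web" variant of a base password built the way
# the article suggests, assumed to have leaked from a breached web site.
LEAKED_WEB_PASSWORD = "P@ssword09_4theweb"

# Assumed suffix tags for the other system classes the article lists. A real
# attacker would also feed in the target's hostnames, product names and so on.
SYSTEM_TOKENS = ["Winsys", "Windows", "win", "vpn", "intranet", "bank",
                 "salesforce", "hdd", "disk", "laptop", "mail", "4work"]
SEPARATORS = ["_", "-", ".", ""]


def split_base(password):
    """Split a leaked 'base + separator + system tag' password into its parts.

    Returns (base, separator, tag). The split is at the last character that is
    not a letter or digit; if there is none, the whole string is the base.
    """
    m = re.match(r"^(.*?)([^A-Za-z0-9])([A-Za-z0-9]*)$", password)
    if not m:
        return password, "", ""
    return m.group(1), m.group(2), m.group(3)


def case_variants(token):
    """The handful of capitalisations a user is likely to have typed."""
    return {token, token.lower(), token.upper(), token.capitalize()}


def derive_guesses(leaked, tokens=SYSTEM_TOKENS, seps=SEPARATORS):
    """Candidate passwords for the victim's other systems, given one leak.

    This is the rule-based mangling that password crackers apply: keep the
    recovered base, swap the separator, swap the system tag.
    """
    base, _sep, _tag = split_base(leaked)
    guesses = {base}  # the bare base is itself a likely password
    for sep, tok in itertools.product(seps, tokens):
        for variant in case_variants(tok):
            guesses.add(f"{base}{sep}{variant}")
    return guesses


def crack(target_hash, guesses, hash_fn=hashlib.sha256):
    """Offline check of every guess against a stored hash.

    SHA-256 stands in for whatever the real system stores (an assumption;
    the loop is identical for an NT hash or any other unsalted format).
    """
    for g in guesses:
        if hash_fn(g.encode("utf-8")).hexdigest() == target_hash:
            return g
    return None


def demo():
    """Constructed scenario: the same user's Windows password, held as a hash.

    Returns (number of guesses tried, recovered password or None).
    """
    windows_password = "P@ssword09_Winsys"
    stored = hashlib.sha256(windows_password.encode("utf-8")).hexdigest()
    guesses = derive_guesses(LEAKED_WEB_PASSWORD)
    return len(guesses), crack(stored, guesses)


if __name__ == "__main__":
    count, found = demo()
    print(f"{count} guesses derived from the leaked web password; "
          f"recovered: {found}")
```

Under two hundred guesses recover the Windows variant, which is the gap between "different passwords" and "unique passwords". Tools such as John the Ripper and hashcat ship rule sets that do this generically, so the scheme is best treated as a fallback for systems where a password manager of the kind mentioned above can't be used, and a leak of any one member of the family should trigger a change of all of them.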
As with many things related to security, education is key. Assemble and distribute all the proper documentation on procedures and technical controls to manage security. Keep your users informed and never let your guard down. For security to work effectively, it must be on top of everyone's mind.
The alternative is draconian controls that only get in the way of doing business. Those don't stand a chance of improving security, much less of surviving for long. Leverage technical controls where you can, and teach people the dos and don'ts of passwords. A smart user equipped with some sharp password-keeping skills is arguably the best first and last line of defense you can have.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go.
This was first published in July 2009