Dependence on computers and the Internet has been a part of everyday business for over a decade, yet many are still uninformed when it comes to password basics. Computer passwords, in my opinion, are one of the most boring, yet important, topics administrators need to keep in mind. I'm not referring to the typical rules and suggestions the auditors insist upon, but rather a few reasonable guidelines for practicing and understanding proper password management.
Here are four recommendations that can help resolve password dilemmas:
1. Determine what makes a good password
A good password doesn't have to be something like "$*P_l;2@09" that is changed every 30 days and not reused for three consecutive years. Contrary to popular belief, long, yet simple, passphrases such as "Summer_in_the_South!" or "ATLBraves~2009!" can be very effective. Passphrases such as these can stand up against password crackers, including tools like Ophcrack that use rainbow tables for fast cracking of longer-than-average passwords, because every added character multiplies the keyspace an attacker has to precompute. These phrases are certainly not going to be easy for someone else to randomly guess and, most importantly, they're going to be remembered. Also, unless a passphrase is suspected to have been compromised, requiring users to change it once every six or 12 months is plenty.
If you think it would fit into the company culture and technical environment, it's good for your users to have a slightly different passphrase for each type of system or platform. For instance, you could use "ATLBraves~2009!_winXP" for Windows and email and "web_ATLBraves~2009!" for Web-based systems. This might appear to be an issue if the shared part is uncovered, but that shouldn't happen if you've chosen a good password.
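To make the length-over-complexity argument concrete, here is an added example (not code from the article or its author) that scores the article's own sample passwords by the brute-force keyspace an attacker using exhaustive search or precomputed rainbow tables would have to cover, and applies a length-first policy with the article's relaxed rotation rule. The thresholds MIN_LENGTH and MAX_AGE_DAYS are assumptions, since the article gives no exact numbers, and the keyspace figure is an upper bound: it says nothing about dictionary attacks on guessable words, only about exhaustive search.

```python
import math
import string

# Assumed policy thresholds (not from the article): it argues for long
# passphrases changed every 6-12 months without fixing exact numbers.
MIN_LENGTH = 15        # assumed: long enough to put precomputed tables out of reach
MAX_AGE_DAYS = 365     # assumed: "once every six or 12 months is plenty"


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force or rainbow-table attacker must cover
    to enumerate every string built from this password's character classes."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace exhaustive search must cover: length * log2(alphabet).
    Measures resistance to brute force and precomputed tables only; a dictionary
    attack on guessable words can do better, so treat this as an upper bound."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def check_password(password: str, age_days: int = 0,
                   suspected_compromise: bool = False) -> list:
    """Return the list of policy violations (empty means acceptable).
    Length is the only composition rule; no character classes are required."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if suspected_compromise:
        problems.append("suspected compromise: change immediately")
    elif age_days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    # The article's samples plus one constructed short-and-simple case
    for pw in ["$*P_l;2@09", "Summer_in_the_South!", "ATLBraves~2009!", "baseball"]:
        print(f"{pw!r:24} alphabet={charset_size(pw):3} "
              f"bits={brute_force_bits(pw):6.1f} problems={check_password(pw)}")
```

Run as a script it prints one line per sample: the 10-character symbol-heavy password comes out around 65 bits of brute-force keyspace and fails the length rule, while the 20-character passphrase, drawn from a smaller alphabet, comes out near 128 bits and passes.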
2. Make sure users know the rules
A lot of users say they aren't aware of any password policies, nor have they been taught how to construct a passphrase that's easy to remember. Those who do recall the rules usually have negative comments, such as how their passwords have to be random gobbledygook and how much of a pain it is to change them every 30 days. These user complaints fall on management for not giving IT, security and compliance staff enough resources to get the word out effectively.
3. Enforce the rules
Here's where many written password policies fail. They look good on paper, but they're not being enforced via Windows Group Policy or other technologies across the network. Both complexity requirements and change frequency can be enforced in most modern technologies, but that does little good if management is not on your side.
Also, policies are often inconsistent from platform to platform, such as from Windows to the Web, which leads to confusion and lack of password effectiveness. Make sure to take your databases, routers, switches, wireless APs, smartphones, etc. into account, as well. It may not be realistic to try and incorporate the same password standards on every system in your enterprise, but you can come close. If you end up with exceptions, let your users know about them and work with your developers and/or vendors to fix the gaps.
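One practical way to find the platform-to-platform inconsistencies described above is to write the agreed baseline down once and compare every platform's enforced settings against it, separating deviations that weaken the control from ones that merely differ, and setting aside the exceptions you have already accepted and told users about. The following added example (not the article's code) does that over a constructed set of platform settings; the baseline values, platform names and settings are all assumptions for illustration.

```python
# Constructed baseline (assumed values, not from the article)
BASELINE = {"min_length": 15, "max_age_days": 365, "history": 10, "lockout_threshold": 10}

# Direction in which a deviation weakens the control
WEAKER_IF_LOWER = {"min_length", "history", "lockout_threshold"}
WEAKER_IF_HIGHER = {"max_age_days"}


def audit(baseline: dict, platforms: dict, accepted_exceptions: set = frozenset()):
    """Compare each platform's enforced settings with the baseline.

    Returns (findings, exceptions). Each entry is (platform, setting, detail).
    A missing setting, or a lockout threshold of 0 (never lock out), counts as
    not enforced. Pairs listed in accepted_exceptions are reported separately so
    they can be communicated to users rather than treated as gaps."""
    findings, exceptions = [], []
    for name, settings in platforms.items():
        for key, expected in baseline.items():
            actual = settings.get(key)
            if actual is None or (key == "lockout_threshold" and actual == 0):
                detail = "not enforced"
            elif actual == expected:
                continue
            elif (key in WEAKER_IF_LOWER and actual < expected) or \
                 (key in WEAKER_IF_HIGHER and actual > expected):
                detail = f"weaker: {actual} vs baseline {expected}"
            else:
                detail = f"inconsistent (stricter): {actual} vs baseline {expected}"
            entry = (name, key, detail)
            (exceptions if (name, key) in accepted_exceptions else findings).append(entry)
    return findings, exceptions


# Constructed per-platform settings as an administrator might collect them
PLATFORMS = {
    "windows":    {"min_length": 15, "max_age_days": 365, "history": 10, "lockout_threshold": 10},
    "web_app":    {"min_length": 8,  "max_age_days": 365, "history": 10, "lockout_threshold": 0},
    "router":     {"min_length": 15, "max_age_days": 30,  "history": 10, "lockout_threshold": 10},
    "smartphone": {"min_length": 6,  "max_age_days": 365, "history": 10, "lockout_threshold": 10},
}
ACCEPTED = {("smartphone", "min_length")}   # assumed: documented device-PIN exception


if __name__ == "__main__":
    gaps, known = audit(BASELINE, PLATFORMS, ACCEPTED)
    for platform, setting, detail in gaps:
        print(f"GAP       {platform:11} {setting:18} {detail}")
    for platform, setting, detail in known:
        print(f"EXCEPTION {platform:11} {setting:18} {detail}")
```

The router's 30-day rotation is flagged as inconsistent rather than weaker, which is the point of the article's section: a stricter setting on one box still confuses users and is still worth reconciling, while the web application's 8-character minimum and disabled lockout are the gaps to fix first.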
4. Do not rely on passwords alone
The constantly preached layered approach to security does have some merit. If one layer of security, such as a password, fails, then the next layer should kick in and prevent, or at least facilitate a response to, a breach. Think about the ways you can ensure that your systems don't rely on passwords alone. They're a single point of failure that will only serve to let you down.
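As an added example of a second layer behind the password (not code from the article or its author), the following login check requires both a salted, iterated password hash to match and a valid time-based one-time code from a separate device, so a stolen or guessed passphrase on its own is not enough. The one-time code follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and is checked against the RFC test vectors; the user record, the shared secret handling and the one-step acceptance window are assumptions made for the illustration, and the returned reason is meant for the audit log, not for display to the person logging in.

```python
import hashlib
import hmac
import secrets
import struct
import time

ITERATIONS = 200_000   # assumed PBKDF2 work factor


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, pbkdf2_hmac_sha256 digest) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> int:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side
    (assumed tolerance for clock skew); the comparison is constant-time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(f"{hotp(secret, counter + d):06d}", code.strip())
               for d in range(-window, window + 1))


def authenticate(record: dict, password: str, code: str, at: float = None) -> tuple:
    """Both layers must pass. Returns (granted, reason-for-the-audit-log)."""
    if not verify_password(password, record["salt"], record["hash"]):
        return False, "password rejected"
    if not verify_totp(record["totp_secret"], code, at):
        return False, "password accepted, second factor rejected"
    return True, "password and second factor accepted"


# Constructed user record: the article's sample passphrase and the RFC 4226/6238
# shared secret "12345678901234567890" (a published test value, not a real secret).
_SALT, _HASH = hash_password("Summer_in_the_South!", salt=b"constructed-salt")
USER = {"salt": _SALT, "hash": _HASH, "totp_secret": b"12345678901234567890"}


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector gives code 287082 (6 digits)
    print(authenticate(USER, "Summer_in_the_South!", "287082", at=59))
    print(authenticate(USER, "Summer_in_the_South!", "000000", at=59))
    print(authenticate(USER, "wrong-passphrase", "287082", at=59))
```

Note that the password check happens first and the function stops at the first failed layer, so a response (lockout, alerting) can key off the reason string; the user-facing message should be the same generic denial in every case.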
There is also a collection of other, older myths and misconceptions about passwords that still apply to us today.
In the world of security, very little is more frustrating than seeing an otherwise well-managed network, with new technologies and presumed compliance with laws and regulations, get compromised because a critical system had a weak password.
Passwords are the first, and sometimes only, line of defense in protecting critical business systems from abuse. Make sure that you step back and think about how passwords are used, or misused, inside your organization. You'll likely see that password standards haven't been set, policies are not being enforced and management buy-in is the biggest obstacle in your way. It's your job to try and figure out how to resolve these issues once and for all.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go.
This was first published in July 2009