Hardening user passwords checklist

Roberta Bragg offers her password hardening best practices in this introductory checklist.

I'm tired of hearing that passwords are weak and we should never use them.

Critics say we should all be using smart cards, tokens or biometrics. Phooey!

Using something other than passwords may offer you additional security -- then again it may not. Improperly configured, or worse, improperly designed authentication products may be no better than passwords, while strong passwords coupled with hardened systems and knowledgeable users can provide a solid defense. Before you spend a fortune replacing passwords with the latest gizmo, use the following checklist to make your password defenses more secure.


1. Educate users first.

I'd be willing to bet that the number one reason passwords fail is because users don't have a clue. It's not their fault. It's up to us, the experts, to teach people about the importance of strong passwords and show them how to create them. If we rely on security policy and technical controls to enforce our desired result, we're going to fail. We need the combined strength of everyone, backed up by technology to reach the goal.

2. Teach users why they need strong passwords.

Have a meeting in which you ask users to create a good password. Feed the results into a password cracker and let the fun begin. Seeing a password cracked in seconds works much better than a boring lecture. Be sure to add a few good ones for contrast, and if some passwords don't get cracked, perhaps a prize is in order.

3. Demonstrate how to create bulletproof passwords.

Here are some tried-and-true techniques:

  • Compose every password of a mixture of upper and lowercase letters, numbers and special characters.
  • Numbers and special characters should always be within the password, not at the end.
  • Don't use a name, dictionary word, user id or popular catch phrase. (Using GoChiefs! as a password in Kansas City is not a good idea. Using company sayings isn't either.)
  • Do use a passphrase if you want. They are easier to remember, but use one that has meaning, not one someone you know might guess.
  • Use at least eight characters. Use more if you can, if your policy requires it or if your job involves sensitive information.
  • If users have standalone Windows XP computers, teach them to create and maintain a password-reset disk. A password reset disk can be used should users have a problem with their passwords.

4. Be the Emily Post of proper passwords.

Examples of poor password etiquette:

  • Putting a password on a sticky note and attaching it to the monitor or placing it under the keyboard.
  • Sharing passwords with fellow workers.
  • Giving out a password if someone calls and says they are from IT or security, or anyone else.

Examples of good password etiquette:

  • Calling security if someone attempts to gain a password or users notice anything funny about their logon.
  • Using unique passwords for each account, including personal accounts with banks and other Web sites.

5. Do not store miscellaneous passwords on hard drives.

Users with Internet-access rights will want to access personal sites and may have to register to obtain information. Local applications may also require passwords. Users may have the opportunity to store these passwords on the hard drive. This is not a good practice. These passwords may not be stored as securely as the logon password, and may be accessible to an attacker. This is especially dangerous if users forget and reuse passwords for multiple sites and applications, and/or use their Windows password. Users should not be subscribing to Web sites that are not visited for business purposes. When business applications require passwords, users will have to enter them each time they want to use the application instead of storing them on the hard drive.

6. Create and honor a strong password policy.

A strong organizational security policy will include a strong password policy. While management must approve the written password policy, the IT department must fulfill this policy as closely as possible using the technical controls available in Windows. For standalone machines, the password policy is part of the local security policy. In a domain, the default domain policy is used to establish a password policy for all domain users. If the password policy choices available in Windows cannot entirely fulfill the required written security policy, then non-technical controls, such as user training and enforcement (define and meet punishment for noncompliance) must be used.

7. Make administrators and sensitive account users have stronger than normal passwords.

Even though the generic password policy for all users is set at one level and partially enforced by technical controls, you should still have another, stronger password policy for administrators and others with sensitive accounts. While only one password policy per domain can be technically enforced, you can require some users to have stronger passwords. You'll have to give them further training, requiring longer passwords and other techniques. You may have to audit them by using a cracking/audit tool, but it will be worth it.

8. Enforce the organization's password policy.

If your password policy does not exceed the technical controls Windows offers, setting those controls for enforcement will suffice. However, no password policy should be without requirements that technical controls cannot enforce, such as not posting passwords on monitors, not sharing passwords and so on. In addition, there are technical controls you may want that cannot be done in the Windows password policy, such as requiring number placement in the middle of passwords.

Use the following strategies to enforce password policies:

  • First, purchase and use a password auditing tool. These tools can be used to provide information on how long it may take to crack a password -- even weak passwords. While you may not be able to tell if numbers are placed in the middle of a password, you can tell if a password is easily cracked and not in policy.
  • Second, do periodic site searches looking for passwords that are written down.
  • Third, include a punishment for non-compliance in your security policy. If there is a violation, there should be consequences.

Roberta Bragg is author of Hardening Windows Systems and our resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.
