Passwords are everywhere in the IT world. Whether at your desktop, on a Web site or on the VPN, passwords are constantly getting in the way. The good news: There are steps you can take to make your passwords more manageable. The bad news: You're not going to be getting away from them anytime soon. This means that the security abuses that stem from poor password management are going to continue.
Weak passwords can easily account for 50% or more of the security weaknesses in any given organization. Here are nine common password gaffes you need to focus on to ensure that passwords are doing what they're supposed to do, and in return, aren't getting in the way of security:
- Many people focus on strong passwords at the operating system (OS) level but forget about the other critical systems that are just as easily compromised. Smartphones, wireless networks, VPNs, firewalls, databases and sensitive documents all need to have strong passwords, as well. Otherwise, any "protection" they are receiving becomes an easily circumvented façade.
- BIOS (a.k.a. power-on) passwords for your systems are not enough. If the hard drive is not encrypted, all someone has to do is remove it and place it in another machine to get full access to your files.
- Politics often get in the way of decent passwords, exposing what would otherwise be a relatively secure network. I often see systems with no passwords at all because too many people have complained to management about IT's draconian requirements. In situations like these, both management and IT need to lighten up and do what's right for the business. Users aren't going to complain about complex passwords if their expectations are properly set, their password requirements are reasonable, and security and privacy are part of the organization's culture (i.e., "This is how we do it here, no exceptions.").
- Many users want to do what's right, but no one has ever told them how to form a strong password that's simple to remember yet practically impossible to crack. You can't blame the users, as they're going to take the path of least resistance any chance they get. Management and IT have to set them up for success and help them help themselves.
- Using the same password for every system is dangerous. Weak passwords in Windows can lead to Outlook Web Access exploitation, FTP compromise, Blackberry abuse and other security issues. Develop a system that allows for the same basic password while also including a unique identifier based on the type and criticality of the system you're accessing.
- Password requirements can't exist as vaporware: They need to be documented and that documentation needs to be consistently maintained. Even though it seems that every organization has a password policy, nine times out of 10 they are outdated and don't include all information systems within their scope.
- Two or three sentences on how passwords are to be used don't equate to an effective policy. Password policy documents that work are very clear in their scope and intent, as shown in this sample security policy template. Everyone is given a copy, so there's no gray area.
- It's one thing to require strong passwords, but it's quite another to confidently say that everything is secure. Confirm your systems' inaccessibility by performing in-depth vulnerability assessments on a periodic basis that check all of your key systems. Using good tools, such as QualysGuard and GFI LANguard, combined with manual ethical hacking techniques is the only way to know for sure.
- Forcing ridiculous password requirements such as 30-day change cycles can be as bad as not requiring passwords at all. These are overrated and overused, and they typically get in the way of doing business. Formulate a realistic set of requirements that everyone can live with.
Blank, default, weak or otherwise inefficient passwords are still one of the most common security problems. And in the era of cloud computing we're entering, where information security controls have to be adapted on the fly, it won't get any easier. Don't fall into these traps and let something so simple bite you and your business hard.
If you focus on doing passwords the right way -- anywhere and everywhere, not just in Windows -- you can rest assured that any security issues that do surface aren't going to be on your watch.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go.