business solutions, DECEMBER 2016, page 7
Answer this question: Do any of the employees at your business write down or electronically record their computer passwords? This is the equivalent of leaving the key under the mat, and creates significant security risks for businesses. Hackers are a clever bunch and will stop at nothing to get into your network for its resources and data.

Common methods used by hackers are brute force, dictionary attacks, and social engineering. Brute force is the most time-consuming method, and involves a program that tries every combination of letters, numbers, and keyboard characters to guess your password. Dictionary attacks use custom dictionaries filled with words and names, as well as number and letter combinations such as “11111” and “abc123.” Social engineering is the most effective tactic. It refers to the practice of soliciting a password directly from a user. For example, a hacker posing as someone from your company’s internet service provider could call in and get an unsuspecting employee’s password by “testing the service.” If the hacker sounds authoritative and legitimate enough, your whole network could be compromised.
A comprehensive password policy is your first line of defense against these attacks. To be most valuable, such a policy should include these elements:

Education of Employees
Employees don’t always realize the importance of creating and safeguarding passwords. Instruct your users to never write down passwords and leave them in work areas, and to be particularly careful when entering passwords while strangers are nearby.
Creation of Strong Passwords
Mandate that passwords require certain combinations of letters, numbers, non-alphanumeric characters, and case sensitivity. Your policy could also dictate that passwords may not contain personal data (address or date of birth), dictionary terms, organizational terms, and user-related words (name or username). Remember that each character added to a password increases the protection. It should be 8 or more characters in length; 14 characters or longer is ideal. When a new password is created, find out how strong it is by visiting:
www.microsoft.com/protect/yourself/password/checker.mspx
Regular Changing of Passwords
Get all operating systems, client-server applications, and other resources set to make users change their passwords on a periodic basis such as every 30 to 90 days.

Response to Invalid Login Attempts
Using operating system software, specify the number of times an account can attempt to authenticate before being locked out.
Enforcement Through Software
It’s not enough to simply create a policy and expect users to stick to it consistently. Password requirements need to be enforced by the software that employees utilize throughout a network.
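The following is an added example, not code from the article or from Networks Plus, showing what software enforcement of the rules above can look like: a policy check implementing the "Creation of Strong Passwords" requirements (8-character minimum, 14 ideal, mixed character classes, no dictionary, organizational, user-related or personal terms) and a lockout counter for the "Response to Invalid Login Attempts" element. The word lists, the `max_attempts` and `lockout_seconds` values, and every sample password and username are constructed for illustration; a real deployment would load its own blocked-term list and tune the thresholds.

```python
import re
import time
from dataclasses import dataclass, field

# Constructed sample word lists; a real deployment would load a full
# dictionary and its own organizational terms from a file.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
ORG_TERMS = {"networksplus", "acme"}
COMMON_SEQUENCES = ("11111", "abc123", "123456", "qwerty")

MIN_LENGTH = 8      # article: 8 or more characters
IDEAL_LENGTH = 14   # article: 14 or longer is ideal


def check_password_policy(password, username="", personal_data=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_data holds caller-supplied strings the policy forbids
    (name, address, date of birth) so they can be matched against the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Character-class requirements: upper, lower, digit, non-alphanumeric.
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    # Blocked content: dictionary and organizational terms, common sequences,
    # the username, and personal data. Matching is case-insensitive substring.
    for term in COMMON_WORDS | ORG_TERMS:
        if term in lowered:
            problems.append(f"contains blocked term '{term}'")
    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            problems.append(f"contains common sequence '{seq}'")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for item in personal_data:
        item = str(item).lower()
        if item and item in lowered:
            problems.append("contains personal data")
            break
    return problems


def meets_ideal_length(password):
    """True when the password reaches the article's ideal 14-character length."""
    return len(password) >= IDEAL_LENGTH


@dataclass
class LockoutTracker:
    """Counts failed logins per account and locks the account for
    lockout_seconds once max_attempts failures accumulate (values constructed)."""
    max_attempts: int = 5
    lockout_seconds: int = 900
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(account, 0) > now:
            return True
        if account in self.locked_until:
            # Lockout expired: clear the lock and the failure count.
            del self.locked_until[account]
            self.failures.pop(account, None)
        return False

    def record_failure(self, account, now=None):
        """Record one failed attempt; return True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return True
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_attempts:
            self.locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        """A successful login resets the failure count."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    print(check_password_policy("Welcome123!", username="jsmith"))
    tracker = LockoutTracker(max_attempts=3, lockout_seconds=60)
    for _ in range(3):
        print(tracker.record_failure("jsmith"))
```

The checker returns every violation rather than stopping at the first, so the enforcing application can show the user the full list at password-change time. The lockout tracker takes an explicit `now` so the expiry logic can be exercised without waiting; in production it should be backed by shared storage so that a locked account stays locked across every login endpoint.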
Safe Storage
Plan for the unexpected, such as a sudden or unplanned transition within your network administration staff. Consider keeping a copy of all critical passwords in your company’s safe.
Password Policy is Critical to Security
Common employee lapses leave businesses vulnerable

Visit networksplus.com/services/security to learn about the multiple security solutions we offer.