GREAT
Connections
SPRING 2017
7
Password
Policy
is Critical
to Security
Common employee lapses
leave businesses vulnerable
A
nswer this question: Do any of the employees at your
business write down or electronically record their com-
puter passwords? This is the equivalent of leaving the
key under the mat and creates significant security risks for busi-
nesses. Hackers are a clever bunch and will stop at nothing to get
into your network for its resources and data.
Common methods used by hackers are brute force, dictionary
attacks and social engineering. Brute force is the most time-
consuming method and involves a program that tries every
combination of letters, numbers and keyboard characters to
guess your password. Dictionary attacks use custom dictionar-
ies filled with words and names, as well as number and letter
combinations such as “11111” and “abc123.” Social engineering
is the most effective tactic. It refers to the practice of soliciting a
password directly from a user. For example, a hacker posing as
someone from your company's Internet service provider could
call in and get an unsuspecting employee's password by “testing
the service.” If the hacker sounds authoritative and legitimate
enough, your whole network could be compromised.
A comprehensive password policy is your first line of defense
against these attacks. To be most valuable, such a policy should
include these elements:
Safe Storage
Plan for the unexpected, such as a sudden or unplanned transi-
tion within your network administration staff. Consider keeping
a copy of all critical passwords in your company’s safe.
Education of Employees
Employees don’t always realize the importance of creating and
safeguarding passwords. Instruct your users to never write down
passwords and leave them in work areas. Remind them to be partic-
ularly careful when entering passwords while strangers are nearby.
Creation of Strong Passwords
Mandate that passwords require certain combinations of letters,
numbers, non-alphanumeric characters and case sensitivity. Your
policy could also dictate that passwords may not contain personal
data (address or date of birth), dictionary terms, organizational
terms and user-related words (name or username). Each character
added to a password increases the protection; it should be at least
eight characters in length but 14 or more characters is better.
Regular Changing of Passwords
Get all operating systems, client-server applications and other
resources set to make users change their passwords on a periodic
basis such as every 30 to 90 days.
Response to Invalid Login Attempts
Using operating system software, specify the number of times an
account can attempt to authenticate before being locked out.
Enforcement Through Software
It's not enough to simply create a policy and expect users to stick
to it consistently. Password requirements need to be enforced by
the software that employees utilize throughout a network.