GREAT

Connections

SPRING 2017

7

Password

Policy

is Critical

to Security

Common employee lapses

leave businesses vulnerable

A

nswer this question: Do any of the employees at your

business write down or electronically record their com-

puter passwords? This is the equivalent of leaving the

key under the mat and creates significant security risks for busi-

nesses. Hackers are a clever bunch and will stop at nothing to get

into your network for its resources and data.

Common methods used by hackers are brute force, dictionary

attacks and social engineering. Brute force is the most time-

consuming method and involves a program that tries every

combination of letters, numbers and keyboard characters to

guess your password. Dictionary attacks use custom dictionar-

ies filled with words and names, as well as number and letter

combinations such as “11111” and “abc123.” Social engineering

is the most effective tactic. It refers to the practice of soliciting a

password directly from a user. For example, a hacker posing as

someone from your company's Internet service provider could

call in and get an unsuspecting employee's password by “testing

the service.” If the hacker sounds authoritative and legitimate

enough, your whole network could be compromised.

A comprehensive password policy is your first line of defense

against these attacks. To be most valuable, such a policy should

include these elements:

Safe Storage

Plan for the unexpected, such as a sudden or unplanned transi-

tion within your network administration staff. Consider keeping

a copy of all critical passwords in your company’s safe.

Education of Employees

Employees don’t always realize the importance of creating and

safeguarding passwords. Instruct your users to never write down

passwords and leave them in work areas. Remind them to be partic-

ularly careful when entering passwords while strangers are nearby.

Creation of Strong Passwords

Mandate that passwords require certain combinations of letters,

numbers, non-alphanumeric characters and case sensitivity. Your

policy could also dictate that passwords may not contain personal

data (address or date of birth), dictionary terms, organizational

terms and user-related words (name or username). Each character

added to a password increases the protection; it should be at least

eight characters in length but 14 or more characters is better.

Regular Changing of Passwords

Get all operating systems, client-server applications and other

resources set to make users change their passwords on a periodic

basis such as every 30 to 90 days.

Response to Invalid Login Attempts

Using operating system software, specify the number of times an

account can attempt to authenticate before being locked out.

Enforcement Through Software

It's not enough to simply create a policy and expect users to stick

to it consistently. Password requirements need to be enforced by

the software that employees utilize throughout a network.