are the cornerstone of an organizationís information security.
Comprehensive password policy understood and implemented by all
employees within an organization, may significantly enhance the level
of data protection. To make sure the password policy works well,
password audits should be performed on a periodic basis.
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A sane password policy should provide for a multi-level approach to passwords. For example, USCF Office of Research
(http://www.research.ucsf.edu/IT/ITpoliciesPp.asp) distinguishes all passwords within an organization into system-level, production system-level and user-level passwords. Employees may access accounts of their group only.
passwords should be at least eight alphanumeric characters long and
contain both upper and lower case characters. The passwords should not
be a word in any language, slang, dialect, jargon, or based on personal
information, names of family. Passwords should never be written down or
stored on-line. Ideal passwords are not only hard to guess but also
easily memorized. One way to create such password is make up a song
title, affirmation, or other phrase. For example, the phrase might be:
"This May Be One Way To Remember" and the password could be:
"TmB1w2R!" or "Tmb1W>r~".
account within an organizationís network should have different
passwords. Passwords are not to be shared with anyone, they should be
considered as sensitive, confidential information that belongs to the
Passwords should not be included in an email message, revealed
to co-workers (even while on vacation) or family members. Sometimes
employees put down hints at the format of a password (e.g., "my
family name"), which makes it easy to intercept the password.
Besides, Remember Password feature, which is available in a number of
applications (e.g., Eudora, Outlook, Netscape Messenger), should be
disabled. Employees should never put passwords down or store them in a
file on any computer system (including Palm Pilots or similar devices)
without encryption. Passwords must be changed at least once every six
months, with system-level passwords changed quarterly. The recommended
change interval is every four months.
policy should also provide for technology requirements. Applications as
well as network accounts should support authentication of individual
users, not user groups and provide for some sort of role management,
such that one user can take over the functions of another without
having to know the other's password. Besides, applications should not
store passwords in clear text or in any easily reversible form.
with an organizationís network via remote access should be controlled
using either a one-time password authentication or a public/private key
system with a strong passphrase. A public/private key system defines a
mathematical relationship between the public key that is known by all,
and the private key, that is known only by the user. The passphrase
allows the user to "unlock" the private key and gain access
to an organizationís network. A passphrase is typically composed of
multiple words. It is a longer version of a password and is, therefore,
organizationís IT security consultant should perform ongoing password
and overall security audits on the corporate network. In fact, securing
your passwords and applying all the current technical updates sometimes
turns out to be insufficient, and to make sure everything is locked
down you should perform a thorough security audit at least once a year.
An organizationís security consultant would approach the corporate
network using many of the ďhackerĒ tools and techniques. A thorough
security audit would penetrate your Internet firewall, test the
strength of your passwords, verify the physical security of your data
and backups, scan your whole network for security holes and
vulnerabilities and provide a detailed report of the findings. The goal
of a security audit is to give you recommendations and cost estimates
on what it would take to fix security issues found during the audit and
thus increase the corporate networkís security.
consultant should perform password cracking or guessing on a periodic
or random basis. Password audits are an important component of the
corporate security policy, as there
is never a way to make any password uncrackable, no matter how strong
the password restrictions are. A brute force attack will crack a
password given enough time. Security policy must ensure the time and
number of attempts is limited. Password audit performs a scan of access
controls and user accounts within an organizationís network. If a password is guessed or cracked during this scan, the user must be
required to change it.
policy and audits are a necessary component of an organizationís
overall information security strategy. If implemented correctly,
password policy helps protect sensitive information from vitrually any
type of attack.
Please, let us know what you
think about this article: