Implementing a Secure Password Policy
By Stephen Bucaro
I don't need to tell you the importance of good network security - but I will. If your network is compromised, competitors could learn where your company gets its resources, steal your company's research, learn your company's marketing plans, and obtain other sensitive information that could destroy your company's competitive advantage. The loss of competitive advantage could require your company to reduce its labor force - in other words, you could lose your job.
If your company's network is compromised, identity thieves could use your company's customers' credit card numbers and social security numbers to steal their identities and destroy their lives. And it's not only your company's customers who are going to suffer. When the source of the security breach is traced to your company, the result will be a negligence lawsuit. And after you get a reputation for being incompetent in the area of network security, try to get a network administrator job at another company.
Having a secure password policy is the front line of network security. What good is a firewall and anti-virus protection if hackers can easily log on and have their way with your network? A secure password policy requires the following steps:
- Require users to create secure passwords
- Configure your system for password security
- Disable default administrator accounts
- Create a written password security policy
- Continuously communicate the password policy
How a Password Cracking Program Works
Hackers trying to break into your company's network will use a "password cracking" program. The program runs continuously on one or more computers. At predefined intervals it attempts to log on to your company's network using the next username and password in sequence in its dictionary. After a predefined number of failed attempts, it will wait for a predefined interval before making another attempt.
A password cracking program is not so aggressive that its activities are easily detectable. You'll never know about the hacker's activities unless you carefully analyze your server logs. A hacker will continue to run the password cracking program for years. They have lots of patience because, after all, they are just sitting watching TV while the password cracking program tries to break into your company's network. And when it finally breaks into your system, the hacker can sell your company's customers' personal information for hundreds of thousands of dollars.
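The article's point is that this slow, steady guessing only shows up if you actually analyze the server logs. The following is an added example, not part of the original article, showing the kind of analysis an administrator can run over logon records: it groups failed logons by source address and flags sources that fail against many different usernames over a long span, which is the pattern described above. The log format, the sample lines, the addresses and usernames, and the thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real log output): date, time,
# result, user, source address. One patient guesser at 198.51.100.7 tries a
# different dictionary name every 30 minutes; one real user at 10.0.0.15
# mistypes a password twice and then gets in.
SAMPLE_LOG = """\
2005-03-01 02:14:07 FAILED_LOGON user=aaron src=198.51.100.7
2005-03-01 02:44:09 FAILED_LOGON user=abbey src=198.51.100.7
2005-03-01 03:14:11 FAILED_LOGON user=abbot src=198.51.100.7
2005-03-01 03:44:13 FAILED_LOGON user=abel src=198.51.100.7
2005-03-01 04:14:15 FAILED_LOGON user=abigail src=198.51.100.7
2005-03-01 08:01:22 FAILED_LOGON user=jsmith src=10.0.0.15
2005-03-01 08:01:40 FAILED_LOGON user=jsmith src=10.0.0.15
2005-03-01 08:02:03 SUCCESS_LOGON user=jsmith src=10.0.0.15
2005-03-01 04:44:17 FAILED_LOGON user=abner src=198.51.100.7
"""


def parse_line(line):
    """Split one record into (timestamp, result, user, source)."""
    date, time, result, user_kv, src_kv = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def analyze(log_text, min_failures=5, min_distinct_users=3,
            min_span=timedelta(hours=1)):
    """Return {source: summary} for sources whose failed logons look like a
    dictionary run: many failures, spread over many usernames, over a long
    period. Thresholds are assumptions chosen for this example."""
    failures = defaultdict(list)  # source -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result == "FAILED_LOGON":
            failures[src].append((ts, user))

    suspects = {}
    for src, events in failures.items():
        events.sort()  # records may arrive out of order
        users = {u for _, u in events}
        span = events[-1][0] - events[0][0]
        if (len(events) >= min_failures
                and len(users) >= min_distinct_users
                and span >= min_span):
            # A steady gap between attempts is the "predefined interval"
            # the article describes; a human does not retry on a schedule.
            gaps = [(b[0] - a[0]).total_seconds()
                    for a, b in zip(events, events[1:])]
            suspects[src] = {
                "failures": len(events),
                "distinct_users": len(users),
                "span_hours": round(span.total_seconds() / 3600, 2),
                "avg_gap_minutes": round(sum(gaps) / len(gaps) / 60, 1),
            }
    return suspects


if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_LOG).items():
        print(src, summary)
```

The legitimate user's two quick failures against a single account never reach the thresholds, while the guesser's six failures across six names over two and a half hours do. Raising `min_span` to days makes the check match the article's "runs for years" scenario; the same grouping works on any log you can reduce to (time, result, user, source).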
Require Users to Create Secure Passwords
Your job, as network administrator, is to force users to create passwords that are very time consuming for the password cracking program to discover. In order to do this, users must create passwords that are not at the beginning of the password cracking program's dictionary. If one of your users thinks it's cute to use the name of their pet as a password, I can assure you that the word "scooter" is very close to the beginning of the cracker's dictionary. Your network's security might not last the week.
Require your users to create passwords that comply with the following rules:
- Don't use a person's name, pet's name, street name, or the name of an activity, event, place or thing
- Don't use any word that would be in the dictionary
- Make the password long; the longer the better (some systems have a maximum password length)
- Use a combination of letters and numbers
- Use special characters, like underscore or exclamation mark (if your system allows special characters)
- Use a combination of uppercase and lowercase letters (if your system's passwords are case sensitive)
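An added example, not from the article, of how those rules can be enforced at the point where a user chooses a password. The tiny word and name lists stand in for a cracker's dictionary and are constructed here; the 12-character minimum and the two system flags are assumptions, since the article only says "the longer the better" and notes that some systems lack special characters or case sensitivity.

```python
import re

# Constructed stand-ins for a cracking dictionary and a list of names.
# A real deployment would load a large wordlist instead.
COMMON_WORDS = {"password", "scooter", "letmein", "welcome", "qwerty",
                "summer", "fluffy"}
NAMES = {"stephen", "john", "mary", "scooter", "rover", "main"}


def check_password(pw, min_length=12, allow_special=True, case_sensitive=True):
    """Return a list of rule violations; an empty list means the password
    complies with every rule in the article's list."""
    problems = []
    lowered = pw.lower()
    # Strip digits and symbols so "Scooter1!" is still recognised as "scooter".
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in COMMON_WORDS or lowered in NAMES:
        problems.append("is a dictionary word or a name")
    elif letters_only and (letters_only in COMMON_WORDS or letters_only in NAMES):
        problems.append("is a dictionary word or a name with digits/symbols added")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs both letters and numbers")
    if allow_special and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")
    if case_sensitive and not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both uppercase and lowercase letters")
    return problems


if __name__ == "__main__":
    for candidate in ("scooter", "Scooter1!", "Tr4v3l_B4ck_p4ck!"):
        print(repr(candidate), check_password(candidate) or "OK")
```

Set `allow_special=False` or `case_sensitive=False` for a system that cannot honour those rules; the remaining checks still apply. The pet-name example from the article fails five of the six rules at once.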
Configure Your System for Password Security
A hacker's password cracking program can be thwarted by the following system configurations:
- Lock out a user's account after a certain number of failed logon attempts. Sure, a user might arrive in the morning with a hangover and screw up their password two or three times, but more failed attempts than that is probably the result of a hacker. Configure the system to lock out a user's account after an unreasonable number of failed logon attempts.
- Configure the time interval of the failed logon attempts lockout. If users understand that after they mistype their password x number of times, they need to wait 30 minutes before making another logon attempt, they shouldn't be too annoyed. The longer the lockout interval, the more it thwarts hackers. Unfortunately, long lockout periods can occasionally be a problem for a legitimate user.
- Configure your system to expire passwords periodically. Imagine a password cracking program that has attempted millions of passwords from its dictionary and is getting closer every day to the actual password - and then the password changes. The more frequently passwords change, the more secure the system is. Configure your system to expire passwords every 60 days or more frequently.
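The three settings above interact: the lockout threshold, the lockout interval, and the password age all have to be tracked per account. The following added example (not the article's code, and not any particular operating system's implementation) models those settings so you can see how they behave for the hungover user versus a guessing program. The threshold of 3 failures counted within a 15-minute window is an assumption; the 30-minute lockout and 60-day expiry are the figures the article gives.

```python
from datetime import datetime, timedelta


class LockoutPolicy:
    """Per-account failed-logon tracking with lockout and password expiry.
    Defaults: lock after 3 failures within 15 minutes, lock for 30 minutes,
    expire passwords after 60 days (3 and 15 are assumptions for this example)."""

    def __init__(self, max_failures=3, lockout=timedelta(minutes=30),
                 failure_window=timedelta(minutes=15),
                 max_password_age=timedelta(days=60)):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failure_window = failure_window
        self.max_password_age = max_password_age
        self.failures = {}      # user -> list of recent failure timestamps
        self.locked_until = {}  # user -> datetime the lock expires
        self.password_set = {}  # user -> datetime the password was last changed

    def set_password(self, user, when):
        """Record a password change; this also clears any lock and counter."""
        self.password_set[user] = when
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def password_expired(self, user, now):
        set_at = self.password_set.get(user)
        return set_at is None or now - set_at > self.max_password_age

    def attempt(self, user, password_correct, now):
        """Process one logon attempt and return its outcome:
        'locked', 'expired', 'ok', 'failed' or 'locked_out'."""
        if self.is_locked(user, now):
            # While locked, even the right password is not accepted, which is
            # what makes the lock useful against a program that keeps guessing.
            return "locked"
        if password_correct:
            if self.password_expired(user, now):
                return "expired"  # right password, but it must be changed first
            self.failures.pop(user, None)
            return "ok"
        # Count only failures inside the window, so yesterday's typo does not
        # combine with today's.
        recent = [t for t in self.failures.get(user, [])
                  if now - t <= self.failure_window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures.pop(user, None)
            return "locked_out"
        return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy()
    t0 = datetime(2005, 3, 1, 8, 0, 0)  # constructed timestamp
    policy.set_password("jsmith", t0 - timedelta(days=10))
    for offset, ok in [(0, False), (20, False), (40, False), (300, True), (1860, True)]:
        print(offset, policy.attempt("jsmith", ok, t0 + timedelta(seconds=offset)))
```

Two mistyped passwords followed by the right one still return "ok"; a third failure within the window locks the account for 30 minutes, during which even the correct password is refused. A shorter `lockout` is friendlier to the hungover user and weaker against the program; a longer one is the reverse, exactly the trade-off the article describes.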
Disable Default Administrator Accounts
Upon installation, many operating systems and software applications have default accounts. Everybody knows the default administrator user name for a Windows server is "Administrator". Everybody knows the default administrator user name for SQL Server is "sa" and that, by default, this user name requires no password. Perform an audit of all the software and hardware (routers, switches, etc.) on your network to make sure they are not using a default account.
Create a Written Password Security Policy
Put your password security policy in writing. In addition to the items already discussed in this article, put the following rules in your written security policy:
- Don't reveal your password to ANYONE - not a fellow employee (who may quit or get fired and then use your password) - not a service technician (A hacker might call pretending to be a technical support person who needs a password to troubleshoot a problem). If a legitimate technical support person needs your password, change your password immediately afterward. Many security breaches occur when a user purposely reveals their password.
- Don't let anyone look over your shoulder while you log on, and in return don't look over anyone else's shoulder while they log on.
- Don't leave your computer unattended while logged on. Log off, go for coffee, log on.
- Don't leave paper or digital media containing sensitive data lying around. You can't be sure that outside visitors won't enter your area. You can't be sure that a fellow employee isn't out to cause damage to your company.
- Don't discard paper or digital media in public waste containers. "Dumpster diving" is a common way for thieves to acquire sensitive information.
Continuously Communicate the Password Policy
Many users hate password policies. They prefer to create a password that is cute and memorable, and never change it. They prefer to be friendly and cooperative with fellow employees and outsiders and share their passwords. They don't understand the value of the company's information and don't like to take the time to be vigilant about not leaving it lying around, or disposing of it properly.
As network administrator, it's your responsibility to continuously communicate and promote the password security policy. Use the company newsletter and meetings to reiterate the password security policy. Also communicate WHY the password security policy is necessary. WHY do employees need to comply with the company's password policy? What will be the inevitable result of failure to comply with the policy? Employees will demonstrate much better conformance to any rules if they understand WHY the rules are necessary.
Copyright (C) 2005 Bucaro TecHelp.