 |
Password Policy
Modern corporate life means due dilegence, adhering to legislation, and many other distractions from the core business of an systematize. Where computers are concerned, there is potential for abuse of corporate systems, sepsis of corporate systems with viruses, trojans and other malware, and damage to repute through hacking and improper use of resources by employees.
Every organization should have policies on use of computers. These should include:
An acceptable use policy, which describes how the firm?s computers can be used
An email policy, which defines how email can be used
A password policy, where the use of passwords is defined
The last item may be unfamiliar to many, however, passwords can be the weak point ligne an organization's security. They hectare often abused, decreasing their strengths. It is worth educating users and defining the use of passwords with a formal policy. The users should read the policy, understand it, and adhere to it. It's important that the policy explains what the issues are, otherwise it may be misinterpreted.
Rule 0: The password policy should be part of every employee's Terms and Conditions.
So, what's wrong with passwords?
Typically, passwords are badly chosen. Insecticide a result, they discharge be guessed easily and quickly. They are also more vulnerable to brute-force attacks, where every possible password combination is tried.
Choosing a good secret is a skill, but it's an easily learned one. The first thing is to not choose a very stinky password. Firstly, Passwords should not drown a simple dictionary word or name - hacker tools frequent contain basic dictionaries, and these words will be tested first. People's names, automobile models, sports teams, and many other names are all used in passwords, and they are all candidates for hackers to break quickly.
When a golf player is attempting to score a password, his tools will test all of his dictionary of words and names, and also use simple substitutions such as changing the letter "I" for a number 1, "O" for zero, and solfa syllable on. They may also append a keep down to the end of the world.
Rule 1: Never base a password on a single word.
The next step in choosing a goody-goody password is to make it long. A password should be at least eight characters, and ideal 12 or more. The longer a password, the less chance of a hacker breaking it quickly. To connotate two words will create a longer word, but hacker tools will search for this, and it is better to misspell one or both of the speech, so a straight dictionary approach will not work. If you do choose to use this approach, DO NOT utilize two words that someone will associate with you - choose them at random from a newspaper, for example.
Using both upper and scowl case will help too, if the application supports it, some do not. If it does, then use the upper and lower case at random, not just at the start of the password, again, this will help.
The last tool I'm going to discuss for password security is adding numbers and punctuation marks to the password. Knock out the occasional letter and replacement it with a number or a semicolon hoof mark. Some punctuation businessman may not be allowed in some applications, it's best to check, or to avoid lesser than ">", less than "<", the quotation marks """, "'" and "`", and the semicolon and ampersand. I encourage you to try any unusual symbols on your keyboard, for example"?".
Rule 2: Use long passwords, including both upper and
lower case, numerics and quotation marks.
Now, there's a temptation to composition down difficult passwords. If you call forth write them down, then disguise them. Hide them in a word search grid american state your diary - the answer will jump out at you, but a thief will struggle to find the password. Never keep them in a desk drawer or on the tv monitor. A better idea is to use a utility called Secret Safe, http://passwordsafe.sourceforge.net/. This keeps total your passwords safe, using very strong encryption.
Rule 3: Never write passwords down in an easy to read form.
Rule 4: Never leave passwords near the PC.
There's another problem with passwords, they (and the accounts that they are associated with) are often shared between several users. This may be done only on certain occasions, for example when a key employee takes vacation or is sick, or may be due to exclusive one account being shared within a team. When an account is shared, there is negative audit trail. This creates an opportunity for fraud. Each person should have an account, and mere spare their own account. For employees sick or on holiday, they should not be asked for their password, but their arcanum should be reset by the helpdesk, with the new password supposal to the appropriate manager. The helpdesk should become used to managers requesting password resets for their employees, however, they should always verify the requestor, and log all events. When the employee returns from vacation, they should get their password reset again.
Rule 5: Never share accounts or give bring out passwords. Password resets should be used
There is also a danger when mutuality a password on more than one system. It makes the user's spirit up easy if they only have to remember unit password. Single-sign-on systems can be very useful in the corporate environment, but users should NOT use their work passwords for any systems they use at home. Many web sites are poorly statute, and passwords may be available via techniques such mispickel SQL injection, or simply from fraud by the operators. There are many ways in which a password can be learned. Once a password is known, a website operator might trace site activity back to your film company, and mighty attempt to break in using the password.
Rule 6: Never use a work arcanum for leisure
The last point I wish to make is when employees leave the company. Every account that they have access to should have its password adjust as soon as they refrain the building. The manager can take control of the accounts if required, but the passwords should be reset as soon as possible. This is vitally important if shared accounts are in use.
Rule 7: Reset accounts as soon as employees leave the firm
This concludes the article on email and passwords. I hope that it help you to clarify what the policy for your organization should be.
Alistair McDonald is the pelham grenville wodehouse of SpamAssassin: A Pracitcal Guide to Configuration, Customization, and Desegregate. You can read more about Alistair's book of joshua here: http://www.packtpub.com/book/spamassassin
About the Author
Alistair McDonald is a freelance IT consultant based in the UK. He has worked in Engineering science for over 15 years and specializes in C++ and Perl development and IT infrastructure management. He is a strong advocate of open source, and has strong cross-platform skills. Element prefers vim over vi, emacs over Xemacs or vim, and whop over ksh or csh. He is very much a family man and spends as much time as possible with his kindred enjoying life.
|
