A comprehensive password policy is the first line of defense in a well-rounded IT security plan. Many organizations even consider password policies to have the same security priority as disaster recovery and Internet defense, and rightfully so. This article will describe how to create a policy and initiate strong password methods. You can also download our sample policy and use it as a template for creating your own.
Password administration is necessary to combat the forces that can compromise your valuable electronic resources. The two main forces are social engineering and brute force. Social engineering occurs when someone becomes familiar enough with a person to guess likely passwords. Brute-force methods attack systems with systematically generated credentials, attempting to guess a valid username and password. Both of these attacks are capable of eventually guessing a valid password, which can then be used to exploit resources and data on a corporate network.
Protecting your resources from these attacks is achievable through developing a solid password policy, diligence, and most importantly, using IT tools to enforce the policy.
Historically, policies of all types have been printed, filed, and policed through internal efforts that yield subpar implementation and effectiveness. To make a password policy effective, organizational support needs to be gained from the top down to add credibility to your efforts. Management needs to realize that the IT password policy is part of the information security strategy and that enforcing it is essential. The most effective enforcement method, however, is to use technology to ensure compliance.
Your password policy needs to state exactly how it is to be implemented and administered. It must outline what systems are affected by the policy, who is responsible for the different aspects of the policy, and how to obtain support for questions or issues as they arise.
Obtaining password policy compliance requires that administrators be diligent on several fronts. Here are some examples of things you can do to keep your password policy effective:
- Run password scans and notify users when a password is too easy and needs to be changed.
- Get all operating systems, client-server applications, and other resources set to make users change their passwords on a periodic basis.
- Examine workspaces for passwords attached to keyboards or monitors.
- Train new employees properly on the password policy—and train current employees when the policy is implemented.
These tasks will add thoroughness and enhance compliance when enforcing a password policy.
Matters of practice
To illustrate the need for careful password handling, I like to refer to a situation everyone has dealt with. Think of your credit card. Then, imagine that you have forgotten your PIN and you want to make a cash advance on your account. Your bank will not disclose your PIN to you over the telephone, nor will it verify the number if you have an idea of what it is. This is because the bank realizes that a malicious user could perform some social engineering to fraudulently use the card for cash advances.
Passwords for IT resources should be handled in a similar manner, and they should be subject to several prohibitions. A password should never be:
- Written, e-mailed, or spoken.
- Shared with other people.
- Hinted at or made easy to guess.
- Used in sync with or duplicated by personal passwords or Web accounts.
- Shared when out of the office.
- Typed in and saved in electronic documents.
IT administrators can determine the complexity of the passwords that are implemented in their systems. When implemented, the factors listed below can all decrease the likelihood of password compromise. Different operating systems, applications, or other resources may have different terms and implementations for these attributes. Many of these password attributes will allow administrators to increase the complexity of a password policy to boost security, but beware of the inconveniences for users that arise as you make the policy more complex.
- Expiration frequency—Set a time frame for how long a password is valid. The more frequently passwords are changed the better, but you’ll usually want to have users change them at least every three months. Getting users familiar with the password change process will streamline this task, so user education is crucial.
- Character length—Set a minimum length for a password. Six-character passwords seem to be the minimum in a secure world, but the more, the better. A good practice is to require that administrative passwords be 10 characters or more.
- Password composition—Mandate that passwords require special combinations of letters, numbers, nonalphanumeric characters, and case sensitivity. These attributes can often be enforced by software. Your written policy can dictate that passwords may not contain personal data (address or date of birth), dictionary terms, organizational terms, and user-related words (name or username).
- Invalid login attempts—Using OS software, specify the number of times an account can attempt to authenticate before being locked out and how long that account is locked out before it can be released by an administrator.
- Password history—Specify whether a password must be unique from passwords used in the past. For example, users might be disallowed from reusing any of their previous 10 passwords.
- Timeout = Logout—Have idle sessions disconnect from network resources after a specified period of inactivity.
- Disable incremental passwords—Prevent users from choosing incremental passwords such as password, password2, password3, etc.
- Supporting efforts—Computer BIOS passwords, file-level passwords, and other supplemental efforts can also help solidify information security, especially on ultrasensitive systems and documents.
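As an added example (not code from the original article), the checker below applies several of the attributes listed above in one place: minimum length by role, composition, forbidden personal and organizational terms, a dictionary check, password history, and the incremental-password rule. The audit routine covers the periodic password scans mentioned earlier. The concrete thresholds, organizational terms, word list, and sample accounts are assumptions constructed for the example.

```python
import re

# Parameter values are assumptions for this example, taken from the figures
# the article mentions (6 chars, 10 for administrators, a 10-password history).
MIN_LEN = {"user": 6, "admin": 10}
HISTORY_DEPTH = 10
ORG_TERMS = {"acme", "helpdesk"}                  # constructed organizational terms
DICTIONARY = {"password", "welcome", "letmein"}  # constructed tiny word list


def stem(pw):
    """Lower-case and drop trailing digits/symbols: 'Password3!' -> 'password'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def check_password(pw, username, history=(), personal=(), role="user"):
    """Return the policy violations for pw; an empty list means it passes.
    history is plaintext here for demonstration; real systems keep salted hashes."""
    problems = []
    if len(pw) < MIN_LEN[role]:
        problems.append(f"shorter than {MIN_LEN[role]} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a non-alphanumeric character")
    low = pw.lower()
    for term in [username.lower(), *(p.lower() for p in personal), *ORG_TERMS]:
        if term and term in low:
            problems.append(f"contains forbidden term '{term}'")
    if stem(pw) in DICTIONARY:
        problems.append("based on a dictionary word")
    recent = list(history)[-HISTORY_DEPTH:]
    if pw in recent:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    elif any(stem(pw) == stem(old) for old in recent):
        problems.append("incremental variant of a previous password")
    return problems


def audit(accounts):
    """Scan {username: (password, history, role)} and return only failing accounts."""
    return {user: problems for user, (pw, hist, role) in accounts.items()
            if (problems := check_password(pw, user, hist, role=role))}


if __name__ == "__main__":
    sample = {"jsmith": ("jsmith2", ["jsmith1"], "user"),   # constructed accounts
              "root": ("Gx7#qLp2!vR", [], "admin")}
    for user, problems in audit(sample).items():
        print(f"{user}: " + "; ".join(problems))
```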
Enforcing your password policy by implementing its parameters on your network operating system is an important step in making passwords more effective. Many network operating systems will allow you to enable password parameters. Let’s take a brief look at enabling strong passwords in Windows 2000 and on the BSD OS family:
- Windows 2000—By default, Windows does not enforce strong password requirements for all passwords. You can enable this feature in Windows 2000 through Group Policy. Once enabled, all new passwords and password changes will be subject to the complexity requirements. This feature of Windows 2000 is explained in Microsoft Knowledge Base Article Q225230, and the complexity requirements themselves are spelled out in an MSDN article.
- BSD OS—In BSD-based UNIX operating systems, you can implement security options for users quite easily. For example, the /etc/login.conf file will allow you to specify a minimum password length (minpasswordlen) and the option to require a mixed-case password (mixpasswordcase) as authentication properties. Consult your system's documentation for details on modifying the /etc/login.conf file.
Whatever NOS you are using, some research about your systems should allow you to make use of their password features. Some systems may not have all of the password capabilities you’d like, but being aware of their abilities is a step in the right direction. Whatever parameters you are lacking will need to be spelled out in your password policy in terms of how they will be implemented and enforced.
When an IT department introduces a stronger password policy, it needs to make sure that the users and the overall business goals remain top priorities. A policy that is too confining can end up encouraging users to write down their passwords in order to remember them, which can defeat the effort altogether.
The amount of preparation and user education that IT puts forth will determine the success of a password policy initiative. The effort is worthless if users become unable to access the resources they need to do their jobs. Proper planning, user training, and an IT staff motivated to get the users familiar with the new password rules will enable users and administrators to operate more securely.