Administrators often have a password security policy in place and diligently work to implement and enforce it, according to the results of a recent NetAdmin survey. However, admins are usually less diligent about using password-cracking tools to audit the strength of their users’ passwords. These survey results provide some interesting insights into the methods that admins use to implement password policies.

Putting a policy in place
When it comes to requiring strong passwords throughout an organization, the first order of business is to implement a password policy. Our poll showed that 83 percent of respondents either have some form of a password policy in place or are currently developing one (Figure A).

Figure A

For information on developing good password security policies, see this article.

Elements of a good policy
We also asked admins about some of the requirements they have established in their password policies to ensure that users create strong passwords. Figure B and Figure C show how many characters admins require users to have in their passwords and whether user passwords must contain special characters.

Figure B

Figure C

Another aspect of a good password policy is requiring users to change their passwords on a regular basis. However, 65 percent of survey respondents either did not require users to change their passwords or required that they change passwords only every three months or longer (Figure D).

Figure D

For an effective technique for creating passwords that are both secure and easy to remember, take a look at this article.

Of course, it’s not enough to simply create a bunch of rules and expect users to implement and stick to them consistently. Password requirements need to be enforced by the software that users utilize throughout a network. The overwhelming majority of respondents to this survey have recognized this need and worked to implement password requirements in at least some of the software on their networks. As you can see in Figure E, only 17 percent of those polled do not enforce password requirements in any of their software authentication mechanisms.

Figure E

Admins have apparently done well at implementing password policies and setting up software to enforce those policies. But they may be coming up short in auditing passwords. As you can see in Figure F, only 22 percent of admins said that they use password-cracking utilities to check the strength of their users’ passwords.

Figure F

These survey results suggest that, overall, admins have recognized that strong passwords are one of the most basic elements of network security. However, many admins need to take measures a step further by regularly auditing user passwords with hacker tools that initiate dictionary attacks and by examining other methods for exploiting weak passwords. Without taking such steps, admins can’t be completely confident that their password security policy is working.