The need for an effective password policy is so obvious
that I have to admit that I almost feel strange even writing an article on the
subject. In fact, I could easily sum up the need for an effective password
policy in a single sentence. You need an effective password policy to prevent
passwords from being guessed or cracked. Even so, there are some organizations
that do not take password security seriously. In this article, I will explain
why an effective password policy is important even in small companies with
minimal security requirements.
I once did a consulting job for a small company with a
rather amusing password policy. The IT staff required the users to use
passwords, but placed no further restrictions on those passwords. There was no
minimal password length or complexity requirement, and the passwords would
never expire. I didn’t want to step on toes, but I just had to ask the guy in
charge about the lack of password security. His response was that password
security didn’t really matter because the users didn’t have rights to squat.
At the time, I let the issue drop because I wasn’t there to
work on security issues. However, I want to take the opportunity now to explain
why having an almost non-existent password policy is a bad idea, even when the
users have minimal rights.
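As an added illustration (not code from the original article), here is what the three controls the company lacked, a minimum length, a complexity requirement and an expiry, look like when they are actually enforced; the thresholds and the small denylist of guessable passwords are assumed values chosen for the example, not figures from the article:

```python
"""Password-policy check: minimum length, character-class complexity,
a denylist of guessable passwords, and a maximum password age.
Thresholds below are assumptions for illustration, not article values."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import string

# Assumed thresholds; an organization would set its own.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3      # out of: lowercase, uppercase, digits, symbols
MAX_AGE = timedelta(days=90)   # passwords older than this must be rotated
# Constructed denylist of trivially guessable choices; a real deployment
# would use a far larger list (e.g. known-breached passwords).
DENYLIST = {"password", "password1", "letmein", "welcome", "qwerty"}


@dataclass
class PolicyResult:
    ok: bool
    violations: List[str] = field(default_factory=list)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


def check_password(password: str, last_changed: date,
                   today: Optional[date] = None) -> PolicyResult:
    """Return every rule the password breaks; an empty list means compliant."""
    today = today or date.today()
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        violations.append(
            f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in DENYLIST:
        violations.append("appears on the denylist of guessable passwords")
    if today - last_changed > MAX_AGE:
        violations.append(f"older than {MAX_AGE.days} days and must be rotated")
    return PolicyResult(ok=not violations, violations=violations)


if __name__ == "__main__":
    # Constructed sample: a weak password set yesterday under the old "no rules" policy.
    result = check_password("password", date(2000, 1, 1), today=date(2000, 1, 2))
    print(result.ok, result.violations)
```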
The first reason password security is important is
that the users do have rights to something. Think about it for a minute. The
users wouldn’t even have accounts if they didn’t need access to something.
Whatever resource the users have access to, it needs to be protected.
To see why this is so important, let’s look at the simplest
business model that I can think of, a small mail order business. In a business
like this, the orders would come in either through the Web or by phone or fax.
Your users would be responsible for entering the order into the system so that
the customer’s order can be shipped out.
If a user is only doing order entry, it might not seem that
important for them to have a strong password. However, imagine what would
happen if the user’s password fell into the wrong hands. If the password fell
into the hands of a cyber-vandal, a bunch of bogus orders might be entered just
to mess up your inventory. Worse yet, your entire customer database might be
deleted, or posted onto the Internet. If your competitors got their hands on
the user’s password, they might steal your customer list. If a thief were to
get their hands on a user’s password, they could place bogus orders in an
effort to steal inventory. Likewise, the thief could potentially steal your
customers’ credit card numbers. The point is that this seemingly innocent
account could be used for many different malicious purposes.
Just for the sake of argument though, let’s assume that you
have locked down your order entry system in an effort to minimize the damage
that a single user can do. Even in a situation like that, it is still important
to have a good password policy in place because a hacker can (and often
does) use a compromised account as a stepping stone toward taking control of
I don’t want to turn this article into a crash course on
hacking, but let’s pretend for a moment that our fictitious company requires
passwords, but has no other requirements regarding them. If a hacker were to
crack or guess the password for an account, even an “unimportant”
account, they would realize that the organization’s password policy is a joke.
They would then likely begin cracking the passwords associated with other
accounts. Even if no single account has the power to do any real damage, the
collective use of multiple accounts could be devastating.
One last reason why a good password policy is important,
even in a small organization, is that if someone were to log in with an account
that doesn’t belong to them, it can cause all kinds of problems for the user
whose account was compromised. For example, if a hacker compromised a user’s
account and used that account to launch an attack against other parts of the
system, then your network’s built-in auditing mechanisms will attribute the
attack to the legitimate owner of the account rather than to the hacker.
Let’s go back to my earlier example of the fictitious mail
order company for a minute. Suppose that a hacker logged in as a user who is
normally responsible for order entry and started messing around with the order
entry system. If orders are deleted, the user whose account was compromised
could potentially be cheated out of commission related to deleted orders. Never
mind the fact that you will have some upset customers if you “lose”
As you can see, having an effective password policy is of
critical importance, even in small companies. In this article, I have given you
several examples of the damage that can be caused if even a seemingly unimportant
user account is compromised.
You can quickly implement a password policy in your organization by
downloading TechRepublic’s Password Policy. Included you’ll find a risk
assessment spreadsheet that will help you determine the importance of a
password policy to your organization’s security along with a basic
policy that you can use and modify. You can purchase it from the
TechRepublic Catalog or download it for free as part of your
TechRepublic Pro membership.