The importance of an effective password policy

Security is important, but it's easy to overlook the little things--like having effective passwords.

The need for an effective password policy is so obvious that I have to admit I almost feel strange writing an article on the subject. In fact, I could sum up the need for one in a single sentence: you need an effective password policy to prevent passwords from being guessed or cracked. Even so, some organizations still do not take password security seriously. In this article, I will explain why an effective password policy is important even in small companies with minimal security requirements.

I once did a consulting job for a small company with a rather amusing password policy. The IT staff required the users to use passwords, but placed no further restrictions on those passwords. There was no minimum password length or complexity requirement, and the passwords never expired. I didn't want to step on toes, but I just had to ask the guy in charge about the lack of password security. His response was that password security didn't really matter because the users didn't have rights to squat.

At the time, I let the issue drop because I wasn't there to work on security issues. However, I want to take the opportunity now to explain why having an almost nonexistent password policy is a bad idea, even when the users have minimal rights.

The first reason password security is important is that the users do have rights to something. Think about it for a minute: the users wouldn't even have accounts if they didn't need access to something, and whatever resource they can reach needs to be protected.

To see why this matters, let's look at the simplest business model I can think of: a small mail order business. In a business like this, orders come in through the Web, by phone, or by fax, and your users are responsible for entering each order into the system so that it can be shipped out.

If a user only does order entry, a strong password might not seem that important for them. However, imagine what would happen if that user's password fell into the wrong hands. A cyber-vandal could enter a batch of bogus orders just to throw off your inventory or, worse yet, delete your entire customer database or post it on the Internet. A competitor could walk away with your customer list. A thief could place bogus orders in an effort to steal inventory, or steal your customers' credit card numbers. The point is that this seemingly innocent account could be used for many different malicious purposes.

Just for the sake of argument, though, let's assume that you have locked down your order entry system to minimize the damage a single user can do. Even then, it is still important to have a good password policy in place, because a hacker can (and often does) use a compromised account as a stepping stone toward taking control of other systems.

I don't want to turn this article into a crash course on hacking, but let's pretend for a moment that our fictitious company requires passwords but has no other requirements regarding them. If a hacker were to crack or guess the password for an account, even an "unimportant" one, they would realize that the organization's password policy is a joke. They would then likely start cracking the passwords for other accounts, and the same wordlist and guessing rules that broke the first password will break many of the others. Even if no single account has the power to do any real damage, the collective use of multiple accounts could be devastating.
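To make the two ideas above concrete (the policy elements the consulting client lacked, and the way one weak password leads an attacker to the rest), here is an added example that is not part of the original article. It is a small Python script with a policy check (minimum length, character classes, common-password and username checks) and a dictionary attack that tries each guess against every account at once. The thresholds, the six-word common-password list, the account table, and the unsalted SHA-256 hashing are all constructed for illustration; a real deployment would use a breached-password list of millions of entries and a salted, slow password hash.

```python
"""Password policy check and a dictionary attack against weak passwords.

Added example, not code from the original article. The policy thresholds,
the common-password list and the account table are constructed for illustration.
"""
import hashlib
import re
import string

# Assumed policy: thresholds chosen for this example, not quoted from the article.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

# Constructed stand-in for a breached-password list (real lists hold millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}


def character_classes(password):
    """Count how many of lower, upper, digit and symbol appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(1 for check in checks if any(check(c) for c in password))


def check_policy(password, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    # "Summer2024" and "password1" are still dictionary words: compare case-insensitively
    # and with trailing digits stripped.
    lowered = password.lower()
    stem = re.sub(r"\d+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed account table for the fictitious mail order company. Unsalted SHA-256 keeps
# the example short; a salt stops precomputed tables and cross-account matching, but does
# nothing against guessing a weak password directly, which is the point being shown here.
ACCOUNTS = {
    "order_entry1": sha256_hex("summer"),
    "order_entry2": sha256_hex("Password1"),
    "shipping": sha256_hex("letmein123"),
    "manager": sha256_hex("Mail0rder-Fax!Zebra"),
}


def candidate_guesses(wordlist, max_suffix=1000):
    """Yield each word with the mangling rules attackers try first:
    case variants, a trailing '!' and up to three trailing digits."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            yield base + "!"
            for n in range(max_suffix):
                yield base + str(n)


def dictionary_attack(accounts, wordlist):
    """Try every guess against every account at once; return {user: password} for each
    account whose hash matched. Hashing a guess once and looking it up in a hash->users
    index is why a weak policy exposes all the accounts, not just the first one found."""
    by_hash = {}
    for user, digest in accounts.items():
        by_hash.setdefault(digest, []).append(user)
    recovered = {}
    for guess in candidate_guesses(wordlist):
        for user in by_hash.get(sha256_hex(guess), []):
            recovered[user] = guess
        if len(recovered) == len(accounts):
            break
    return recovered


if __name__ == "__main__":
    cracked = dictionary_attack(ACCOUNTS, sorted(COMMON_PASSWORDS))
    for user in ACCOUNTS:
        if user in cracked:
            print(f"{user}: cracked, password {cracked[user]!r}, "
                  f"policy violations: {check_policy(cracked[user], user)}")
        else:
            print(f"{user}: not recovered with this wordlist")
```

Running it recovers the three order-entry and shipping passwords in a few thousand guesses, and every one of them also fails the policy check, while the manager's password survives both. The check and the attack are two sides of the same wordlist: the rules a policy rejects are exactly the ones an attacker tries first.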

One last reason a good password policy is important, even in a small organization, is that if someone logs in with an account that doesn't belong to them, it can cause all kinds of problems for the user whose account was compromised. For example, if a hacker compromised a user's account and used it to launch an attack against other parts of the system, your network's built-in auditing mechanisms would record the attack under the name of the account's legitimate owner, falsely implicating that user.

Let's go back to my earlier example of the fictitious mail order company for a minute. Suppose a hacker logged in as a user who is normally responsible for order entry and started tampering with the order entry system. If orders are deleted, the user whose account was compromised could be cheated out of the commission on those orders, never mind the upset customers whose orders you "lost."

As you can see, having an effective password policy is of critical importance, even in small companies. In this article, I have given you several examples of the damage that can be caused if even a seemingly unimportant user account is compromised.

You can quickly implement a password policy in your organization by downloading TechRepublic's Password Policy. Included you'll find a risk assessment spreadsheet that will help you determine the importance of a password policy to your organization's security along with a basic policy that you can use and modify. You can purchase it from the TechRepublic Catalog or download it for free as part of your TechRepublic Pro membership.