Strong passwords are a great start toward protecting clients' data, but clients need policies that clearly state user responsibility for protecting passwords and connections. Here are tips on what clients should include in their password policies.
Passwords are the lock and key to your clients' data. While strong passwords are important, clients need to take security a step further and have a solid policy in place on password usage and protection.
Use these tips to help clients write and adopt a policy that protects their data and their users by protecting their passwords.
Some rules regarding passwords seem obvious, but don't take anything for granted. All password policies should state the following in some form:
- Users should never share passwords with anyone else by speaking, writing, e-mailing, hinting at, or blatantly supplying any password. In some cases, this might even apply to sharing a password with in-house personnel such as a coworker, a direct supervisor, or even a head honcho. Help clients decide how strictly they want to enforce this rule in-house.
- Users should never share passwords with other users who need to access your accounts in your absence. If users need access to your data, they should arrange with their in-house administrator or you to create a temporary account with the appropriate permissions.
- Users should never write down their passwords and leave them visible or easily accessible. That includes taping the list to the back of a monitor or the bottom of a keyboard or thumbtacking it onto a bulletin board. Also, don't leave a list of passwords in an unlocked desk drawer or file cabinet.
Passwords slow down a would-be data thief, whether they're internal or external, but systems also need to react appropriately to a possible invasion. Help clients adopt the following policies, as appropriate:
- A good guess at a password can get an intruder into your system quicker than you might think. Limit the number of times users can attempt to log on. You can help clients determine the right number (it's usually between three and five). Once the user reaches the log on limit, the system should automatically lock out the user for several minutes. The user can try again later or contact their in-house administrator (or you) to release the account.
- Users should not use the following pieces of data when creating passwords (if the client's system allows users to create their own passwords):
- Any part of their name or their account name; any part of any family members' names; any part of a pet's name; any part of the company's name; any part of your name or your consultancy's name. In short, no names, period.
- Any part of their social security number; any part of anyone's social security number.
- Any part of their birth date; any part of anyone's birth date.
- Any portion or their address; any portion of the company's address; any portion of your address.
- No nicknames- No slogans, logo text, company jingles, and so on
An active connection requires no password — the user has already gone through the process of entering their password to gain access. Anything that user can access is vulnerable if they leave their system unattended. For that reason, it's imperative that users log off the network when they're done working or even if they leave their workstation for a few minutes. Here are possible logging out rules clients may want to enforce in a policy:
- Users should never leave an active connection unattended.
- Users should log off their network account when done working for the day.
- Users who store confidential data locally should never leave their systems unattended, even if their confidential files are password protected. You can help users by enabling a password-protected screen saver on their systems.
- Users who store confidential data locally should log off their PCs when done working.
- Users who store confidential data locally should password protect their systems.
Passwords are the first line of defense in protecting data, but strong passwords aren't enough. Users must carefully guard their passwords and connections. Clients should apply these policies to all access, not just general user access. For instance, administrators and technicians should be subject to the same rules as users. In short, anyone with access to any part of the system should follow the same general password guidelines.
Additional TechRepublic resources
- TechRepublic Pro: TechRepublic's Password Policy
- Help users create complex passwords that are easy to remember
- Has the time arrived for all holdouts to adopt strong passwords?
- Automatically generate and assign strong passwords in Windows XP
- Select strong passwords that baffle the bad guys: Apply the principle of character diversity
- Presentation: Raise user awareness about password security
- How do I... Generate strong passwords with PHP, PEAR, and PECL?
- Store passwords with pwsafe