March 2008 Issue

The Importance of Enterprise Password Security
By Bill Carey

Every IT professional knows that a secure network requires strong passwords, and that there are some simple rules for creating strong passwords.
  • Don’t use words that are easy to guess
  • Use a combination of numbers, upper- and lowercase letters and symbols
  • Arrange the characters in a way you can remember

    One simple method for creating a strong password is to take a familiar word and convert the letters into numbers and symbols: l becomes 1, o becomes 0, a becomes @, e becomes 3, s becomes $, and so on. Toss in a few uppercase letters and you have a pretty good password.

    So, for example, “startrek” might become $t@rTr3k.

    But every IT professional also knows that if he insists that the users on his network use strong passwords, they're not going to remember them, and he’s going to find them written on yellow sticky notes on the sides of computer monitors, on the insides of desk drawers, or scribbled on the last page of the employee handbook.

    This can be very frustrating, but there’s a very simple reason for it. People have to know too many passwords.

  • network login
  • bank account login
  • login to the company website
  • Hotmail
  • iTunes
  • eBay
  • Amazon
  • YouTube

    ...and on and on it goes.

    Your network users aren't computer professionals. This isn't their thing. The password is simply a means to an end, and they don’t follow the computer geek literature, so they don’t know about the dangers. They also don't have to clean up the mess when somebody gets unauthorized access.

    Because it is difficult for a typical employee to remember more than one secure password, they’ll take shortcuts, which compromise your security. Your users might use the same login for every situation, or they might write down their passwords somewhere insecure.

    A nightmare for IT professionals
    The security geeks on your IT staff care about protecting documents and systems from unauthorized access with secure passwords. They don’t have a hard time remembering 14 different secure passwords, and they can’t understand why the vice president of marketing can’t use a little of that MBA-trained gray matter for something so vitally important.

    After all, does he want the night crew to log in to his AMEX account? And when there is a security breach, or when the CEO sees the network password on an old sticky note on the kitchen floor, who’s going to get blamed?

    Why Passwords Matter
    Your company’s data can be lost or stolen if network users don’t follow basic security procedures. Lost data can mean
    1. lost time,
    2. lost money,
    3. a lost competitive edge, and
    4. crippling liability, if you lose customer or client data
    In addition to the threats to the company, users on the network face personal losses through identity theft.

    Identity Theft and Phishing
    Identity theft was the most-reported complaint to the Federal Trade Commission in 2004, up 15 percent from 2003 to 247,000 complaints. With increasing use of the internet – for customer service, bill paying, and almost every area of life – this problem will only increase.

    “Phishing” and “password hacking” are two popular identity theft practices.

    Phishing is a widespread form of Internet piracy that “fishes” for passwords, account numbers, Social Security numbers and personal financial information, often by means of phony emails that mimic legitimate companies.

    A phishing email may request the user to update or verify his account information. It may look like it’s from eBay, with the eBay logo, font specs and colors, but it takes the unsuspecting user to another web page where it collects personal information.

    Strong passwords by themselves aren’t enough to combat phishing. Users need to be warned about phishing scams and told how to avoid them.
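The phishing pattern described above (mail that looks like eBay but links elsewhere) can be screened for mechanically before a user ever sees it. The following is an added example, not code from the article or from Siber Systems: it parses the anchors in a constructed HTML mail body and flags links whose visible text or host name borrows the trusted brand while the link actually resolves to another domain, or to a bare IP address. The domain names in the sample are made up, and the registrable-domain helper is an assumed simplification (last two labels only).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumed simplification: the last two labels of the host name.
    Wrong for suffixes such as co.uk; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_suspicious_links(html, trusted_domain):
    """Return [(href, [reasons])] for links that borrow the trusted brand but lead elsewhere."""
    brand = trusted_domain.split(".")[0]          # "ebay" for "ebay.com"
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(host) != trusted_domain:
            if brand in text.lower():
                reasons.append("link text names %s but the link goes to %s" % (brand, host or "nowhere"))
            if brand in host:
                reasons.append("%s appears only as a subdomain of %s" % (brand, registrable_domain(host)))
        if host and host.replace(".", "").isdigit():
            reasons.append("link goes to a bare IP address")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one look-alike link, one genuine link, one bare-IP link.
SAMPLE_EMAIL = """
<p>Dear eBay member, please <a href="http://ebay.example-login.test/verify">verify your eBay account</a>
within 24 hours.</p>
<p>You can also visit <a href="http://www.ebay.com/help">www.ebay.com</a> for help,</p>
<p>or click <a href="http://203.0.113.5/ebay">here</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL, "ebay.com"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Running the block reports the look-alike link (two reasons: brand in the text, brand as a subdomain of another domain) and the bare-IP link, and stays silent on the genuine www.ebay.com link. The same check is a useful piece of user training material: the two questions it asks, "where does this link really go?" and "is the brand name in the host or only in front of it?", are exactly the ones the article wants users to ask before clicking.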

    Password hacking is simply when the identity thief guesses at passwords based on personal information, or through the use of password-hacking software. Guessing a password can often be quite easy, because most people create their passwords from:
  • Their name or initials
  • A child’s name
  • A pet’s name
  • The local football team, or
  • A favorite sport or hobby

    IT professionals need to train employees in best practices for secure passwords, and in how to avoid these sorts of scams. The “Guidelines for Secure Passwords” handout at the end of this document can be used to educate network users and to help them understand the basics of secure password management.

    Effective Password Management Saves Time and Money
    The most immediate and direct benefit of a strong password policy and an educated group of network users is increased security, which is certainly worth the time and effort. You don’t want hackers hunting through your network for your proprietary information, or, heaven forbid, for customer data.

    A strong password policy coupled with a little education about identity theft scams can result in a happier, more productive staff. And if employees get the message and follow some simple rules, it can save your IT staff and help desk lots of time – with fewer calls to reset passwords.

    Summary
    In today’s wired world we seem to need a password or PIN for everything. Remembering all these passwords can be annoying and somewhat overwhelming. An effective password policy – coupled with some basic user training – can make strong password management a lot easier, and can protect against identity theft and unauthorized access to your network.

    Guidelines for Secure Passwords

    Don’t...
  • Use dictionary words, proper nouns, foreign words or backwards words.
  • Use personal information in your password, such as your name, your child’s name, your occupation, telephone number or birth date.
  • Share your password with anyone! Not your spouse, secretary or boss.
  • Write your password on a post-it note or anywhere that’s easily accessible. It’s best not to write it down at all.
  • Rely on Internet Explorer’s AutoComplete function. This is an insecure method of storing your passwords on your computer.
  • Allow a website to store your password. Passwords saved on remote servers are not secure.
  • Keep a record or list of your passwords in an unencrypted file on your computer or PDA.
  • Choose or change your passwords on a public computer or in a public place such as an Internet café.
  • Use the same password on multiple accounts.
  • Use common words for passwords, such as password, qwerty, 1111, admin, etc.

    Do...

  • Use a combination of upper- and lowercase letters, numbers and special characters.
  • Make your password at least 6 characters long.
  • Change your password regularly – at least once every three months.
  • Log off after you have finished using a site and close your browser to prevent others from gaining access to any personal details online.
  • Make the password hard to guess but easy to remember by following these rules.

    1. Use the first letter from every word in your favorite expression, lyric, poem or movie. For example, “To boldly go where no man has gone before” could lead you to the following password: 2Bgw^Mhgb4

    2. Choose a word as your password, but substitute similar-looking numbers or symbols for letters. For example, Football may become F00t*@77 or sneakers may become $n3ak3rs.

    3. Choose a password that you want to use and come up with a keystroke mapping system. For example, if you choose to do an “upper-left” keystroke system you would choose the letter to the upper-left of the actual key you wanted. So “hellobob” would become “t3ii9g9g.”
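The handout's rules, and the "password hacking" point earlier that thieves guess from names, children, pets and other personal details, can be turned into an automated check that a help desk or a self-service password page can run before accepting a new password. The following is an added example, not code from the article or from Siber Systems: it encodes the handout's limits as written (6 characters minimum, all four character classes, no dictionary or reversed dictionary word, no personal information, no common password, change at least every three months, no reuse across accounts) and runs them against a constructed employee profile and a constructed set of account passwords. The word list, the extra entries in the common-password set beyond the handout's four, and the employee details are all made up for the demonstration.

```python
import re
import string

# Constructed stand-ins for a real dictionary and a real breached-password list.
DICTIONARY = {"football", "sneakers", "startrek", "hello", "welcome", "summer"}
# The first four entries are the handout's own examples; the rest are assumed additions.
COMMON_PASSWORDS = {"password", "qwerty", "1111", "admin", "letmein", "123456"}
MIN_LENGTH = 6      # the handout's minimum length
MAX_AGE_DAYS = 90   # "at least once every three months"


def personal_tokens(profile):
    """Turn a profile (name, child's name, occupation, phone, birth date ...) into
    lowercase tokens that must not appear inside a password."""
    tokens = set()
    for value in profile.values():
        value = str(value)
        for part in [value] + value.split():
            token = re.sub(r"[^0-9a-z]", "", part.lower())
            if len(token) >= 3:
                tokens.add(token)
        # a birth date is also guessable from its year alone
        m = re.match(r"(\d{4})-\d{2}-\d{2}$", value)
        if m:
            tokens.add(m.group(1))
    return tokens


def check_password(pw, personal=(), age_days=None):
    """Return the list of handout rules the password breaks; [] means it passes."""
    problems = []
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # strips the substituted digits/symbols
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    if letters_only in DICTIONARY or letters_only[::-1] in DICTIONARY:
        problems.append("dictionary word (or a dictionary word spelled backwards)")
    for token in sorted(personal):
        if token in lowered:
            problems.append("contains personal information: " + token)
    if age_days is not None and age_days > MAX_AGE_DAYS:
        problems.append("older than %d days; change it" % MAX_AGE_DAYS)
    return problems


def find_reused(credentials):
    """Map each password that more than one account shares to those accounts."""
    by_password = {}
    for account, pw in credentials.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


# Constructed employee profile and credential set used for the demonstration.
EMPLOYEE = {"name": "Bob Smith", "child": "Emma", "occupation": "Marketing",
            "phone": "555-0123", "birth_date": "1975-04-12"}
CREDENTIALS = {"network": "$t@rTr3k", "bank": "Emma2008!", "webmail": "$t@rTr3k"}

if __name__ == "__main__":
    tokens = personal_tokens(EMPLOYEE)
    for account, pw in CREDENTIALS.items():
        print("%-8s %-10s %s" % (account, pw, check_password(pw, tokens) or "OK"))
    print("reused:", find_reused(CREDENTIALS))
```

With the constructed data, the article's own $t@rTr3k passes every rule, Emma2008! is rejected because it contains the child's name, and the reuse report shows the network and webmail accounts sharing one password. The dictionary test deliberately compares only the letters that survive substitution, so it enforces the handout as written rather than second-guessing the substitution method the article recommends; a site that wants a stricter check would add an un-substitution step before the dictionary lookup.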

    About the Author:
    Bill Carey is the Vice President of Business Development at Siber Systems. Siber Systems creates and markets a wide range of software to both professional programmers and the general public. For more information visit www.roboform.com/enterprise

    © IMPIRE Communications, LLC All Rights Reserved.  