* Security begins at the end-user stage

Recently, my colleague Linda Musthaler wrote about moves to secure business PCs. She covered physical security efforts, such as cable locks and asset tags, as well as some more sophisticated tools that you may not yet have in place. These are all good ideas, but don't forget the importance of using the tools already available to you and enforcing the policies you already have in place. Specifically, I'm referring to your company's password policy and its enforcement. We all know the basic characteristics of strong passwords, and a few password do's and don'ts. Still, it's a good idea to review these from time to time, remind your end users of them, and check how well you are actually enforcing your password policies.

* Five characteristics of strong passwords

1. Mixed characters. Decide how strict you want to be about requiring mixed characters in your passwords. On systems that accept the full printable ASCII set, there are four groups to choose from: uppercase letters, lowercase letters, digits, and special symbols. For example, you might decide that passwords must contain at least two letters and at least one digit or special symbol. A tougher standard requires at least one character from each of the four groups. For systems that do not allow special symbols in passwords, you can still require a combination of uppercase letters, lowercase letters and digits.

2. Optimum length. Is your standard strict enough? Each additional character multiplies the number of possible passwords by the size of the character set, so an eight-character password drawn from letters and digits has several thousand times as many possibilities as a six-character one. Brute-force effort grows by orders of magnitude with length, not by a fixed amount.

3. No easy-to-guess words. Obviously, you prohibit users from using their own names, but be sure that company names and product names are not used either.

4. No repeats. Old passwords must not be re-used. Are any of your users just toggling between two different passwords?

5. No obvious similarities. Most of the characters in a new password should differ from those in the old one. Users shouldn't be allowed to simply interchange upper- and lowercase letters.

* Eight deadly password sins

1. Not changing passwords regularly. Initial passwords should be set by the system administrator and flagged so that the user must change them at first logon. Check that initial passwords are distributed to users in a manner that keeps them confidential. How often should you require that passwords be changed? Some companies require a change every quarter; others require it every six months. Remind your users that passwords should be changed immediately if they suspect that they have been compromised. Users whose credentials carry administrative privileges should have their passwords managed through a separate control process, and you should require them to change their passwords more often than ordinary users. Note that more recent guidance (NIST SP 800-63B) advises against forcing periodic changes unless compromise is suspected, because scheduled rotation pushes users toward predictable variants of their old password; if you do rotate on a schedule, the "no repeats" and "no obvious similarities" checks above matter all the more.

2. Letting network passwords expire. Passwords should be changed before they expire to avoid forced password resets, which can occur at an inconvenient time. Forced password resets do not always work properly for remotely connected clients.

3. Passwords that are too complicated. If passwords are too difficult to remember, users might violate the rules and write them down.

4. Passwords constructed by using character substitution in dictionary words. Recognizing that certain digits resemble letters ("1" looks like "I," "2" looks like "Z," "3" looks like a backwards "E"), some users think that a good password is an easy-to-remember word with these characters substituted in. But substituting look-alike digits does not keep the password out of a cracking dictionary. Likewise, never use a dictionary word spelled backwards. Password-cracking tools apply substitution and reversal rules to every dictionary word automatically, so these variants fall as quickly as the plain word.

5. Resetting passwords when logging in to Outlook. The "change password" option in Outlook does not work consistently.

6. Resetting passwords while connected to more than one system. Power down any additional systems (including PDAs, Blackberries and other PCs) before changing a password. A device that still holds the old credentials will keep retrying with them and can trigger an account lockout.

7. Changing passwords immediately before vacations, holidays, or weekends. Passwords reset right before leaving for an extended period are harder to remember. Passwords changed early in the day and early in the week are less likely to be forgotten.

8. Answering "yes" to a "remember password" option. This stores the password on the local computer, where anyone with access to the machine or its backups may be able to recover it.

* Enforcing password policies

You should have a password policy at your company that includes an enforcement procedure. The policy should cover end-user education, what to do when users forget their passwords, account lockout after a specified number of failed logon attempts, and rules for the recording and auditing or testing of passwords.

A number of software programs are available for establishing and monitoring your password policies. A few of them are listed here:

Password policy model from SANS (SysAdmin, Audit, Network, Security) Institute
https://www.sans.org/resources/policies/Password_Policy.pdf

Password Defender, an automated solution for ensuring password quality on Windows networks
https://www.littlecatz.com/defender_info.html

Password Policy Manager, available for Novell NetWare, Windows NT, and Windows 2000
https://www.altman.co.uk/ppm.htm

Password Manager, a tool that enables end users to manage their passwords themselves
https://www.waveset.com/Solutions/Lighthouse/Password_Manager/index.html

BMC Software's CONTROL-SA/PassPort, a comprehensive product for enterprise password reset and synchronization
https://www.bmc.com/products/documents/47/46/4746/4746.pdf

Wayland Hancock is business technology editor at Currid & Company, a Houston IT assessment company. You can reach him by e-mail (hancock@currid.com).
Learn more about Currid & Company at www.currid.com
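The following Python script is an added example, not code from the original article or from any of the products listed above. It turns the five characteristics and the substitution/reversed-word sin into an automated check of the kind the enforcement section calls for. The forbidden-word list, the sample passwords, the PBKDF2 iteration count and the 50 percent similarity threshold are all constructed for illustration; a real deployment would load an organisation-specific word list and tune the rest.

```python
"""Added example (not from the original article): the five characteristics
and the substitution/reversal sin as concrete checks.  Word lists, the
iteration count and all sample passwords are constructed for illustration."""
import hashlib
import hmac
import os
import string
from difflib import SequenceMatcher

MIN_LENGTH = 8            # "optimum length"
REQUIRED_CLASSES = 4      # the tougher standard: one from each group
MAX_SIMILARITY = 0.5      # "most of the characters ... should differ" (assumed cutoff)
PBKDF2_ROUNDS = 100_000   # assumed; tune to your hardware

# Hypothetical forbidden words: common words, company and product names.
FORBIDDEN_WORDS = {"password", "welcome", "summer", "acme", "widgetpro"}
# Look-alike substitutions (sin #4) mapped back to the letters they imitate.
LEET_MAP = str.maketrans("01234578@$!", "oizeastbasi")


def character_classes(pw):
    """Count how many of the four groups (upper, lower, digit, symbol) occur."""
    groups = (string.ascii_uppercase, string.ascii_lowercase,
              string.digits, string.punctuation)
    return sum(any(c in g for c in pw) for g in groups)


def normalize(pw):
    """Undo case and look-alike substitutions: 'P@55w0rd' -> 'password'."""
    return pw.lower().translate(LEET_MAP)


def forbidden_word_in(pw):
    """Return a forbidden word found forwards or reversed in the normalized password."""
    norm = normalize(pw)
    for word in sorted(FORBIDDEN_WORDS):
        if word in norm or word in norm[::-1]:
            return word
    return None


def hash_password(pw, salt=None):
    """Salted PBKDF2 digest; the history stores these pairs, never plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(pw, history):
    """'No repeats': re-derive the digest under each stored salt and compare."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)


def too_similar(new, current):
    """'No obvious similarities'.  Only the current password is available in
    plaintext (the user types it at change time); older entries are hashed,
    so similarity can only be judged against the password being replaced."""
    a, b = new.lower(), current.lower()
    if a == b:                       # pure upper/lowercase interchange
        return True
    return SequenceMatcher(None, a, b).ratio() > MAX_SIMILARITY


def check_password(new, current, history):
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(new) < REQUIRED_CLASSES:
        problems.append("needs upper, lower, digit and symbol")
    word = forbidden_word_in(new)
    if word:
        problems.append(f"contains forbidden word '{word}' (disguised or reversed forms count)")
    if was_used_before(new, history):
        problems.append("re-uses an old password")
    if current is not None and too_similar(new, current):
        problems.append("too similar to the current password")
    return problems


if __name__ == "__main__":
    # Constructed sample history (stored as salted hashes) and candidates.
    history = [hash_password(p) for p in ("Old-Pass2021", "Blue-Tiger42")]
    current = "Blue-Tiger42"
    for cand in ("P@55w0rd!", "Drowssap#42X", "bLUE-tIGER42",
                 "Old-Pass2021", "Sh0rt!", "Qz7#mVe2!Lrp"):
        print(f"{cand:14} -> {check_password(cand, current, history) or 'ok'}")
```

Run it directly to see each constructed candidate and the rules it trips: the leet-substituted and the reversed "password" are both caught after normalization, the case-toggled password is rejected as a trivial variant, and the old password is caught through its stored hash. The design point worth noting is that because history holds only salted hashes, reuse can be checked against the whole history, but the similarity check can only be made against the current password, which the user supplies in plaintext at change time.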