November 5, 2010
Vol. 32 Issue 23
Page(s) 33 in print issue
Banish Weak Passwords
Policies To Ensure Passwords Are Safe
• Some applications automatically deny users access if their passwords are weak. Check them out.
• Strong passwords start at the IT level. Managers need to set standard password policies, and it can’t be overstated: Change passwords frequently.
• No two administrator accounts should ever have the same password.
Enterprise security can only be as strong as its weakest link, and more often than not, that weakest link is a password. That’s why, for IT managers, finding and fixing weak passwords is of utmost concern. With that in mind, we’ve compiled some tips from IT experts about what data center and IT managers can do to make sure passwords are as secure as possible.
Establish Password Policies
Password policies need to be set and enforced by IT managers, and all users need to be made aware of best password practices, says Jim Lippie, president of Staples Network Services by Thrive (www.thrivenetworks.com), the IT network services business of Staples Advantage.
If users don’t set ideal passwords, some applications can automatically deny them access until the password is sound, he says. He expects these types of applications to increase as more enterprises move to discourage weak passwords and the security risks that come with them. “But it’s still good practice to educate employees,” Lippie says. “Encourage them to use strong passwords and make them aware of the ramifications of security breaches, including identity theft.”
Remind users that their passwords need to be at least eight characters long, including upper and lowercase letters, and should include at least one special character and one number, Lippie says.
At the enterprise level, IT managers should also set a password expiration date, he adds. And they need to remember to reset passwords when employees leave. A recent Staples Advantage survey of IT practices at small to medium-sized enterprises found that 40% of respondents don’t always change network passwords associated with departing employees, he says. Lippie reminds managers to also change the passwords of any resources to which departing employees had access.
The same holds true for outsourced IT services providers, Lippie adds. “Make sure you know and track the administrator passwords for the applications they’re managing in case you need to manage them yourself in the event of an emergency or need to switch providers,” he says.
Data center and IT managers should bear in mind that insider attacks are just as imminent as attacks from outside hackers, says Chris Stoneff, senior product manager at Lieberman Software (www.liebsoft.com). He suggests managers consider bringing in applications that automatically change passwords daily.
He also recommends all built-in administrator accounts include frequently rotating passwords that differ from one another. No two such administrator accounts should ever have the same password, he says. “This ensures that even if one admin is cracked, it only affects the one account, not every admin for every system,” Stoneff says.
Even when two-factor authentication is used for end users, users must still change their passwords regularly, he adds. IT managers should advise users who believe their password has been hacked to immediately disconnect their devices from the Internet and call IT, says Christopher Plath, a Best Buy Geek Squad double agent. “Typically, hacking a password involves having malware on the computer, which is an entire issue within itself that needs to be remedied by IT,” he says.
Some of the main targets for password hacking are email, social networking Web sites, and banking Web sites. Smartphones are now hacking targets, as well, via innocuous-looking applications that users might download, Plath adds.
Cribbed From Consumers
The same password-protection tips Plath gives consumers are even more important for enterprise users, he says. For instance, IT managers should caution their users against setting a personal nickname, pet name, birth date, address, or other public information as a password. “Public records are too easy to get hold of these days and a brute force attack may allow someone to get into your account if you are using one of these as your password,” he adds.
In that same vein, users must never set a variant of their logon identification as their password. For instance, if a logon is JohnSmith, don’t use jsmith, smith.john, or johns as a password, Plath says. Try not to use a password that contains any word you can find in the dictionary, even if these words are condensed and combined, he adds. “Some types of attacks basically try all the words in the dictionary to crack your password,” Plath says. “For example, using purpledog as a password isn’t a good idea. Also stay away from easy patterns on the keyboard such as qwerty or asdfghjk.”
Passwords should be at least eight characters long and contain both numbers and letters. A capital letter or two should be used if the password is case-sensitive. You can substitute numbers for letters: typically 4 for A, 3 for E, 0 for O, and 1 for L.
If the application allows you to use special characters such as punctuation marks, use those along with letters and numbers. For instance !t5As3cr3t would be acceptable. This actually spells out “it’s a secret,” Plath says.
“Some people take a sentence or phrase that means something to them and use the first letters of each word of the sentence for their password. So, ‘I picked a really good password’ could translate to 1pArG00dP,” he adds. And he reiterates the advice that can’t be given too often: Change passwords frequently.
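The rules above from Lippie (at least eight characters, mixed case, a number and a special character) and Plath (no variant of the logon id, no dictionary words even after 4/3/0/1 substitutions, no keyboard runs) as one policy check, written as an added Python example that is not from the article or either vendor. It assumes a constructed mini wordlist and reads “contains a dictionary word” as “is built entirely from dictionary words,” so that the article’s own !t5As3cr3t passes while purpledog and Purp13D0g! fail.

```python
import re

# Constructed mini wordlist for the demo; a real deployment would load a full dictionary file.
WORDLIST = {"purple", "dog", "password", "secret", "good", "really", "admin", "smith", "john"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Digit-for-letter swaps the article lists (4->A, 3->E, 0->O, 1->L), undone before the dictionary test.
LEET = str.maketrans({"4": "a", "3": "e", "0": "o", "1": "l"})

def logon_variants(logon):
    """Spellings of a logon id a user might reuse: JohnSmith -> jsmith, smith.john, johns, ..."""
    parts = [p.lower() for p in re.findall(r"[A-Z]?[a-z]+|\d+", logon)]  # split CamelCase
    variants = {logon.lower(), *parts}
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        variants |= {first[0] + last, last + "." + first, first + last[0], first + "." + last, last + first}
    return variants

def is_word_concatenation(letters, words, min_len=3):
    """True if `letters` splits entirely into dictionary words of at least min_len letters (purple+dog)."""
    n = len(letters)
    reachable = [True] + [False] * n  # reachable[i]: letters[:i] is a sequence of words
    for i in range(1, n + 1):
        reachable[i] = any(reachable[j] and letters[j:i] in words for j in range(0, i - min_len + 1))
    return n > 0 and reachable[n]

def has_keyboard_run(pw, run=4):
    """True if the password contains `run` adjacent keys from one keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def check_password(pw, logon, require_special=True):
    """Return the rules the password breaks; an empty list means it passes the policy."""
    low = pw.lower()
    letters = re.sub(r"[^a-z]", "", low.translate(LEET))  # undo 4/3/0/1 swaps, keep letters only
    rules = [
        (len(pw) < 8, "shorter than 8 characters"),
        (not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)), "needs upper and lowercase letters"),
        (not re.search(r"\d", pw), "needs a number"),
        (require_special and not re.search(r"[^A-Za-z0-9]", pw), "needs a special character"),
        (any(v in low for v in logon_variants(logon) if len(v) >= 4), "derived from the logon id"),
        (is_word_concatenation(letters, WORDLIST), "built from dictionary words"),
        (has_keyboard_run(pw), "keyboard pattern"),
    ]
    return [msg for broken, msg in rules if broken]
```

Note that 1pArG00dP only passes with require_special=False, since Plath makes the special character conditional on the application allowing it while Lippie requires one.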
by Jean Thilmany
When At Home
IT managers should also offer password information for users who work from home or use their home computers or laptops for office work in the evening or while on the road, says Chris Stoneff, senior product manager at Lieberman Software (www.liebsoft.com).
If they also use their computers for online banking, home users should be sure to click the Log Off or Sign Out or similar button when finished. This invalidates the logon session stored on the system. Then, close the entire browser. “If you’re using a tabbed browser, simply closing the single tab is not the same as closing the entire browser, which typically clears that information from further use,” he says.
Also, remind all users not to let their browsers store their passwords for them, he adds. Browsers typically don’t store passwords securely. And, again for all users: Don’t let your system auto-logon, Stoneff says. “If your system is configured for auto-logon, Windows will actually store your password in clear text in the Registry of the system in a well-known location,” he says.