A sound password policy alone won't guarantee your company's security, but you have little chance without one.
It's easy to see why. Type the words "password hacking" into any of the major search engines, and you will be rewarded with a bevy of tools offered for various platforms. Individual posts on some bulletin boards also request password-hacking tools for specific systems.
Passwords are the first line of defense. If not handled correctly, "passwords are the weakest link in the enterprise," says Robert Lonadier, president of RCL & Associates, a security consultancy in Boston. "Insiders being far and away the biggest threat to a company, a weak or nonexistent password is the easiest vulnerability to exploit."
A weak password is one that can be easily guessed or broken into with one of the widely available hacker tools. It's not just a matter of someone guessing that your password is a combination of your kids' names, your birthday or anniversary date, or a childhood nickname that you still go by. Some of the hacker tools use dictionaries to test passwords against thousands of commonly used words.
The best passwords use a combination of upper- and lower-case letters and non-alphanumeric characters like the asterisk, exclamation point, dollar sign or percent sign. (For more tips, see the bulleted list at the end of this article.) Best of all is to combine words and characters into a password that can't be found in the dictionary, something like "touch*vote,"
Indeed, that is often the biggest problem with passwords -- that they're so difficult to remember or are changed so often that people put them on yellow sticky notes on their monitors.
"The knee-jerk reaction to a sloppy or weak password is to come up with a way to make them stronger," says Pete Lindstrom, a Boston-area analyst. "There are all these yins and yangs in password policy. The policy can be so strong that it becomes weak because people write stuff down."
And so, in addition to passwords that can't be easily guessed, it's critical to have an accompanying policy: what happens when people forget their passwords, for instance. "How will I know it's you if you're in a remote office?" Lindstrom asks. "You subvert the policy if all you have to do is call the help desk to get your password. You have to figure out how strict you want to be."
One type of technology that can help counter password hackers is automatic log-out. "You can relax the strength of your password policy if you have three strikes and you're out -- a person is locked out for some length of time if they enter wrong passwords three times," Lindstrom says. "If someone can keep battering, it's only a matter of time before they can get in."
Besides a strong password and reset policy, companies need to decide how the password is recorded, or not. "Enforcement is really the hardest part," Lonardier says. "The most effective security organizations work alongside the user community, enabling them to provide access to things as opposed to telling them 'here's what you can't do.'"
Clareon Corp., a Portland, Maine-based maker of electronic-payment software, has implemented a successful enforcement policy. Every three months, the company tests all employees' passwords to see how quickly they can be hacked. "We divide passwords into two camps -- those that are guessed in the first five minutes, and then those that are broken" during the week the test goes on, says Frank Jaffe, chief security officer (CSO).
People whose passwords can be guessed in five minutes then become members of the "five-minute club." Anyone in the club gets a "personal call from the CSO to explain the importance of passwords and how we broke theirs," Jaffe explains. He also offers suggestions about how to improve their passwords.
Anyone in the "club" for three times running then has a password assigned by Jaffe. "If I choose the password, it's really hard, and they can't change it," he says. "They're stuck with whatever I pick for them."
There has been one person in the five-minute club twice, out of the firm's 40 employees (down from a high of 106). Nobody's been a three-time offender, Jaffe says.
People have gotten the message. "The first time we ran the password-cracking routine, we broke every password in the company in seven hours," he says. "The last time we did it, we broke zero in five minutes and after one week we'd broken less than 15%."
What he's trying to do, Jaffe explains, is to "defend against the guys who are guessing" rather than anyone who's using sophisticated tools to break in.
There are also password-monitoring software packages available to organizations. These types of software are ubiquitous and available for every platform imaginable. In addition, operating systems and applications have their own built-in security. Some third-party names in password protection include CONTROL-SA/PassPort from BMC Software Inc. in Houston; P-Synch from M-Tech Mercury Information Technology Inc. in Calgary, Alberta; and Lighthouse from Waveset Technologies Inc. in Austin, Texas. There are many, many products in this space, so it's worth doing some looking around to see what fits one's specific budgetary and technological needs.
These days in particular, passwords can't stand alone. With the Internet providing the predominant avenue for security break-ins, firewall and intrusion-detection software are must-haves in an enterprise-level, layered security architecture. "You can't protect against a buffer overflow attack by using passwords alone," Lindstrom warns.
Creating a good password
- Use between six and 10 digits.
- Use a mix of upper-case and lower-case letters.
- Use non-alphanumeric symbols such as the dollar sign and percentage symbol.
- Make sure the password does not include any word that can be commonly found in the dictionary -- although pieces of words are okay.
- Make sure the password can be remembered without your having to write it down.
- Create a policy to go with the password, including end-user education and enforcement and a procedure for what to do if someone forgets his password or just can't get it to work for some reason.
Sponsored by: EMC
Industry analysts on the benefits of automated networked storage and how EMC is leading the way
Every day, EMC Automated Networked Storage lets IT departments cut 60% out of per-megabyte costs, consolidate storage management and triple disk utilization -- all at a surprisingly affordable price. Find out what analysts are saying about automated networked storage, and how EMC can help you do more with less.
This was first published in November 2002