Passwords are the underlying prerequisite for almost all security solutions. Even the best firewall or VPN is useless if someone can obtain your passwords, and study after study has shown that a large share of security breaches involve weak, reused or stolen passwords. When you start thinking about security, start by creating a solid Password Policy for your business.
A good Password Policy should set requirements for length, complexity, regular password changes, and history:
- Length – passwords should be at least 8 characters long; longer is better, and the server will accept much longer ones.
- Complexity – passwords should contain numbers and/or “special characters” as well as letters. Special characters are things like: !@#$%^&*><?. Windows passwords are case sensitive, so mix lower and uppercase letters. (When Windows enforces complexity it also rejects a password that contains the user’s account name.)
- Regular Changes – All passwords should be changed regularly. A requirement to change passwords every 90 days is common.
- History – Require that the same password cannot be used over and over. The server keeps a list of each user’s previous passwords and rejects any of them when the user picks a new one.
This may seem like a lot to keep track of, but if you have a Windows server it can all be done automatically. With just a few minutes of configuration the server will enforce every one of these rules for you. When it’s time for a user to change their password, they will be prompted with a message that they need to do so, and then prompted for a new password; a new password that breaks one of the rules is simply refused.
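As an added example (not from the original article), here is what that “few minutes of configuration” looks like when done from PowerShell instead of the Group Policy editor. It assumes an Active Directory domain named corp.example.com and a Domain Admin session with the ActiveDirectory module installed; the domain name and the specific values (12 characters, 90 days, 24 remembered passwords) are illustrative choices, not the article’s:

```powershell
# Added example: enforce the four password-policy items on an Active Directory domain.
# Assumes: ActiveDirectory module available, run as Domain Admin, domain name is hypothetical.
Import-Module ActiveDirectory

$domain = 'corp.example.com'   # assumed domain name; replace with your own

# Look at what is in force before changing anything
Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Splatting (a hashtable of parameters) keeps each setting next to its explanation
$policy = @{
    Identity                   = $domain
    MinPasswordLength          = 12                        # Length: 8 is the floor, 12 is a better default
    ComplexityEnabled          = $true                     # Complexity: mixed character classes,
                                                           #   and no password containing the account name
    MaxPasswordAge             = New-TimeSpan -Days 90     # Regular changes: expire after 90 days
    MinPasswordAge             = New-TimeSpan -Days 1      # stops a user cycling through 24 changes in one
                                                           #   sitting to get back to the old password
    PasswordHistoryCount       = 24                        # History: last 24 passwords cannot be reused
    ReversibleEncryptionEnabled = $false                   # never store passwords in recoverable form
}
Set-ADDefaultDomainPasswordPolicy @policy

# Verify the change took effect
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, MinPasswordAge, PasswordHistoryCount

# Force one user (hypothetical account 'jsmith') to pick a new password at next logon,
# which is how you roll everyone onto the new rules without waiting 90 days
Set-ADUser -Identity 'jsmith' -ChangePasswordAtLogon $true

# On a standalone (non-domain) server the same length, age and history rules go into the
# local security policy with the built-in net command; complexity on a standalone server
# is switched on in secpol.msc under Account Policies > Password Policy
net accounts /minpwlen:12 /maxpwage:90 /minpwage:1 /uniquepw:24
```

The MinPasswordAge setting is the one most people forget: without it a user who is told to change their password can change it 24 times in a row and land back on the one they started with, which defeats the history rule entirely.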
Many people complain that they can’t remember long complex passwords, but there are ways to make it easier. Let’s say you were using your child’s first name (Susan) as a password. You can still build on the name by adding some frills to it: “1suSan!”, “suSan1” or “ilOve!susan” are all more secure than the bare name. Be aware, though, that a name with a digit or symbol tacked on is among the first things a password-guessing tool tries, so treat this as the minimum and prefer a pass phrase where you can.
Windows passwords can be quite long, so you don’t need to stick to a single word. Try a pass phrase instead: “I love USC football!”, “Fight on for Old SC!” or “trojaN nationaL championS1” all make excellent passwords and are easy to remember, and their length alone puts them well beyond what guessing tools can cover.
Many businesses resist having users set their own passwords because they want a centralized list so they can log into user PCs when they need to. Unfortunately this is very insecure: the list itself becomes a single prize for an attacker, and it means nobody can tell whether an action was taken by the user or by whoever holds the list. Remember that, even if you don’t know a user’s password, an administrator can quickly and easily reset it at any time to get access to their computer, and a reset leaves a record (and is noticed by the user) in a way that quietly using a known password does not.
Some passwords cannot or should not be managed by an automated password policy. The passwords for your administrative user accounts should be set manually, as there are often more steps involved after changing these passwords (services and scheduled tasks that run under them, for example). Also, passwords for standalone devices like firewalls and VPN gateways cannot be managed by the server’s policy and therefore must be done manually. Even though these exceptions are handled manually, the password rules still apply: keep a record of when each one was last changed so they are rotated on the same schedule, and make sure you set good passwords for all these situations.
Passwords are the linchpin of security. They are the basic starting point upon which all other network security relies. It costs little in time or money to implement a good password policy, so you may as well start today!