Implementing a Secure Password Policy
By Stephen Bucaro
I don't need to tell you the importance of good network security, but I will. If your network is
compromised, competitors could learn where your company gets its resources, steal your company's
research, learn your company's marketing plans, and obtain other sensitive information that could
destroy your company's competitive advantage. The loss of competitive advantage could force your
company to reduce its labor force; in other words, you could lose your job.
If your company's network is compromised, identity thieves could use your company's customers' credit
card numbers and social security numbers to steal their identities and destroy their lives. And it's
not only your company's customers who are going to suffer. When the source of the security breach
is traced to your company, the result will be a negligence lawsuit. And after you get a reputation
for being incompetent in the area of network security, try to get a network administrator job at another company.
Having a secure password policy is the front line of network security. What good are a firewall
and anti-virus protection if hackers can easily log on and have their way with your network? A secure
password policy requires the following steps:
• Require users to create secure passwords
• Configure your system for password security
• Disable default administrator accounts
• Create a written password security policy
• Continuously communicate the password policy
How a Password Cracking Program Works
Hackers trying to break into your company's network will use a password cracking program.
The program runs continuously on one or more computers. At predefined intervals it attempts to log on
to your company's network using the next username and password in sequence from its dictionary. After
a predefined number of failed attempts, it waits for a predefined interval before trying again.
A password cracking program is not so aggressive that its activities are easily detectable. You'll
never know about the hacker's activities unless you carefully analyze your server logs. A hacker will
continue to run the password cracking program for years. They have lots of patience because, after all,
they are just sitting watching TV while the password cracking program tries to break into your company's
network. And when it finally breaks into your system, the hacker can sell your company's customers'
personal information for hundreds of thousands of dollars.
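The slow, throttled guessing described above only shows up if someone actually looks at the logs. As an added example (not from the original article), here is a small Python detector that reads a few constructed SSH-style log lines and flags a source whose failed logins are paced too slowly to trip a lockout but still pile up across many usernames; the log format, addresses and thresholds are assumptions for the demonstration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (simplified syslog style, not real data).
LOG_LINES = """\
2024-03-01 02:00:05 sshd: Failed password for alice from 203.0.113.7
2024-03-01 02:15:12 sshd: Failed password for bob from 203.0.113.7
2024-03-01 02:30:40 sshd: Failed password for carol from 203.0.113.7
2024-03-01 02:45:03 sshd: Failed password for dave from 203.0.113.7
2024-03-01 03:00:19 sshd: Failed password for erin from 203.0.113.7
2024-03-01 03:15:55 sshd: Failed password for frank from 203.0.113.7
2024-03-01 08:02:01 sshd: Failed password for alice from 198.51.100.9
2024-03-01 08:02:03 sshd: Accepted password for alice from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) sshd: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)$")

def parse(lines):
    # Yield (timestamp, result, user, source) for every line that matches.
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])

def slow_guessers(lines, window=timedelta(hours=2), min_failures=5,
                  max_per_minute=1.0):
    """Flag sources whose failures are paced slowly enough to stay under a
    lockout threshold but still reach min_failures inside `window`.
    Returns {source: (failure_count, distinct_usernames)}."""
    failures = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "Failed":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):        # sliding window
            in_win = [e for e in events[i:] if e[0] - start <= window]
            if len(in_win) < min_failures:
                continue
            span_min = max((in_win[-1][0] - start).total_seconds() / 60, 1.0)
            if len(in_win) / span_min <= max_per_minute:   # low and slow
                flagged[src] = (len(in_win), len({u for _, u in in_win}))
                break
    return flagged

if __name__ == "__main__":
    print(slow_guessers(LOG_LINES))
```

On the sample above it reports 203.0.113.7 with six failures against six different usernames at well under one attempt per minute, while the single failed attempt from 198.51.100.9 followed by a success is ignored.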
Require Users to Create Secure Passwords
Your job, as network administrator, is to force your users to create passwords that are very time
consuming for the password cracking program to discover. To do this, users must create passwords
that are not near the beginning of the password cracking program's dictionary. If one of your users
thinks it's cute to use the name of their pet as a password, I can assure you that the word "scooter"
is very close to the beginning of the cracker's dictionary. Your network's security might not last
the week.
Require users to create passwords that comply with the following rules:
• Don't use a person's name, pet's name, street name, or the name of an activity, event, place or thing
• Don't use any word that would be in the dictionary
• Make the password long, the longer the better (some systems have a maximum password length)
• Use a combination of letters and numbers
• Use special characters, like underscore or exclamation mark (if your system allows special characters)
• Use a combination of uppercase and lowercase letters (if your system's passwords are case sensitive)