November 2011 IT Business Consulting Newsletter

Secure Passwords - You need to get this right!

By Tom K

Passwords are THE keys to your Corporate Jewels. They are also an important safeguard for your personal identity. Proper creation and management of passwords are SO important...

We recently found several weak passwords while running a security audit. This is so important, so dangerous, and so easy to correct, I’m pushing Secure Passwords ahead of this month’s scheduled topic.

In this month’s newsletter I discuss what a Secure Password is, methods to create passwords that are secure but easy to remember, and best practices for managing your passwords. I’ll also discuss how to easily auto-enforce Secure Passwords & Password Policies on your networks.


Why Secure Passwords?

Since most Vacation Rental Managers now provide their users with external access to internal company computing resources (programs, email, and file access) it is imperative that all users have Secure Passwords. You have opened doors into your office network to allow this external access, and each user’s network password is one of the keys used to get through these doors.

With the proliferation of on-line banking and purchasing, social networking sites, and personal email accounts, your personal financial status and reputation are at risk if you don’t use Secure Passwords in all of your personal Internet activities.

If your company accepts/processes Credit Cards, the PCI DSS standard requires the use of Secure Passwords within your environment.


What is a Secure Password???

The object is to use a character string that can’t be guessed or cracked by automated means. Dictionary attacks run through every word in the dictionary, and name attacks run through known names that have been collected into databases created specifically for this purpose and available on-line (if you know where to look!).

A Secure Password is one that can’t be easily guessed, and is not contained in a dictionary or a “name dictionary”. The Secure Password should be easily remembered so you don’t have to write it down (no post-its under the keyboard allowed!!).


Components of a Secure Password

A Secure Password contains at least three of the four following character types:

  • lower case characters (a-z)
  • Upper Case Characters (A-Z)
  • special characters (@, #, $, etc.)
  • digits (0 – 9)

A Secure Password is at least 7 characters long.

A Secure Password should be changed every three months.

To make your passwords even more secure, I recommend you use at least one character from all four types and use 8 characters or more.


Try using “Pass Phrases” rather than Passwords

Eight characters using all 4 char types, easily remembered... Hmmmm...

Sounds like a pain, but this is easily accomplished using Pass Phrases rather than passwords. While names and words aren’t allowed as a secure password, they are acceptable when embedded in a “Pass Phrase”.

Here are some examples:

RedSkins21&CowBoys7
WeAre#1!
Route#66
octoberIS#10

Note that it is not recommended that a password include the user’s name (first or last) or any portion of the user’s network or system ID. If a user’s name is Bill Baxter and his ID is BBaxter, stay away from the likes of Bill#4825 or BaxterIs#1. In fact, many systems that verify secure passwords will not allow the use of a user’s name, including the PW verifier in Microsoft networks (see Forcing Security below).


Or Character Substitution within Passwords

Another strategy is to use words or names but substitute special characters & digits for some of the standard characters (e.g. 1 for i or L, @ for a, $ for s, 0 for o, etc.).

Here are some examples, again using 8+ characters of all 4 types:

F1reWall$
e1ePh@nt$
C0mputer$

All of the examples above are very difficult (virtually impossible) to crack with an automated password-cracking tool, yet all are easy to remember!
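To make the rules above concrete, here is an added Python checker (my own example, not part of the original newsletter or of any vendor's product) that applies the three-of-four character types, minimum length, and no-user-name rules to the example passwords on this page. The name/ID check is my reading of the text, not the exact algorithm Microsoft's password verifier uses.

```python
import re

# Rule set taken from the newsletter: at least 3 of the 4 character types,
# at least 7 characters (8+ recommended), and no part of the user's name or
# login ID inside the password. The name rule below is our interpretation of
# the text, not the exact algorithm of any particular product (assumption).
CLASSES = {
    "lower":   re.compile(r"[a-z]"),
    "upper":   re.compile(r"[A-Z]"),
    "digit":   re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
MIN_LENGTH = 7
MIN_CLASSES = 3


def check_password(password, first_name="", last_name="", login_id=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < MIN_CLASSES:
        problems.append(f"only {len(present)} of 4 character types ({', '.join(present) or 'none'})")
    # Name/ID check is case-insensitive, so Bill#4825 is rejected for Bill Baxter.
    lowered = password.lower()
    for label, value in (("first name", first_name), ("last name", last_name), ("login ID", login_id)):
        if value and value.lower() in lowered:
            problems.append(f"contains the user's {label} '{value}'")
    return problems


def audit(candidates, **user):
    """Map each candidate password to its violations (helper for auditing a batch)."""
    return {pw: check_password(pw, **user) for pw in candidates}


if __name__ == "__main__":
    # Constructed test batch: the newsletter's own examples plus the two it warns against.
    user = dict(first_name="Bill", last_name="Baxter", login_id="BBaxter")
    batch = ["RedSkins21&CowBoys7", "WeAre#1!", "Route#66", "octoberIS#10",
             "F1reWall$", "e1ePh@nt$", "C0mputer$",
             "Bill#4825", "BaxterIs#1", "password", "Summer"]
    for pw, problems in audit(batch, **user).items():
        print(f"{pw:22} {'OK' if not problems else '; '.join(problems)}")
```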


How to Change a Password

The User can change her password while logged into a PC by hitting the ctrl+alt+del key combo and selecting Change Password from the menu. If the PC is in a Domain, this will change the User's Domain/Network password. If the PC is not in a Domain, this will change the User's local password on the PC she is logged into.

If you have a Server/Domain environment, a Domain Admin can change any user's PW from a server using Active Directory Users & Computers or from an SBS console.


Use a Different Secure Password for Each Account

You wouldn't use the same key for your front gate, front door, and home safe, so don't do it in your cyber world. Use a different secure password for each account. This greatly increases your security when you use layered accounts (multiple doors), such as a VPN account to reach your network and then your network account to log in.

You wouldn't use the same key for your car, your office, and your safety deposit box, so you should NEVER use the same password with multiple sites, accounts, or locations.

If a site database is hacked and your password is lifted, as long as the password is unique to that site your liability is relatively small. BUT, if you use a common password across multiple sites and services, ALL those assets are now compromised... your potential liability is off the charts, and you’ll have to access every account that used that common password and change it. You’ll also need to monitor those multiple assets to ensure they weren’t compromised. Very Ugly!


Forcing Security Within the Company Network

Most VRM companies we work with use Microsoft networks to run and manage their IT resources. If you do, Microsoft has tools built in to their servers that can establish network-wide requirements for Secure Passwords. Depending on your environment, these requirements may be set using wizards or through Group Policy (see our May 2011 Newsletter, Use Group Policy to Centrally Tune YOUR Business Computing Environment). Along with requiring Secure Passwords (forcing complex passwords, # of chars, and PW lifetime), you can also set a number of additional requirements using Group Policy that can greatly enhance your network’s security.

If your network does not use Microsoft servers, Group Policy isn’t an option. But, you can set security requirements on each PC using the PC’s Local Policy settings. This does require that you visit each PC in the company & manually set a handful of policy settings on each PC, but it is not an overly complex process.


If you’d like help enhancing your network security with Group Policy or via Local Policies, or you have any questions concerning Secure Passwords or general Corporate Security, I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month I’ll get back to discussing the concerns IT should have relating to departing employees, the steps we recommend to properly deal with security and auditing, and different processes used when the departing employee is leaving with blessings or in handcuffs. See "Departing Employee? How to Process them Gracefully and Securely".