Tuesday, August 19, 2008

Security: Passwords part Deux: When Passwords Go Bad

It's probably worth a few minutes to talk about what constitutes a bad password.

Anything guessable is bad. Anything that's easily compromised through brute force is bad.

OK phew, that was hard! Now, on to the specifics. Users often don't really have a clue about passwords in general and see them as at best a necessary evil and at worst a horrible pain in the ass. Users will go to heroic lengths to "beat the system." Fixing these problems often takes management support, but at the very least be vigilant for the behaviors that follow.

Using really poor passwords: People use the names of their kids, their pets, their address, their kids' birthdays, their pets' birthdays, etc. These are all very easily guessable, bad passwords. The ultimate cliche is a password of "password." BAD USER! NO COOKIE! You'll see other common passwords like favorite sports teams, TV/movie characters, cities, states, brand names, etc. used. Your defense against this is setting up a password system that requires complexity and tests for dictionary words and other likely bad passwords.

Practicing Poor Password Security: Taping your password to your monitor or the underside of your keyboard, or scribbling it on the bottom of the tissue box, all happen, often. No matter how complex your passwords are, writing them down in a public space removes all security. Anybody who can get to the user's desk can get in with that user's password. All you can do is have a policy set up such that when this is caught, the user gets their proverbial hand spanked, changes their password immediately and is informed not to do it again.

Using the Same Password in too many Places: This is another easy one, but hard if not impossible to test for. At least encourage your users to use different passwords for work than for any other use, and if you have a more secure network or if they act with higher privilege than normal, ask them to use a second password for that task so that a single compromise won't compromise every system.

Re-using the same passwords excessively: A policy that says the user has to change the password monthly and can't reuse the current one doesn't preclude the user from just having two passwords and rotating them monthly. You can set policy such that they can't re-use any of their last X passwords (3-6 is common). That's actually pretty reasonable. If users rotate a larger number of passwords less frequently, it's not so terrible. The danger comes in when users combat this annoyance by just changing one character or identifier in the same base password. If "Password1" just becomes "Password2", the whole point of rotating passwords has just been invalidated. If you can, ensure that when a user changes a password it's >1 character different from the old one.
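As an added example (not code from the post), here is a Python password-change validator that wires together the checks this paragraph and the "really poor passwords" paragraph describe: a dictionary test that ignores the digit or symbol users bolt on the end, a last-N reuse history kept as salted hashes, and the rule that a new password must differ from the current one by more than one character, generalized here to Levenshtein edit distance so that "Password" -> "Password1" is caught as well as "Password1" -> "Password2". The sample wordlist, the 8-character/3-class complexity rule and the history depth of 6 are my assumptions, not the post's.

```python
import hashlib
import os

# Constructed sample wordlist of the kinds of passwords the post warns about;
# a real deployment would load a full dictionary / breached-password list.
COMMON_PASSWORDS = {"password", "cowboys", "yankees", "homer", "chicago",
                    "texas", "nike", "letmein"}
HISTORY_DEPTH = 6               # "can't re-use more than X": 3-6 is common
MIN_LENGTH, MIN_CLASSES = 8, 3  # assumed complexity rule, not from the post

def edit_distance(a, b):
    """Levenshtein distance: catches Password1->Password2 and Password->Password1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hash_password(pw, salt=None):
    """Salted PBKDF2 so the stored history never contains plaintext passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def is_complex(pw):
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES

def is_dictionary_word(pw):
    """Strip the digit/symbol users bolt on the ends, then look up the core word."""
    return pw.lower().strip("0123456789!@#$%^&*()_-+=.") in COMMON_PASSWORDS

def validate_change(old_pw, new_pw, history):
    """Return rejection reasons (empty list == accepted). old_pw is the current
    password the user typed to authorize the change, so it is the only one we can
    compare character by character; history holds (salt, digest) pairs, newest first."""
    reasons = []
    if not is_complex(new_pw):
        reasons.append("complexity")
    if is_dictionary_word(new_pw):
        reasons.append("dictionary word")
    if edit_distance(old_pw, new_pw) <= 1:
        reasons.append("too similar to current password")
    if any(hash_password(new_pw, salt)[1] == digest
           for salt, digest in history[:HISTORY_DEPTH]):
        reasons.append("reused")
    return reasons
```

The similarity check can only run against the current password, which the user supplies during the change; earlier passwords exist only as hashes, so for those the best you can do is exact-reuse detection.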

But sometimes, admins fail as well. I've seen a production database system that contained credit card data at a major company that was just secured by a password-- not a username/password pair. Understanding that people are lazy, a co-worker sat down one slow afternoon and tried strings. About one in four turned out to be a valid password. These weren't exotic strings either-- mostly sports teams, common dictionary words, etc. Thankfully the admins realized this was a huge security hole and fixed it in short order.

If you can, ensure that passwords are as complex as possible and be vigilant for users trying to undermine your best efforts.

1 comment:

lapamela said...

Help,

I have been attacked by a bad network person. I only know of two and they are both in my family. This has gone on for two years now. I have had files deleted, denied access to my own computers. I have had hard drives wiped. I have a case with the police, yet this person is hiding good. It has been two long hard years. I have been in and out of the hospital over this. What can I do? The bad thing is that these people work as consultants for major companies. As they have almost closed my small non-profit company that I started as a single mother to give my children hope.