Username: Save?
Password:
Home Forum Links Search Login Register*
    News: Keep The TechnoWorldInc.com Community Clean: Read Guidelines Here.
Recent Updates
[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[October 17, 2024, 05:05:06 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]
Subscriptions
Get Latest Tech Updates For Free!
Resources
   Travelikers
   Funistan
   PrettyGalz
   Techlap
   FreeThemes
   Videsta
   Glamistan
   BachatMela
   GlamGalz
   Techzug
   Vidsage
   Funzug
   WorldHostInc
   Funfani
   FilmyMama
   Uploaded.Tech
   MegaPixelShop
   Netens
   Funotic
   FreeJobsInc
   FilesPark
Participate in the fastest growing Technical Encyclopedia! This website is 100% Free. Please register or login using the login box above if you have already registered. You will need to be logged in to reply, make new topics and to access all the areas. Registration is free! Click Here To Register.
+ Techno World Inc - The Best Technical Encyclopedia Online! » Forum » THE TECHNO CLUB [ TECHNOWORLDINC.COM ] » Ethical Hacking / Security / Viruses » Viruses
 Implementing a Secure Password Policy
Pages: [1]   Go Down
  Print  
Author Topic: Implementing a Secure Password Policy  (Read 643 times)
Daniel Franklin
TWI Hero
**********


Karma: 3
Offline Offline

Posts: 16647


View Profile Email
Implementing a Secure Password Policy
« Posted: September 29, 2007, 03:57:38 PM »


---------------------------------------------------------- Permission is granted for the below article to forward, reprint, distribute, use for ezine, newsletter, website, offer as free bonus or part of a product for sale as long as no changes are made and the byline, copyright, and the resource box below is included. ----------------------------------------------------------

Implementing a Secure Password Policy

By Stephen Bucaro

I don't need to tell you the importance of good network security - but I will. If your network is compromised, competitors could obtain information about where your company gets their resources, steal your company's research, learn your company's marketing plans, and other sensitive information that could destroy your company's competitive advantage. The loss of competitive advantage could require your company to reduce its labor force - in other words you could lose your job.

If your company's network is compromised, identity thefts could use your company's customers credit card numbers and social security numbers to steal their identities and destroy their lives. And it's not only your company's customers who are going to suffer. When the source of the security breach is traced to your company, the result will be a negligence lawsuit. And after you get a reputation for being incompetent in the area of network security, try to get a network administrator job at another company.

Having a secure password policy is the front line of network security. What good is a firewall and ant-virus protection if hackers can easily log on and have their way with your network? A secure password policy requires the following steps:

- Require users to create secure passwords - Configure your system for password security - Disable default administrator accounts - Create a Written password security policy - Continuously communicate the password policy

How a Password Cracking Program Works

Hackers trying to break into your company's network will use a "password cracking" program. The program runs continuously on one or more computers. At predefined intervals it attempts to logon to your company's network using the next username and password in sequence in its dictionary. After a predefined number of failed attempts, it will wait for a predefined interval before making another attempt.

A password cracking program is not so aggressive that its activities are easily detectable. You'll never know about the hacker's activities unless you carefully analyze your server logs. A hacker will continue to run the password cracking program for years. They have lots of patience because, after all, they are just sitting watching TV while the password cracking program trys to break into your company's network. And when it finally breaks into your system, the hacker can sell your company's customers personal information for hundreds of thousands of dollars.

Require Users to Create Secure Passwords

Your job, as network administrator, is to force users to create passwords that are very time consuming for the password cracking program to discover. In order to do this, users must create passwords that are not at the beginning of the password cracking program's dictionary. If one of your users thinks it's cute to use the name of their pet as a password, I can assure you that the word "scooter" is very close to the beginning of the cracker's dictionary. Your networks security might not last the week.

Require you users to create passwords that comply with the following rules:

- Don't use a persons name, pets name, street name, or name of an activity, event, place or thing - Don't use any word that would be in the dictionary - Make the password long, the longer the better (some systems have a maximum password length) - Use a combination of letters and numbers - Use special characters, like underscore or exclamation mark (if your system allows special characters) Use a combination of uppercase and lowercase letters (if your system's passwords are case sensitive).

Configure Your System for Password Security

A hacker's password cracking program can be thwarted by the following system configurations:

- Lock out a user's account after a certain number of failed logon attempts. Sure, a user might arrive in the morning with a hangover and screw up their password two or three times, but more failed attempts than that is probably the result of a hacker. Configure the system to lock out a users account after an unreasonable number of failed logon attempts.

- Configure the time interval of the failed logon attempts lock out. If users understand that after they mistype up their password x number of times, they need to wait 30 minutes before making another logon attempt, they shouldn't be too annoyed. The longer the time interval of failed logon attempts lock out, the more it thwarts hackers. Unfortunately, long lock out periods can occasionally be a problem for a legitimate user.

- Configure Your System to expire passwords periodically. Imagine a password cracking program that has attempted millions of passwords from its dictionary and is getting closer every day to the actual password - and then the password changes. The more frequently passwords change, the more secure the system is. Configure Your System to expire passwords every 60 days or more frequently.

Disable Default Administrator Accounts

Upon installation, many operating systems and software applications have default accounts. Everybody knows the default administrator user name for a Windows server is "Administrator". Everybody knows the default administrator user name for SQL server is "sa" and that, by default this user name requires no password. Perform an audit of the all software and hardware (routers, switches, etc.) on your network to make sure they are not using a default account.

Create a Written Password Security Policy

Put your password security policy in writing. In addition to the items already discussed in this article, put the following rules in your written security policy:

- Don't reveal your password to ANYONE - not a fellow employee (who may quit or get fired and then use your password) - not a service technician (A hacker might call pretending to be a technical support person who needs a password to troubleshoot a problem). If a legitimate technical support person needs your password, change your password immediately afterward. Many security breaches occur when a user purposely reveals their password.

- Don't let anyone look over your shoulder while you log on, and in return don't look over anyone else's shoulder while they log on.

- Don't leave your computer unattended while logged on. Log off, go for coffee, log on.

- Don't leave paper or digital media containing sensitive data laying around. You can't be sure that outside visitors won't enter your area. You can't be sure that a fellow employee isn't out to cause damage to your company.

- Don't discard paper or digital media in public waste containers. "Dumpster diving" is a common way for thefts to acquire sensitive information.

Continuously Communicate the Password Policy

many users hate password policies. They prefer to create a password that is cute and memorable, and never change it. They prefer to be friendly and cooperative with fellow employees and outsiders and share their passwords. They don't understand the value of the company's information and don't like to take the time to be vigilant about not leaving it laying around, or disposing of it properly.

As network administrator, it's your responsibility to continuously communicate and promote the password security policy. Use the company newsletter and meetings to reiterate the password security policy. Also communicate WHY the password security policy is necessary. WHY do employees need to comply with the company's password policy? What will be the inevitable result of failure to comply with the policy? Employees will demonstrate much better conformance to any rules if they understand WHY the rules are necessary.

---------------------------------------------------------- Resource Box: Copyright(C)2005 Bucaro TecHelp. FREE ebooks, software, graphics, certification self tests, Java Script and CSS cut-and-paste code. Learn PC Anatomy, find FREE diagnostic Tools and technical assistance. Learn how to start your own online business and much more! You never know what you'll find at bucarotechelp.com ----------------------------------------------------------

Articles Source - Free Articles

Logged

Pages: [1]   Go Up
  Print  
 
Jump to:  

Copyright © 2006-2023 TechnoWorldInc.com. All Rights Reserved. Privacy Policy | Disclaimer
Page created in 0.173 seconds with 24 queries.