Essentials of Proper Password Protection

Re-published with permission from White-Collar Crime Fighter, www.wccfighter.com.

It may sound surprising, but too many companies still don't live by the seemingly obvious rule that computer security is heavily dependent on a tight password protection system...and that the password system in turn depends on the passwords being kept secret at all times.

Problem: A password is vulnerable to compromise whenever it is used, stored or even known. In a password-based authentication function implemented on a system, passwords are vulnerable to compromise due to six essential aspects of the password system...

  1. A password must be initially assigned to a user when he or she is admitted to the system. Vulnerability: Potentially malicious tendencies on the part of the issuer--usually the system administrator.

  2. A user's password should be changed periodically. Vulnerability: The longer the user uses the password, the more time an attacker has to crack it.

  3. The system must maintain a "password database." Vulnerability: If the database is compromised all passwords may be compromised.

  4. Users must remember their passwords. Vulnerability: With too many passwords to remember, users begin to write them down or to choose common names such as those of family or friends, or birthdates.

  5. Users must enter their passwords into the system at authentication time. Vulnerability: Shoulder surfers can pick up the password when the user enters it.

  6. Employees may not disclose their passwords to anyone. Vulnerability: Sometimes attackers will pose as managers, administrators or other high-level people within the organization. Users must never disclose their passwords, no matter who has asked for them.

To mitigate some of these risks, formulate and enforce policies based on your organization's specific needs.

Examples: You can specify minimum password length...no blank passwords...and maximum and minimum password age. You can prevent users from reusing passwords and/or require users to include specific characters in their passwords.
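
The policy settings listed above, enforced at password-change time, as an added example that is not part of the original article. The threshold values and function names are assumptions chosen for illustration; the reuse check compares against salted PBKDF2 hashes so the password history never holds plaintext.

```python
import hashlib, hmac, os, string
from datetime import datetime, timedelta

# Assumed policy values, chosen for illustration only.
MIN_LENGTH = 12
MIN_AGE = timedelta(days=1)     # blocks rapid cycling back to an old password
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5               # previous passwords that may not be reused
REQUIRED_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def hash_password(password, salt=None):
    """Return (salt, digest); the history stores these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def is_expired(last_changed, now):
    """Maximum password age: True once the password must be changed."""
    return now - last_changed > MAX_AGE

def check_change(new_password, history, last_changed, now):
    """Return a list of policy violations for a requested password change.

    history: list of (salt, digest) pairs, most recent first.
    """
    problems = []
    if not new_password:
        return ["blank password"]
    if len(new_password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for name, chars in REQUIRED_CLASSES.items():
        if not any(c in chars for c in new_password):
            problems.append("missing " + name)
    if now - last_changed < MIN_AGE:
        problems.append("changed too recently")
    for salt, digest in history[:HISTORY_DEPTH]:
        # Re-hash with each stored salt; compare in constant time.
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            problems.append("reuses a recent password")
            break
    return problems
```

An empty list from `check_change` means the new password satisfies every rule; `is_expired` is the separate check run at login to force a change once the maximum age has passed.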

Other options include use of expensive but effective technologies such as biometric scanners and smart card readers. These are generally used in conjunction with password systems in high-security environments.

White-Collar Crime Fighter source: Edmund J. Pankau, a nationally renowned author, CPP, CLI, DABFE (Diplomate, American Board Forensic Examiners), President of Pankau Consulting, a Houston-based international security consulting agency.
