A Real-World Password Policy For Your Firm

By, John D. McCall, MCP, Boomer Consulting, Inc.

Security is the prevailing concern in the world of technology today.  Everyone, not just IT professionals, should be worried about the security of their data.  Network Administrators go to great lengths to secure their networks from attacks, both internal and external.  Perhaps the most overlooked layer of security is also the most potentially dangerous – passwords.  This layer of security relies on you, the user, to ensure that your password is protected and private.  Passwords are your key to the network.  They give you access to some very important and very sensitive resources.  Every organization needs to adapt a password policy to ensure that passwords are kept secure and confidential.  Some networks have no password authentication at all.  Other organizations have ultra-restrictive password policies.  An example of such a policy appears below:
 
Users must:

  • Use at least 6 characters
  • Use at least two letters (one uppercase and one lowercase)
  • Use at least one number
  • Use at least non-alphanumeric character: {}[],.;:'"?/|\`~!@#$%^&*()_-+=
  • Change their password every 45 days (a password expiration policy mandated through the network)

Users must not:

  • Use a whole word (a dictionary word)
  • Reuse a previous password
  • Write their password down
  • Store their password in any electronic document
  • Share their password with anyone else

This is an example of a great policy that covers all the bases.  Passwords created under these guidelines would be very difficult for an attacker to retrieve.  Unless both your IT Department and your users are obsessive, however, chances are this policy will not be effective in practice.  Although you can mandate this as a policy, what are the odds you will be able to enforce each one of the points listed above?  There are two main problems with passwords which this policy attempts to address but ultimately will fail to do so.

The two biggest problems with passwords are "memorability" and "shareability".
 
"Memorability" deals with the ability for a user to remember his or her password.  If no policy is in place, the user is likely to pick something very easy to remember, like the name of a child or a favorite sports team, or worst of all, simply "password".  These are fairly easy targets; an attacker can establish these without much effort.  As stricter password policies are implemented, it will be more and more difficult for a user to remember their password. 
 
Take the above restrictions, for example.  An acceptable password that meets all the listed criteria might be "Pa$$w0rd".  This should be fairly easy to remember.  The problem arises in 45 days, when the password must be changed.  The new password may be "pa$$W0rd", the next "pA$$w0rd".  As these passwords are changed, it will be increasingly difficult to remember what combination of letters, cases, numbers, and symbols are used.  It will also be difficult to remember what has been used in the past, since the reuse of a password is restricted.
 
So what does a user do when he or she has a hard time remembering a password?  They write it down.  Often, this is a simple sticky note under the mouse pad, in a desk drawer, or, worst of all, taped to the monitor.  This is obviously not a good practice; passwords that are this easily accessible are just asking to fall into the wrong hands.  Not to mention, these are also the first places an attacker might look.
 
Another trick users do to help remember passwords is to assign a number sequence to them.  For example, "Pa$$w0rd01" followed by "Pa$$w0rd02" and "Pa$$w0rd03".  Sequential passwords can be very insecure; if an attacker somehow figures out the password, all they would have to do is determine what number you are on in the sequence.
 
The best cure for "memorability" problems is to form good password habits.  This might be accomplished by loosening some of your policy restrictions; shortening the frequency of password expiration to reduce the number of password changes, for example.  Even better, have users experiment with different methods of creating passwords.  Use letter combinations to represent phrases that you can remember.  For example, "bBma3.14" could represent "Bye, Bye, Miss American Pie".  Get creative!  Anything that will help you remember your password without needing to write it down.  The trick is to educate users across your organization to help them form good habits; otherwise, the sticky notes will start to appear and that is what you want to prevent!
 
"Shareability" refers to the sharing of passwords.  There are several instances where passwords may be shared between users.  Often, in an environment when multiple users work need access to the same machine, they will simply share one user’s password.  Another common instance of sharing occurs between a manager and an assistant, where the manager needs the assistant to handle a duty that requires the manager’s level of access.  "Shareability" issues can be fixed through the permissions granted to each user account through the network.  A model network should completely prevent the sharing of passwords.  Each user should have access to the resources they need to do their job and should not need to use anyone else’s passwords or share their own.
 
The best policy for passwords is be smart.  Understand what privileges are associated with your password and treat its security accordingly.  I compare a network to a paper office.  There are some documents that are pretty harmless; you may leave these lying on your desk.  There are other documents that are very sensitive; you might keep these in a locked fireproof box.  A network is the same way; there are some items that are very public and some items that are very private.  Chances are you have access to some fairly private, sensitive information.  That access is granted through your password.  Safeguard that password with the same level of security as you would the information it protects.

By, John D. McCall, MCP, Boomer Consulting, Inc.
610 Humboldt, Manhattan, KS  66502
Email: john@boomer.com
Phone: 785-537-2358 / 888-266-6375
Fax: 785-537-4545
 
John D. McCall is the Network Administrator and Webmaster for Boomer Consulting, Inc., an organization devoted to the application of computer technology and management consulting, located in Manhattan, Kansas.

You may like these other stories...

Event Date: May 29, 2014 In this presentation Excel expert David Ringstrom, CPA brings you up to speed on the Excel feature you should be using, but probably aren't. The Table feature offers the ability to both...
No field likes its buzzwords more than technology, and one of today's leading terms is "the cloud." But it's not just a matter of knowing what's fashionable. Accounting professionals who know how to use...
There is a growing trend of accountants moving away from traditional compliance work to more advisory work. Client demand is there, but it is up to the accountants to capitalize on that. What should accountants' roles be...

Upcoming CPE Webinars

Apr 17
In this exciting presentation Excel expert David H. Ringstrom, CPA shares tricks that you can use with pivot tables every day. Remember, either you work Excel, or it works you!
Apr 22
Is everyone at your organization meeting your client service expectations? Let client service expert, Kristen Rampe, CPA help you establish a reputation of top-tier service in every facet of your firm during this one hour webinar.
Apr 24
In this session Excel expert David Ringstrom, CPA introduces you to a powerful but underutilized macro feature in Excel.
Apr 25
This material focuses on the principles of accounting for non-profit organizations' revenues. It will include discussions of revenue recognition for cash and non-cash contributions as well as other revenues commonly received by non-profit organizations.