EasySBC EasySBS Product Support

Password Policies

The combination of a user name and password is the first, and in many cases the most important, layer of network security available.  Access to the network and its resources is granted based on the user name provided.  A user's network user name is a relatively well-known and publicly used identity: it is used to send email, author documents, and access resources on the network.  This identity is trusted because the end user possesses a secret attached to it, the password.

A password is a secret used to validate the identity of a user and to protect the network and its users from unauthorized access.  The only thing protecting the integrity of that network, then, is the password.  If a user name and password combination is compromised, the integrity of the network's security and of the resources it protects has also been compromised.

The Policy

Generally, a Password Policy is put into effect on a network by the network's administration.  This policy affects several aspects of passwords and how they relate to network security.  The characteristics of a network password are controlled so that they are consistent throughout the organization and conform to certain rules when passwords are created, changed, or stored.

This policy can be enforced technologically or procedurally.

Password characteristics are:

  • Length – The minimum password length setting determines the least number of characters a user account's password may contain. The value can be set between 1 and 14 characters, or set to 0 to establish that no password is required.
  • Complexity – Passwords must contain three (3) of the following four (4) types of characters:
    • Lower case characters – the letters "a" – "z"
    • Upper case characters – the letters "A" – "Z"
    • Numbers – the numbers "0" – "9"
    • Special characters – the characters
      [ ! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : ' " , . < > / ? ` ~ \ | ]
  • Expiration – all users on the network will be forced to change their password at least every forty-five (45) days. A reminder is given when the user logs on to the network, starting ten (10) days before the password must be changed.
  • History – passwords cannot be reused. A network user must use five (5) unique passwords before being allowed to reuse an old password.
  • Minimum Age – passwords may not be changed more frequently than once per day. This setting prevents users from changing their password five (5) times in quick succession to bypass the History requirement.

To adequately protect against a brute force attack, a minimum password length of at least 8 characters is required, in conjunction with password complexity and a Lockout Policy.  In most environments an eight-character minimum is recommended because it is long enough to provide adequate security and still short enough for users to remember easily.
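The following Python is added here as an illustration of how the characteristics above, plus the eight-character minimum, would be enforced when a user submits a new password; it is not the product's own enforcement code. The special-character set is the list from the Complexity bullet (the curly quotes there are read as the plain ' and " characters), and ages are passed as day counts so the checks are easy to try by hand.

```python
"""Password-policy checker for the Length, Complexity, History, Minimum Age
and Expiration rules of the policy above.  Added example, not product code."""
from typing import List, Optional, Set

MIN_LENGTH = 8       # recommended minimum length
MAX_AGE_DAYS = 45    # Expiration: forced change at least every 45 days
WARN_DAYS = 10       # reminder window before expiration
HISTORY_SIZE = 5     # History: five unique passwords before reuse
MIN_AGE_DAYS = 1     # Minimum Age: at most one change per day

LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGIT = set("0123456789")
# Special characters as listed in the Complexity bullet.
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?`~\\|")


def character_classes(pw: str) -> Set[str]:
    """Return the names of the character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch in LOWER:
            classes.add("lower")
        elif ch in UPPER:
            classes.add("upper")
        elif ch in DIGIT:
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def check_new_password(new: str, history: List[str],
                       days_since_change: Optional[int]) -> List[str]:
    """Return the list of policy violations for a proposed change.

    An empty list means the change is allowed.
    history:           previous passwords including the current one, most
                       recent first (plaintext here only for illustration;
                       a real system would compare stored hashes)
    days_since_change: days since the last change, or None for a new account
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"length {len(new)} < {MIN_LENGTH}")
    if len(character_classes(new)) < 3:
        problems.append("fewer than 3 of 4 character classes")
    if new in history[:HISTORY_SIZE]:
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    if days_since_change is not None and days_since_change < MIN_AGE_DAYS:
        problems.append("changed less than one day ago")
    return problems


def expiry_status(days_since_change: int) -> str:
    """'ok', 'warn' (inside the 10-day reminder window) or 'expired'."""
    if days_since_change >= MAX_AGE_DAYS:
        return "expired"
    if days_since_change >= MAX_AGE_DAYS - WARN_DAYS:
        return "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: the page's own worked example and one longer variant.
    for candidate in (")ct0pu5", ")ct0pu5!"):
        print(candidate, "->", check_new_password(candidate, [], None) or "accepted")
    for age in (30, 35, 45):
        print(f"age {age} days -> {expiry_status(age)}")
```

Note that the History check is satisfied by a list of the last five passwords, so the current password plus four earlier ones; combined with the Minimum Age check a user cannot cycle through five changes in one day to get back to a favourite.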

The Lockout

To protect the network and its users from unauthorized entry, a Lockout Policy has been implemented on the network to limit the exposure of the network's user names and passwords to the outside world.  If a user repeatedly attempts to log on to the network without success, the account is disabled for a period of time.  This policy is designed to prevent outsiders from using scripts and password-guessing programs to guess a user's password.

• Threshold – any account used in more than four (4) failed logon attempts in quick succession will be locked out automatically.
• Duration – once an account has been locked out, it will be unusable for thirty (30) minutes. After the lockout duration has expired the user can log on to a network workstation again and continue as normal. A user can contact a network administrator to have the account unlocked before the lockout duration expires.
• Reset – when a logon attempt with a bad password is made, a counter is started to track the number of bad-password attempts on that account. The counter is reset five (5) minutes after the last bad attempt or when a successful logon occurs, whichever comes first.
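To make the interaction between Threshold, Duration and Reset concrete, here is an added example (not the product's own logon code) that models one account's lockout state and replays a constructed sequence of logon attempts against it. It assumes "more than four" means the fifth failed attempt locks the account, that a locked account rejects even the correct password until the duration expires, and it measures time in minutes from an arbitrary start.

```python
"""Account-lockout state machine for the Threshold, Duration and Reset
settings above.  Added example, not product code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

THRESHOLD = 5        # "more than four (4)" failures: the fifth failure locks (assumption)
DURATION_MIN = 30    # Duration: locked for thirty minutes
RESET_MIN = 5        # Reset: counter clears five minutes after the last failure


@dataclass
class Account:
    password: str                          # plaintext only for illustration
    bad_count: int = 0                     # bad-password attempts in the current window
    last_bad: Optional[float] = None       # time of the most recent failure
    locked_until: Optional[float] = None   # end of the current lockout, if any

    def attempt(self, now: float, password: str) -> str:
        """Process one logon attempt at time `now`: 'ok', 'bad-password' or 'locked'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                # A locked account rejects every attempt, correct password or not,
                # so continuing to guess during the lockout gains the attacker nothing.
                return "locked"
            self.locked_until = None       # lockout expired: start afresh
            self.bad_count = 0
        if self.last_bad is not None and now - self.last_bad >= RESET_MIN:
            self.bad_count = 0             # Reset window elapsed since the last failure
        if password == self.password:
            self.bad_count = 0             # a successful logon also resets the counter
            self.last_bad = None
            return "ok"
        self.bad_count += 1
        self.last_bad = now
        if self.bad_count >= THRESHOLD:
            self.locked_until = now + DURATION_MIN
            return "locked"
        return "bad-password"

    def admin_unlock(self) -> None:
        """An administrator clears the lockout before the duration expires."""
        self.locked_until = None
        self.bad_count = 0
        self.last_bad = None


# Constructed sequence: five rapid guesses, the correct password during the
# lockout, the correct password after it, then guesses spaced so that the
# Reset window keeps the counter below the threshold.
SAMPLE_ATTEMPTS: List[Tuple[float, str]] = [
    (0.0, "guess1"), (1.0, "guess2"), (2.0, "guess3"), (3.0, "guess4"),
    (4.0, "guess5"),            # fifth failure: locked until t=34
    (5.0, "correct-horse"),     # right password, but still locked
    (35.0, "correct-horse"),    # lockout over: ok
    (40.0, "guess6"), (41.0, "guess7"),
    (50.0, "guess8"),           # 9 min since last failure: counter reset, now 1
    (51.0, "guess9"), (52.0, "guess10"), (53.0, "guess11"),   # counter reaches 4, no lockout
]


def simulate(attempts=SAMPLE_ATTEMPTS, password="correct-horse") -> List[str]:
    """Replay a list of (time, password) attempts against a fresh account."""
    acct = Account(password=password)
    return [acct.attempt(t, pw) for t, pw in attempts]


if __name__ == "__main__":
    for (t, pw), result in zip(SAMPLE_ATTEMPTS, simulate()):
        print(f"t={t:5.1f}  {pw:14s} -> {result}")
```

The replay shows the practical effect of the Reset setting: a guesser who spaces attempts more than five minutes apart never trips the threshold, so the lockout limits the rate of guessing rather than the total number of guesses, which is why the length and complexity rules above still matter.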

Changing Passwords

Changing passwords periodically is a requirement for all users of the network. Every time a password is used it runs the risk of being compromised. Because of this, passwords are forced to change periodically to limit that exposure.

Users can change their password from any machine connected to the network, but must currently be logged on to a workstation to do so. This requirement prevents unauthorized users from attempting to change your password.

You should also be careful about where you save your password on your computer. Some dialog boxes, such as those for remote access and other dial-up connections, offer an option to save or remember your password. Do not select that option.

To change a password while logged on, press CTRL+ALT+DELETE and click the Change Password button in the Security dialog box. You will be prompted to enter your old password and then your new password twice.

The Trick

Creating good passwords can be a challenge. The fact of the matter is that the easier a password is to remember, the easier it is to crack, and vice versa. Good passwords therefore take some effort to memorize. Several rules and an example for creating good passwords are given below.

1. Do not use names or dates of events and people that are easily traceable to you; for example, the name of your spouse or your anniversary are bad passwords.
2. Do not remember your password by placing it on a post-it note attached to your monitor or under your keyboard; in fact, do not store your password on paper at all.
3. Select a password that has some obscure meaning to you so that it is easy to remember, like the title of your favorite song.
4. Password-cracking programs use dictionaries (word lists) to guess passwords. Change letters in your password to numbers and special characters where they substitute easily; for example, the letter "E" looks like the number "3" backwards, the letter "O" looks like "0", and so on. Use your imagination.

An Example

1. Pick a word or string of words that is easy to remember: Octopus
2. Change the letters that look like numbers to numbers. In this example the letters "o" and "s" look like the numbers "0" and "5" respectively: 0ct0pu5
3. Remember that you have upper and lower case available to you. The capital "O" in Octopus became the number "0"; keep its case, and SHIFT-"0" is ")": )ct0pu5
Now that's a good password.

Note: please do not use this example password as your own; it is easy to guess now, and at seven characters it is also one short of the eight-character minimum recommended above.

Password Hints

 • Never share your password with anyone.
 • Never use your network logon password for another purpose.
 • Use different passwords for your network logon and the Administrator account on your computer.
 • Change your network password every 30 to 60 days, or as often as required in your specific environment.
 • Change your password immediately if you think it has been compromised.

Author

WebMaster