The first step to prevent such attacks is to ensure your organization’s security policies and procedures incorporate strong and comprehensive account and password management processes. A password undergoes certain states of existence, with owners for each state, who are involved in handling those states. These are:
States:
- Password selection or changing the default password
- Change of password after the nth day
- Automatic password expiry
- Auditing of systems for weak passwords

Owners involved in handling these states: change management body, auditors, tools, system administrators and security managers.
The different stages in password management are: creation, administration and review / auditing. Here are the recommended best practices to ensure comprehensive password management.
Using a strong password
A password must be *strong enough* that it cannot easily be recovered by brute-force or dictionary attacks. Selecting a strong password involves criteria such as drawing from several character sets: digits, upper- and lower-case letters and special characters. On the other hand, insisting on highly complex passwords may well leave users unable to remember them.
Ensure your IT security team and security managers explain to users the reason behind strong and complex passwords and teach them ways of remembering such passwords. Functionally, the complexity of a password can be summarized as a function of its length and of the number of character sets available to create it.
Password complexity = f (length, character set).
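The following is an added example, not part of the original article: it turns the relation above into a brute-force search-space estimate (length times log2 of the character-set size) and checks a password against a hypothetical policy (the 12-character, three-class thresholds are assumptions, not the article's). It also shows why the two views can disagree: a long single-class passphrase scores high on the estimate yet fails a class-count rule.

```python
import math
import string

# Character classes a policy typically recognises. The article only states
# the qualitative rule "complexity = f(length, character set)"; these sets
# make that concrete.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def charset_size(password):
    """Size of the smallest standard character set covering the password."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def complexity_bits(password):
    """Brute-force search space in bits: length * log2(character-set size).

    Models the article's f(length, character set). It assumes every character
    was chosen uniformly from the set, so for human-chosen passwords it is an
    upper bound, not a measurement of real guessability.
    """
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def meets_policy(password, min_length=12, min_classes=3):
    """Check a password against a hypothetical policy (assumed thresholds):
    at least min_length characters drawn from at least min_classes classes."""
    return (len(password) >= min_length
            and len(classes_used(password)) >= min_classes)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ["password", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(f"{pw!r}: {complexity_bits(pw):.1f} bits, "
              f"policy ok: {meets_policy(pw)}")
```

Note that a class-count rule rewards "Tr0ub4dor&3"-style substitutions while rejecting the higher-estimate passphrase, which is the memorability tension the text describes.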