Safeguard Your Organization with Proper Password Management
by Rajender Singh - IT Security Consultant - Wednesday, 21 November 2007.
Access control is one way to ensure security in your organization. An intruder can break into your network by compromising accounts with weak passwords. If the compromised account turns out to be a privileged account, or if the intruder escalates privileges, then you may face significant damage to your IT systems.

The first step in preventing such attacks is to ensure that your organization's security policies and procedures incorporate strong, comprehensive account and password management processes. A password passes through a number of states during its life, and each state has an owner who is responsible for handling it:

State                                             Owner
Account creation                                  Change management body
Password selection or changing default password   User
Change password after nth day                     User
Auto password expiry                              System
Auditing systems for weak passwords               Auditors / Tools / System admin / Security manager


The different stages in password management are: creation, administration and review / auditing. Here are the recommended best practices to ensure comprehensive password management.

Using a strong password

A password must be strong enough that it cannot easily be recovered by brute-force or dictionary attacks. A strong password is drawn from a large character set (upper- and lower-case letters, digits and special characters) and is long enough that the resulting search space is impractical to exhaust. On the other hand, insisting on highly complex passwords may well result in users having trouble remembering them.

Ensure your IT security team and security managers explain to users why strong and complex passwords are needed, and teach them techniques for remembering complex passwords. Functionally, the complexity of a password is a function of its length and of the number of character sets it can draw from: with a character set of N symbols there are N^L possible passwords of length L, so every additional character multiplies the attacker's search space by N.

Password complexity = f (length, character set).

Password expiry

Even with a complex password you are not safe indefinitely. An attacker who obtains your password hash can attack it offline, and today's clustered computing environments can exhaust the search space of a short password in days or weeks. It is therefore recommended to change passwords after a fixed number of days. If passwords are rotated every 30 days and an intruder working on your password hash needs 45 days to crack it, you are still secure: the recovered password has already been replaced by another strong one, ahead of the intruder. Note that rotation only bounds the exposure window; a password that falls in hours gains nothing from monthly rotation, so expiry complements complexity rather than replacing it.
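To make the f(length, character set) relation concrete, and to check the 30-day versus 45-day rotation reasoning above against an assumed guessing rate, here is an added example that is not part of the original article. It models a truly random password and an offline attacker making one billion guesses per second (a hypothetical figure chosen for illustration); the policy names and the rotation periods are likewise assumptions. Human-chosen passwords fall to dictionary attacks far faster than these brute-force numbers suggest, so the bit counts are an upper bound on real strength.

```python
import math

# Sizes of the printable-ASCII character classes a password policy can require:
# 26 lower, 26 upper, 10 digits, 33 punctuation/space characters (95 in total).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def charset_size(classes):
    """Number of distinct symbols available when the given classes are allowed."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, charset):
    """Passwords of exactly `length` symbols drawn from `charset` symbols: charset ** length."""
    return charset ** length


def entropy_bits(length, charset):
    """The article's complexity = f(length, character set), in bits: length * log2(charset)."""
    return length * math.log2(charset)


def days_to_exhaust(length, charset, guesses_per_second):
    """Time for an offline attacker to try every password in the space, in days."""
    return keyspace(length, charset) / guesses_per_second / 86400


def survives_rotation(length, charset, guesses_per_second, rotation_days):
    """True if the attacker's expected crack time (half the space, on average)
    is longer than the rotation period, so the password is replaced first.
    Rotation bounds exposure; it does not make an early lucky guess impossible."""
    return days_to_exhaust(length, charset, guesses_per_second) / 2 > rotation_days


def compare_policies(guesses_per_second=1e9, rotation_days=30):
    """Evaluate a few hypothetical policies against an assumed offline guessing rate.
    Returns {policy name: (bits, days to exhaust, survives rotation?)}."""
    all_classes = charset_size(["lower", "upper", "digit", "special"])
    policies = {
        "8 lower-case": (8, charset_size(["lower"])),
        "8 all classes": (8, all_classes),
        "12 lower-case": (12, charset_size(["lower"])),
        "16 all classes": (16, all_classes),
    }
    return {
        name: (round(entropy_bits(n, cs), 1),
               round(days_to_exhaust(n, cs, guesses_per_second), 3),
               survives_rotation(n, cs, guesses_per_second, rotation_days))
        for name, (n, cs) in policies.items()
    }


if __name__ == "__main__":
    for name, (bits, days, ok) in compare_policies().items():
        print(f"{name:14s} {bits:6.1f} bits  {days:16.3f} days to exhaust  "
              f"survives 30-day rotation: {ok}")
```

Two things the table makes visible: twelve lower-case letters carry more bits than eight characters from all four classes, so length is the cheaper lever, and an eight-character full-charset password at the assumed rate is exhausted in about 77 days, so its average crack time (roughly 38 days) survives a 30-day rotation but not a 45-day one.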

Limit number of login attempts

At any point in time an account may be subjected to password cracking attacks, in which the attacker uses scripts or tools to run brute-force or dictionary attacks against specific users or the user population at large. To guard against such attacks, the authentication system must limit the number of (failed) login attempts, after which the account is locked out. The disadvantage of this approach is that a genuine user cannot log in while somebody is actively trying to break into his account; a temporary lockout that clears automatically after a set interval limits that denial of service while still holding the attacker to a handful of guesses per interval.
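The lockout logic described above, as an added example that is not code from the original article: a counter of failed attempts per account, a temporary lock once the limit is reached, and a walkthrough in which an attacker burns the allowed guesses and the genuine user is then refused until the lock expires. The account name, passwords, thresholds and the plaintext credential map are constructed sample data for illustration; a real system would verify against salted hashes.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failed attempts allowed before the account locks
    lockout_seconds: int = 900   # lock clears by itself, bounding the denial-of-service window


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class FakeClock:
    """Deterministic clock so the lockout timeline can be stepped by hand."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class Authenticator:
    def __init__(self, credentials, policy, clock=time.monotonic):
        # credentials maps account -> password (constructed sample data; a real
        # system stores salted hashes and verifies against those instead).
        self._creds = credentials
        self._policy = policy
        self._clock = clock
        self._state = {}

    def attempt(self, user, password):
        """Returns 'ok', 'denied' or 'locked'. Every attempt, correct or not, is
        refused while the lock is active: that is the downside the article notes."""
        state = self._state.setdefault(user, AccountState())
        now = self._clock()
        if now < state.locked_until:
            return "locked"
        # Constant-time comparison; unknown users compare against "" so they
        # follow the same code path as a wrong password.
        expected = self._creds.get(user, "").encode()
        if hmac.compare_digest(expected, password.encode()):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self._policy.max_failures:
            state.failures = 0
            state.locked_until = now + self._policy.lockout_seconds
            return "locked"
        return "denied"


def demo():
    """Attacker uses up the allowed failures, the genuine user is locked out,
    and the lock clears after the interval. Returns the sequence of outcomes."""
    clock = FakeClock()
    auth = Authenticator({"alice": "correct horse battery staple"},
                         LockoutPolicy(max_failures=3, lockout_seconds=60), clock)
    outcomes = [auth.attempt("alice", guess) for guess in ("password", "alice123", "letmein")]
    outcomes.append(auth.attempt("alice", "correct horse battery staple"))  # genuine user, still locked
    clock.now = 61
    outcomes.append(auth.attempt("alice", "correct horse battery staple"))  # lock has expired
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The fixed lockout interval is the simplest mitigation of the lockout denial of service; it caps the attacker at max_failures guesses per interval without requiring an administrator to unlock the account. Reporting "locked" distinctly from "denied" is convenient for the walkthrough but tells a caller that the account exists, so a production system may prefer to return a single generic failure.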

Copyright 1998-2014 by Help Net Security.