Password policy enforcement

Scott Pinzon’s article on password policy enforcement discusses the problems of implementing such a policy within a company. According to a UK study from 2004, employees could be induced to divulge their passwords rather easily: 70% of users would tell a stranger their computer password “in exchange for chocolate”.

However, what if we turn the equation around and devise specific mechanisms that give users an incentive to abide by the password policy? For instance, management could offer any user who follows the policy perfectly for a year a $100 gift certificate. Although it may seem absurd to pay people just to do what they are supposed to be doing already, such an enforcement method may be very effective when weighed against the security risks the company faces when its security is breached.

Compared to the accountability you lose when users share their passwords and turn an individual account into a group account, a hundred bucks is cheap. Compared to the resources compromised on your network when an attacker cracks a 120-day-old password, a hundred bucks is dirt cheap. Compared to the cost of having every user take a class on computer security, a $100 prize is an economical way to generate a security-aware corporate culture.

Although passwords do not provide adequate protection for today’s networks, “username and password” authentication remains the only access credential that most small business networks require. So until new authentication methods such as smart cards, tokens, or other two-factor techniques are in place, we need to make password protection “good enough”.

This blog is run by the authors of Find Protected, an effective information security solution.
