Strong password policy

Alistair McDonald’s article on password policy describes the key elements of a corporate security strategy.
Modern corporate life requires considerable diligence, adherence to legislation, and many other distractions from the core business of an organisation. Where computers are concerned, there is potential for abuse of corporate systems, infection of corporate systems with viruses, trojans and other malware, and damage to reputation through hacking and improper use of resources by employees.
Each organisation needs a comprehensive security strategy which provides for the proper location of protected files, authorisation techniques, employees’ access rights, and a strong password policy. Password policy is a key element in creating a comprehensive security strategy.

Password policy should contain the following rules:
1. Never base a password on a single word. A password should be at least eight characters, and ideally 12 or more. The longer a password, the less chance of a hacker breaking it quickly. Concatenating two words produces a longer password, but cracking tools search for joined dictionary words as well, so it is better to misspell one or both of the words so that a straight dictionary approach will not work. Avoid words that can be associated with you or your work (names, the company, products, locations). Prefer a random combination of several unrelated words. You can also replace occasional letters with numbers or punctuation marks, bearing in mind that cracking tools undo the common substitutions (such as 0 for o or @ for a), so substitution alone does not turn a dictionary word into a strong password. Using both upper and lower case will definitely help too.

2. Never write passwords down in an easy-to-read form. If you do write them down, try to disguise them, and never leave them near the PC.

3. Never share accounts or give out passwords.

4. Never use a work password for leisure. Using the same password on more than one system makes the user’s life easier, as there is only one password to remember. Single-sign-on systems can be very useful in the corporate environment, but users should not use their work passwords for any systems they use at home. Some websites and applications do not give their accounts enough protection, so the password may be easily intercepted. If you use the same or similar passwords for a number of services, once an attacker intercepts a single password they can access a large amount of information.

5. Reset accounts as soon as employees leave the firm. Every account that a departing employee has access to should have its password reset as soon as they leave the building. A manager can take control of the accounts if required, but the passwords should be reset as soon as possible. This is vitally important if shared accounts are in use, since a shared password cannot be revoked for one person without being changed for everyone.
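The composition rules in point 1 are the kind of thing that should be enforced mechanically at password-change time rather than left to the user. The following is an added example, written for this page and not taken from the article, of a small policy checker in Python that applies those rules the way a cracking tool would read them: it undoes common letter substitutions before looking words up, rejects a single dictionary word, rejects a straight concatenation of dictionary words, and rejects terms associated with the user or the firm. The word list and the substitution table are constructed here for illustration; a real deployment would load a full dictionary or breached-password list instead, and the function names (`normalize`, `dictionary_split`, `check_password`) are this example's own.

```python
import re

# Constructed stand-in for a real cracking dictionary (a few common
# passwords and words); a real checker loads a full wordlist instead.
WORDLIST = {
    "password", "summer", "winter", "welcome", "dragon", "monkey",
    "letmein", "sunshine", "company", "admin", "secret", "horse",
    "battery", "staple", "correct", "orange", "purple", "london",
}

# Substitutions that cracking rule sets undo before dictionary lookup.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LEN = 8          # hard minimum from the policy
RECOMMENDED_LEN = 12 # "ideally 12 or more"


def normalize(pw):
    """Lower-case, undo leet substitutions, then keep letters only.

    This is the attacker's view of the password: 'P@ssw0rd' becomes
    'password' and is looked up as such.
    """
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def dictionary_split(s, words=WORDLIST):
    """Return a list of dictionary words that exactly cover s, or None.

    Longest-prefix-first with backtracking; this mirrors a combinator
    attack that joins wordlist entries, so 'correcthorse' is found even
    though it is not itself in the list.
    """
    if not s:
        return []
    for i in range(len(s), 0, -1):
        head = s[:i]
        if head in words:
            rest = dictionary_split(s[i:], words)
            if rest is not None:
                return [head] + rest
    return None


def check_password(pw, words=WORDLIST, personal=()):
    """Return a list of policy violations; an empty list means it passes.

    `personal` holds terms associated with the user or the firm
    (name, employer, product names) that must not appear in the password.
    """
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    elif len(pw) < RECOMMENDED_LEN:
        problems.append(f"shorter than recommended {RECOMMENDED_LEN} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper and lower case")

    core = normalize(pw)
    split = dictionary_split(core, words)
    if split is not None and len(split) == 1:
        problems.append("single dictionary word (after undoing substitutions)")
    elif split is not None:
        problems.append("concatenation of dictionary words: " + "+".join(split))

    for term in personal:
        t = normalize(term)
        if t and t in core:
            problems.append(f"contains personal/work term '{term}'")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "correcthorse", "Correkt-H0rse-Bat7ery",
                      "AcmeCorp2024!!"]:
        print(candidate, "->", check_password(candidate, personal=("Acme",)))
```

Note that `P@ssw0rd` fails even though it contains upper case, a symbol and a digit: once the substitutions are undone it is the single word `password`. The misspelt `Correkt-H0rse-Bat7ery` passes because no prefix of its normalised form is in the wordlist, which is exactly the effect point 1 is after. The recursion in `dictionary_split` is fine for real password lengths but would be slow on very long inputs against a large dictionary; a production checker would cap the input length or memoise.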

