Security and Password Policies
Robin L. Wakefield
Passwords are the most common form of authentication for accessing computer systems, files, data, and networks. But are they really secure? Most of us use them every day, change them frequently, and perhaps even see them posted in plain view on employee monitors. The SANS Institute lists weak or nonexistent passwords among the top 10 most critical computer vulnerabilities in homes and businesses. A compromised password is an opportunity for someone to explore files and accounts, and even obtain administrative privileges, undetected. Federal regulations (e.g., the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act) mandate the security of confidential client information. The rising threat of litigation is prompting organizations to seriously evaluate computer security measures. Creating impenetrable passwords is a reasonable measure to enhance system security.
Experts at the SANS Institute predict major liability lawsuits for companies whose computer systems exhibit security lapses. Security breaches not only put firms at risk of litigation for failing to protect confidential information; they can also lead to financial losses.
Passwords are commonly used to gain access to websites storing confidential financial information. They often enable users to execute and authenticate commercial and financial transactions. A compromised company password may lead to fraud, illegal activities, unauthorized transactions, or public disclosure of private information.
The most common password vulnerabilities include user and administrative accounts with weak or nonexistent passwords and the lack of company policy to adequately protect passwords. Effective measures to reduce network vulnerability and increase security include the implementation of policies that outline important password habits, and proactive verification of password
A recent example illustrates how effortlessly major breaches can result from weak passwords. In November 2002, a journalist penetrated the e-mail account of Saddam Hussein in Iraq with only one guess at the password. Many networked organizations believe their security measures adequately protect their information. Computer programs to decode passwords are available and effective (see the Exhibit). Short passwords are ineffective against intruders bent on gaining access to a system.
Passwords must be memorized and frequently changed. This inconvenience leads employees to post passwords in plain view or to write them down in a nearby drawer. Access to confidential client or firm information may be as easy as rummaging through
To aid their memory, users often include part of a phone number, family name, Social Security number, or birth date in their passwords. Users may believe that such personal information is unobtainable, but it is collected by various organizations and is often readily available through databases. Those looking to penetrate a system are well aware of how to access this stored data. In addition, users often recycle old passwords when creating new ones. These characteristics of weak passwords are potentially significant security threats.
As the Exhibit indicates, strong passwords are longer. Increasing the length of a password by just one character significantly increases the time and effort required to discover the exact combination of letters and numbers. A truly impenetrable password is not possible, but a strong password requires a lot of time and powerful computer systems to crack. Strong passwords integrate all of the following:
At least eight characters in length
A combination of letters of mixed case, and numbers
Something known only to the user (i.e., not present in
Not found in an English or foreign language dictionary
Never written down.
Users can adopt effective strategies for creating passwords that are lengthy as well as memorable. One such strategy could involve combining the first letter of each word in the title of the user’s favorite song with his anniversary date. For example, RDkFh0982 is a strong password and one highly unlikely to be found in any dictionary. It combines the first letters of “Rain Drops Keep Falling on my Head” with a personally significant date, September 1982. Another strategy might be to combine the first letters in the name of the user’s alma mater with a memorable date or significant time. The key to an effective password is to combine creativity with memorability.
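As an added illustration (not part of the original article), the following Python checker applies the strength criteria listed above to candidate passwords, including the RDkFh0982 example, and estimates the brute-force search space to show what one extra character buys. The word list, the personal-data tokens, and the one-billion-guesses-per-second rate are constructed assumptions, not figures from the article or its Exhibit.

```python
import math
import re

# Character classes the article's criteria refer to (mixed-case letters and digits);
# symbols are counted too so the search-space estimate is not understated.
CLASSES = (
    ("lower", re.compile(r"[a-z]"), 26),
    ("upper", re.compile(r"[A-Z]"), 26),
    ("digit", re.compile(r"[0-9]"), 10),
    ("symbol", re.compile(r"[^A-Za-z0-9]"), 33),
)
MIN_LENGTH = 8  # the article's "at least eight characters"

# Constructed stand-in for a word list; a real checker would load a full
# English and foreign-language dictionary from disk.
DICTIONARY = {"password", "raindrops", "welcome", "letmein", "baseball"}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search, given the classes actually present."""
    return sum(size for _, pattern, size in CLASSES if pattern.search(password)) or 1


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates a brute-force search must cover."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to enumerate the whole space at an assumed (constructed) guess rate."""
    return charset_size(password) ** len(password) / guesses_per_second


def policy_violations(password: str, personal_tokens=()) -> list[str]:
    """Return the article's criteria the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    present = {name for name, pattern, _ in CLASSES if pattern.search(password)}
    if not {"lower", "upper", "digit"} <= present:
        problems.append("needs mixed-case letters and digits")
    if re.sub(r"[^a-z]", "", password.lower()) in DICTIONARY:
        problems.append("letter portion is a dictionary word")
    # Personal data the article warns about (phone, family name, SSN, birth date),
    # supplied by the caller from the user's own records.
    if any(tok and tok.lower() in password.lower() for tok in personal_tokens):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for pw in ("Rd1", "Password1", "RDkFh0982", "RDkFh0982x"):  # constructed samples
        print(pw, policy_violations(pw, ["5551212", "Smith"]),
              f"{search_space_bits(pw):.1f} bits", f"{seconds_to_exhaust(pw):,.0f} s")
```

Going from nine to ten mixed-case alphanumeric characters multiplies the worst-case search by 62, which is the article's point about adding a single character.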
Employees should be informed of the vulnerability of computer systems and the potential risks to clients, the company, and their own jobs should networks or files be penetrated. Policies that strengthen computer security incorporate a legal defense strategy and also demonstrate responsibility toward clients. Effective policies include password administration and control guidelines, as well as password creation procedures.
Because computer security threats are internal as well as external, information security policies should answer the following:
Access to information:
Who has access to particular databases, files, or networks?
Who can perform e-commerce activities for the company?
Who can access client records?
Who can access company records?
How is access determined?
How is access managed (e.g., passwords, physical location,
separation of duties)?
Who has access to passwords?
Which files, databases, or networks require passwords?
Are passwords protected?
Are passwords the required length?
How often are passwords changed?
Are passwords recycled?
Are access denials due to an inaccurate password monitored?
Reporting security incidents:
What constitutes a security incident?
How are security incidents documented?
Who is informed?
What specific remedies are available?
Periodic review of security policies and procedures:
Who performs the review, and how often?
How comprehensive is the review?
Who evaluates the review, and how is it documented?
Robin L. Wakefield, PhD, CPA, is an assistant professor in MIS at Baylor University.