Network Security and Password Policies

By Robin L. Wakefield

Passwords are the most common form of authentication for accessing computer systems, files, data, and networks. But are they really secure? Most of us use them every day, change them frequently, and perhaps even see them posted in plain view on employee monitors.

The SANS Institute indicates that weak or nonexistent passwords are among the top 10 most critical computer vulnerabilities in homes and businesses. A compromised password is an opportunity for someone to explore files and accounts, and even obtain administrative privileges, undetected. Federal regulations (e.g., the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act) mandate the security of confidential client information. The rising threat of litigation is prompting organizations to seriously evaluate computer security measures. Creating impenetrable passwords is a reasonable measure to enhance system security.

Security experts at the SANS Institute predict major liability lawsuits for companies whose computer systems exhibit security lapses. Security breaches not only put firms at risk of litigation for failing to protect confidential information, they can also lead to financial losses.

Passwords are commonly used to gain access to websites storing confidential financial information. They often enable users to execute and authenticate commercial and financial transactions. A compromised company password may lead to fraud, illegal activities, unauthorized transactions, or public disclosure of private information.

The most common password vulnerabilities include user and administrative accounts with weak or nonexistent passwords and the lack of company policy to adequately protect passwords. Effective measures to reduce network vulnerability and increase security include the implementation of policies that outline important password habits, and proactive verification of password integrity.

Weak Passwords

One recent example illustrates how effortlessly major breaches can result from weak passwords. In November 2002, a journalist penetrated the e-mail account of Saddam Hussein in Iraq with only one guess at the password. Many networked organizations believe their security measures adequately protect their information, yet computer programs to decode passwords are available and effective (see the Exhibit). Short passwords are ineffective against intruders bent on gaining access to a system.

Passwords must be memorized and frequently changed. This inconvenience leads employees to post passwords in plain view or have them written down in a nearby drawer. Access to confidential client or firm information may be as easy as rummaging through a desk.

To aid their memory, users often include part of a phone number, family name, Social Security number, or birth date in their passwords. Users may believe that personal information is unobtainable, but it is collected by various organizations and is often readily available through databases. Those looking to penetrate a system are well aware of how to access this stored data. In addition, users often recycle old passwords when creating new ones. These characteristics of weak passwords are potentially significant security threats.

Strong Passwords

As the Exhibit indicates, strong passwords are longer. Increasing the length of a password by just one character significantly increases the time and effort required to discover the exact combination of letters and numbers. A truly impenetrable password is not possible, but a strong password requires a lot of time and powerful computer systems to crack. Strong passwords integrate all of the following features:

  • At least eight characters in length
  • A combination of letters of mixed case, and numbers
  • Easily typed
  • Something known only to the user (i.e., not present in any database)
  • Not found in an English or foreign language dictionary
  • Never shared
  • Never written down.

Companies can adopt effective strategies for the creation of lengthy as well as memorable passwords. One such strategy could involve combining the first letter of the words in the title of the user’s favorite song with his anniversary date. For example, RDkFh0982 is a strong password and one highly unlikely to be found in any dictionary. It combines the letters in “Rain Drops Keep Falling on my Head” with a personally significant date, September 1982. Another strategy might be to combine the first letters in the name of the user’s alma mater with a memorable date or significant time. The key to an effective password is to combine creativity with memorability.
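A policy checker for the criteria listed above, written as an added example rather than code from the article: it assumes a constructed mini dictionary and constructed personal details, and treats "not recycled" as "not a previous password with only its trailing digits changed". The song-title password from the text passes; a short dictionary word, a name-plus-birth-year, and a bumped old password do not.

```python
import re

# Constructed sample data standing in for a full dictionary wordlist and for the
# personal details an intruder could look up. Assumption: a real deployment would
# load a complete wordlist and pull user attributes from the directory.
DICTIONARY = {"password", "raindrops", "baylor", "welcome", "summer"}
PERSONAL_INFO = {"name": "Wakefield", "birth_year": "1971", "phone": "5551234"}


def check_password(pw, history=(), personal=PERSONAL_INFO, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("missing mixed-case letters")
    if not re.search(r"[0-9]", pw):
        problems.append("missing digits")
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    # A dictionary word used whole, or with digits merely tacked on, is still a dictionary word.
    if lowered in dictionary or letters_only in dictionary:
        problems.append("dictionary word")
    # Personal data (family name, birth year, phone fragment) is obtainable from databases.
    for label, value in personal.items():
        if len(value) >= 4 and value.lower() in lowered:
            problems.append(f"contains personal info ({label})")
    # Recycling: exact reuse, or the same stem with a different trailing number.
    stem = re.sub(r"\d+$", "", lowered)
    for old in history:
        if lowered == old.lower() or stem == re.sub(r"\d+$", "", old.lower()):
            problems.append("recycles a previous password")
            break
    return problems


def is_strong(pw, history=()):
    """True when the password meets every checkable criterion."""
    return not check_password(pw, history)
```

The "easily typed", "never shared", and "never written down" criteria are behavioural and cannot be verified by code; they belong in the written policy and in user training.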

Password Policies

Employees should be informed of the vulnerability of computer systems and the potential risks to clients, the company, and their jobs should networks or files be penetrated. Policies that strengthen computer security incorporate a legal defense strategy and also demonstrate responsibility toward clients. Effective policies include password administration and control guidelines, as well as password creation procedures.

Because computer security threats are internal as well as external, information security policies should answer the following questions:

  • Access to information:
    • Who has access to particular databases, files, or networks?
    • Who can perform e-commerce activities for the company?
    • Who can access client records?
    • Who can access company records?
    • How is access determined?
    • How is access managed (e.g., passwords, physical location, separation of duties)?
  • Passwords:
    • Who has access to passwords?
    • Which files, databases, or networks require passwords?
    • Are passwords protected?
    • Are passwords the required length?
    • How often are passwords changed?
    • Are passwords recycled?
    • Are access denials due to incorrect passwords monitored?
  • Reporting security incidents:
    • What constitutes a security incident?
    • How are security incidents documented?
    • Who is informed?
    • What specific remedies are available?
  • Periodic review of security policies and procedures:
    • Who performs the review, and how often?
    • How comprehensive is the review?
    • Who evaluates the review, and how is it documented?

Robin L. Wakefield, PhD, CPA, is an assistant professor in MIS at Baylor University.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.