January 2002
Computer Systems Security in an Internet Age—Passwords

Passwords constitute the most basic form of security. Anyone can attempt to log in to a computer system and say he or she is a particular user, but presumably only that person knows his or her password. Passwords also are one of the biggest areas of vulnerability to businesses. How many times have you walked by a computer and seen a user name and password written on a Post-it note sticking on a monitor or keyboard? How many of your coworkers’ passwords do you know? How many could you guess?

A security system imposes some level of intrusiveness or inconvenience to users; the tighter the security, the more the inconvenience. Current delays at airports nationwide and the additional time to check in for a flight are a trade-off between security and convenience that we gladly make. Computer security is not all that different. The key to an effective security policy and security system is to find a suitable medium where the policy is not so intrusive that it is ignored or unenforceable. Passwords are a good example of this.

Some basic rules and policies can be applied to passwords that will enhance protection of the network, but your users need to take heed. Ponder this: 80 percent of network security breaches occur from inside the network. If your users understand the importance of security, then you will be able to implement some of the suggestions listed below. However, if your users brush off security as an inconvenience and don’t buy into its value and importance to the business, then no level of pleading or policy-setting will make a difference. Users will ignore you, and policy will not be followed.

This ties in to your computer security policy—to be discussed in a future column—which needs to be approved by your management, human resources department and legal counsel, and which needs to be reviewed with employees during orientation and training.
Updates to the policy need to be communicated and made available (posting it on an Intranet is a great way to do this), and annual reminders and sign-off as part of the employee performance appraisal process are a best practice. Focus your attention on middle management, which can emphasize and convey the security message to their staffs.

Now, on to some of the things you can do to improve password security. First, remove all the Post-it notes and visible reminders. This is fundamental. Users need to take this step seriously.

Second, set a minimum password length, and require or strongly encourage users to employ alphanumeric passwords. A password such as “help2you” is much harder to crack or guess than “helpme”; simply adding a number can significantly increase your security.

Then, decide on a frequency for forcing password changes. For some companies, every three months works well, but considering that this is an inconvenience you should put some thought into striking an appropriate balance.

Finally, utilize “intruder lockout” functions so that three or more incorrect log-in attempts suspend the account. This will initially result in more help desk calls to reset accounts, but people will be forced to take security more seriously.

Unfortunately, it is a fact of life in the computer world that the more systems a user accesses, the more user IDs and passwords they have to remember. This was bad enough with internal systems for a typical mid-sized business, often with different IDs for the network, for e-mail, for databases and for software applications. With the addition of the Internet we often have dozens of additional sites to remember and manage, each with their own log-on ID and password. Although web browsers typically have systems to store and remember passwords, this approach is not all that secure. A Single Sign-On solution is a viable alternative.
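The four password rules above (minimum length, alphanumeric mix, forced change every three months, and lockout after three bad attempts) can be enforced in code rather than left to user goodwill. The following is an added illustration, not code from the column or from any product it mentions; the account store, the 8-character minimum and the salted PBKDF2 hashing are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 8                     # assumed minimum; the column sets no number
MAX_AGE = timedelta(days=90)       # the column's "every three months"
LOCKOUT_THRESHOLD = 3              # "three or more incorrect log-in attempts"


def check_strength(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("must mix letters and digits")   # "help2you" passes, "helpme" does not
    return problems


@dataclass
class Account:
    name: str
    salt: bytes          # per-account random salt
    digest: bytes        # PBKDF2 hash; the clear-text password is never stored
    changed: date        # date of the last password change, for the 90-day rule
    failures: int = 0    # consecutive bad attempts since the last success
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(name: str, password: str, today: date = None) -> Account:
    """Refuse to create an account whose password breaks the policy."""
    problems = check_strength(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt), today or date.today())


def login(acct: Account, password: str, today: date = None) -> str:
    """Return 'ok', 'expired', 'denied' or 'locked'; applies lockout and password age."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True            # suspended until the help desk resets it
            return "locked"
        return "denied"
    acct.failures = 0                     # a good log-in clears the counter
    if (today or date.today()) - acct.changed > MAX_AGE:
        return "expired"                  # correct password, but a change is forced
    return "ok"
```

A locked account stays locked until an administrator clears the flag, which is exactly the help desk traffic the column warns to expect.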
Single Sign-On products allow users to sign on to either the network or to another central system, which stores and remembers all of their IDs and passwords and passes them to the program when the log-in screen comes up. Of course, the passwords must be encrypted so they remain secure, even from administrators. One advantage to this approach is that because the password is centralized, it is no longer tied to a specific machine. Sign in to the central system and that system then manages your identity across the network and the Internet. Managing user identity from one central point is, in effect, the holy grail of network identity management. Examples of these types of solutions include Microsoft’s Passport technology, which is part of its web services strategy and is used to access multiple Microsoft systems (and requires programming by each site/vendor to use it), and Novell’s SecureLogin program, which uses Novell’s directory as the repository for other systems’ password information and allows for one log-in to the network.

Next month’s column will focus on alternative forms of authentication besides password security, and how they strengthen security on a network.

Neil Rosenberg is president of Quality Technology Solutions, a network integrator in South Orange, N.J., that specializes in Internet security solutions. He holds technical certifications from Novell, Microsoft and others, and is a 17-year industry veteran. He can be reached at nrosenberg@QTSnet.com.

Editor’s Note: This is the fifth in a series of columns that focus on computer systems security issues and solutions. The intent behind the series is to examine considerations from a business perspective, identify options to improve security, and scrutinize best practices, all in a manner that is understandable to the layperson.
©1997 - 2009 New York State Society of Certified Public Accountants.