396
A Practical Guide to Security Assessments
9. Does the user ID administration policy or procedure provide any guidelines about having strong passwords (e.g., minimum password length, use of different types of characters)?
Guidance:
Passwords are a first line of defense in the overall information security program. Strong passwords can significantly enhance the organization's overall security posture, while weak passwords undermine it. Commonly known best practices for strong passwords can be adopted as standards for the organization. What is appropriate really depends on the company and its current password practices; for example, it might be too much to go directly from very weak passwords (e.g., an individual's name, the company name, or the word "password") to very strong passwords consisting of upper- and lowercase letters, numbers, and special characters. When reviewing password strength, consider the following:
• Trying to make users have strong passwords is often a cultural battle, which requires strong management support.
• If stronger passwords are required, calls to the help desk will go up at least temporarily and possibly permanently.
• Enforcing strong passwords is much more feasible if the system enforces them automatically.
Risk:
The risk associated with weak passwords is that they can be guessed
and then used to gain unauthorized access to IT resources. Commercial
tools as well as freeware, which is readily available on the Internet, can be
used to guess weak passwords in a matter of minutes.
Client Response:
10. Does the system have the ability to enforce password controls and, if so, is the company taking advantage of it? If not, why not? Some examples of system-level enforcement include:
• Validation of password strength
• Passwords being forced to change at regular intervals
• Passwords not being recycled within a certain period of time
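The three system-level controls listed above, together with the strength rules from item 9, as an added example that is not part of the book: a small Python password-policy enforcer that validates strength, forces a change once a password reaches a maximum age, and rejects reuse of recent passwords. The thresholds (12 characters, three of four character classes, 90-day maximum age, ten-password history), the blocklist words, the sample account and passwords, and the PBKDF2 cost are all assumed values for illustration, not figures the book prescribes.

```python
"""Added example: system-enforced password controls (strength, maximum age,
no reuse). All thresholds and blocklist words are assumed, not from the book."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# --- Assumed policy parameters (illustrative, not the book's values) ----------
MIN_LENGTH = 12               # minimum password length
MIN_CLASSES = 3               # of: lowercase, uppercase, digit, other
MAX_AGE = timedelta(days=90)  # force a change once the password is this old
HISTORY_DEPTH = 10            # reject reuse of any of the last N passwords
PBKDF2_ITERATIONS = 50_000    # kept low for a demo; tune much higher in production
# Constructed blocklist standing in for "the word password" and common defaults.
BLOCKLIST = {"password", "welcome", "letmein", "qwerty"}


def strength_violations(password: str, username: str = "", company: str = "") -> list[str]:
    """Return every policy rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, policy requires {MIN_CLASSES}")
    # Reject passwords built from the user's own name or the company name,
    # the weak choices the guidance in item 9 calls out.
    lowered = password.lower()
    for word in sorted(BLOCKLIST | {username.lower(), company.lower()}):
        if len(word) >= 3 and word in lowered:
            problems.append(f"contains blocked word {word!r}")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history never holds cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # oldest first, newest last

    def must_change(self, now: datetime) -> bool:
        """True when no password is set or the current one has reached MAX_AGE."""
        if not self.history:
            return True
        return now - self.history[-1].set_at >= MAX_AGE

    def was_used_before(self, password: str) -> bool:
        """Recycle check: rehash the candidate under each retained salt and compare."""
        for rec in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(password, rec.salt), rec.digest):
                return True
        return False

    def change_password(self, new_password: str, now: datetime, company: str = "") -> list[str]:
        """Apply the policy; store the new password only if every check passes."""
        problems = strength_violations(new_password, self.username, company)
        if self.was_used_before(new_password):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append(PasswordRecord(salt, _digest(new_password, salt), now))
        return []


def demo() -> dict:
    """Walk a constructed account through the lifecycle and return each outcome."""
    acct = Account("jsmith")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    out = {"needs_initial": acct.must_change(t0)}
    out["first_set"] = acct.change_password("Tr0ub4dor&3xp", t0, company="Acme")
    out["stale_at_89d"] = acct.must_change(t0 + timedelta(days=89))
    out["stale_at_90d"] = acct.must_change(t0 + MAX_AGE)
    out["reuse_rejected"] = acct.change_password("Tr0ub4dor&3xp", t0 + MAX_AGE)
    out["near_miss_reused"] = acct.was_used_before("Tr0ub4dor&3xq")
    out["second_set"] = acct.change_password("C0rrect-Horse-Battery", t0 + MAX_AGE)
    out["history_len"] = len(acct.history)
    return out


if __name__ == "__main__":
    print(strength_violations("password"))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. Password history is stored as salted hashes, so the reuse check cannot leak old passwords, but that means a candidate must be rehashed under every retained salt (one PBKDF2 run per history entry) and compared with a constant-time comparison. And a manual audit could not perform any of these checks at change time; the system-level hook is what makes the rules apply to every user on every change.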
Guidance:
Good password management is almost impossible to enforce manually. You can perform periodic audits to try to force users to have strong passwords that are changed at regular intervals, but this method of enforcement is very ineffective: the policy applies to every user, and a manual audit cannot check every user. The most effective way to enforce good password management practices is to let the system enforce them. If these enforcement features are available, they should be used; if they are not, there should be justification. You may find cases where companies are reluctant to use these features
AU1706_book.fm Page 396 Wednesday, July 28, 2004 11:06 AM