A password policy must be designed for the specific production environment in which it will be deployed, and it must reflect that organization's accessibility and security goals on an organization-wide basis. It must therefore be free of ambiguity: every component and aspect of the policy must be precisely defined, detailed and thoroughly documented.
Password Policy Availability
Full compliance with the requirements that follow is not enough on its own. You must also ensure that the password policy is readily available to all users at a moment's notice, and that updates, administrative amendments, emerging threats and the corresponding countermeasures (for example, an instruction to change the current password) are conveyed to all users as quickly as possible.
Password Policy Documentation
Your password policy documentation should detail all requirements pertaining to passwords and password usage across the organization. Consistency across the board is one goal that a well designed and drafted password policy will always address.
Criteria that you will need to consider and document when developing the policy include: assessment and evaluation of the current password policy, password complexity, monitoring and auditing of password-related events, social engineering techniques, user education, default parameters, network reconfiguration, the logon dialogue, and complementary authentication mechanisms.
Current Password and Password Policy Status Assessment
When conducting the initial self-assessment of your organization's current password policies, it is imperative that you do so honestly.
An honest and thorough appraisal is the only way to gain a realistic view of how easy a target you present to someone with malicious intentions. The manner in which you conducted the assessment should then be documented in the password policy, since any element of the current policy may contain flaws that have not yet been discovered.
Note: document the procedures and methodologies, not the contents or results of the analysis of the data collected during the assessment (audit).
Others need to know how to conduct the assessment using the same techniques you did, so that the assessment regime stays uniform and consistent; otherwise any comparative analysis of the collected data has no valid basis. This is especially important when using "before and after" assessment techniques.
It does not follow, however, that they should be granted full access to the data collected or to the conclusions drawn from it. Keep the findings of a password security assessment on a need-to-know basis: the purpose of the assessment is to identify weaknesses so that you can fix them, and until they are fixed the findings are a map of those weaknesses for anyone who obtains them.
Password Parameters and Attributes
The longer and less predictable a password, the harder it is for an attacker to crack, and most attackers will simply move on to easier targets. Note that length contributes far more to strength than character-class rules do: NIST SP 800-63B (2017) recommends a minimum length with no mandatory character classes and no periodic rotation, because forced rules push users toward predictable patterns. The attributes below still describe a defensible baseline:
Require a minimum of eight characters; treat eight as a floor, not a target, and allow (and encourage) much longer passwords
Mixed upper and lower case
Include at least one numeral and one non-alphanumeric character (symbol)
Do not use dictionary words, including dictionary words with trivial substitutions or appended digits ("Passw0rd1!"), which wordlist attacks recover in seconds
Do not use elements that could be guessed or determined by means of social engineering, such as names and dates associated with the intended password user (residential addresses, birth dates, family names, friends' and pets' names etc.)
Use passphrases rather than passwords
Change authentication credentials, including passwords and passphrases, whenever compromise is suspected or a holder leaves; if the policy mandates periodic rotation, do not make the interval predictable, and be aware that forced rotation tends to produce predictable variants of the previous password
Change all default authentication credentials at the earliest possible time, including the default administrator account and password
Limit the number of failed logon attempts before an account is locked or throttled, and rate-limit retries
Do not make physical copies of passwords and, above all, do not leave authentication credentials lying around
Never store passwords in reversible form: store only salted hashes computed with a slow, purpose-built function (bcrypt, scrypt, Argon2 or PBKDF2), and encrypt any credential store that must hold reusable secrets (for example a password manager vault)
Disable the Anonymous and Guest accounts and their access privileges
Apply the above actions to all devices, including modems, switches, routers, workstations, servers, PDAs, firewalls, mobile devices etc.
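The list above is easy to state and easy to get wrong in code. The following is an added example, not code from the original article: a checker that enforces the length, character-class, dictionary and personal-information rules (waiving the character-class rules for long passphrases, an assumption about how the policy treats passphrases), together with salted slow hashing for storage as the "encrypt electronic versions" item requires. The dictionary, the personal-information profile and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8              # the policy's floor from the list above
PASSPHRASE_LENGTH = 16      # assumption: at this length the character-class rules are waived

# Constructed stand-in for a real wordlist; a deployment would load a full
# dictionary plus leaked-password lists.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}


def check_password(password, personal_info=()):
    """Return the list of policy rules the password breaks (empty = accepted).

    personal_info holds strings an attacker could learn by social engineering
    (names, dates, pets, street names); these are rejected wherever they appear.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # A long passphrase is exempt from the character-class rules; the
    # dictionary and personal-information checks below still apply to it.
    if len(password) < PASSPHRASE_LENGTH:
        if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
            failures.append("needs both upper and lower case")
        if not re.search(r"[0-9]", password):
            failures.append("needs a numeral")
        if not re.search(r"[^A-Za-z0-9]", password):
            failures.append("needs a symbol")

    lowered = password.lower()
    # Strip digits and symbols so that "Password1!" is still recognised as
    # the dictionary word it is built on.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY or core in DICTIONARY:
        failures.append("based on a dictionary word")

    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            failures.append(f"contains personal information ({item!r})")
    return failures


def hash_password(password, salt=None):
    """Salted, slow hash for storage (PBKDF2-HMAC-SHA256, 600k iterations).

    scrypt or Argon2 are preferable where available; PBKDF2 is used here only
    because it ships with every Python build. The salt is stored with the hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed profile of the user, as an attacker might assemble it.
    profile = ["Rex", "1987", "Elm Street"]
    for pw in ["Ab1!", "Password1!", "Rex2019!!", "Tr0ub4dor&3",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, profile) or 'OK'}")
    record = hash_password("Tr0ub4dor&3")
    print(verify_password("Tr0ub4dor&3", record), verify_password("Tr0ub4dor&4", record))
```

Two design points matter in practice: the dictionary check runs on the password with digits and symbols stripped, so the common "word plus 1!" pattern is rejected, and verification compares the recomputed hash with `hmac.compare_digest` rather than `==` so that a timing difference does not leak how many leading bytes matched.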
Logging, Accounting and Auditing
With logon auditing enabled you can record successful and failed system and network logon attempts, including the account name, the source and the time. Patterns in that data (repeated failures against one account, failures against many different accounts from a single source, or a success immediately following a burst of failures) very often point to the presence of an intruder, or to an insider attempting to reach system and network resources for which their account does not hold the necessary privileges.
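The patterns just described are simple to detect once the log is parsed. The following is an added example, not part of the original article: it runs over a handful of constructed log lines written in the style of OpenSSH's syslog messages (an assumption about the log format; adapt the regular expression to your own source) and flags three things: a source exceeding the failure threshold within a time window, a source failing against many distinct accounts (password spraying), and a successful logon from a source that had just failed repeatedly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, OpenSSH-style; not taken from a real system.
LOG_LINES = """\
2024-03-04T09:12:01 host1 sshd[1021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-04T09:12:03 host1 sshd[1021]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-03-04T09:12:05 host1 sshd[1021]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-04T09:12:07 host1 sshd[1021]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-03-04T09:12:09 host1 sshd[1021]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-04T09:12:40 host1 sshd[1030]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2024-03-04T10:01:00 host1 sshd[1100]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-04T10:01:00 host1 sshd[1101]: Failed password for bob from 198.51.100.4 port 40001 ssh2
2024-03-04T10:01:01 host1 sshd[1102]: Failed password for carol from 198.51.100.4 port 40002 ssh2
2024-03-04T10:01:01 host1 sshd[1103]: Failed password for dave from 198.51.100.4 port 40003 ssh2
2024-03-04T11:30:00 host1 sshd[1200]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
2024-03-04T11:31:00 host1 sshd[1201]: Failed password for alice from 192.0.2.10 port 50001 ssh2
2024-03-04T11:31:20 host1 sshd[1202]: Accepted password for alice from 192.0.2.10 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(text):
    """Turn raw lines into events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def analyse(events, threshold=4, window=timedelta(minutes=5)):
    """Sliding-window analysis per source address.

    brute_force: sources with >= threshold failures inside the window.
    spray: sources failing against >= threshold distinct accounts in the window.
    success_after_failures: (src, user) pairs where a success followed
    three or more failures from the same source; the thresholds are assumptions.
    """
    findings = {"brute_force": set(), "spray": set(), "success_after_failures": []}
    failures = defaultdict(list)  # src -> [(ts, user), ...] still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [f for f in failures[ev["src"]] if ev["ts"] - f[0] <= window]
        if ev["ok"]:
            # The attacker finally supplied the right password: investigate.
            if len(recent) >= 3:
                findings["success_after_failures"].append((ev["src"], ev["user"]))
        else:
            recent.append((ev["ts"], ev["user"]))
            if len(recent) >= threshold:
                findings["brute_force"].add(ev["src"])
            if len({user for _, user in recent}) >= threshold:
                findings["spray"].add(ev["src"])
        failures[ev["src"]] = recent
    return findings


if __name__ == "__main__":
    for name, value in analyse(parse(LOG_LINES)).items():
        print(f"{name}: {sorted(value)}")
```

The third finding is the one worth paging someone for: lockout and rate limiting address the first two, but a success after a run of failures means the account's password was within the attacker's reach and should be reset and the session reviewed. Note also that the spray detection keys on distinct accounts, which is why a per-account lockout threshold alone does not stop it.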
User Education
Your password policy will need to address the issue of ongoing user education. User education is critical in the development of a "security aware culture". Keep in mind that lapses by users are the most common means by which attackers obtain authentication credentials, including logon account name and password pairs.
Well-informed users are also far less likely to fall victim to phishing and social engineering attacks, which raises the organization's overall resistance to these types of attack.
Password Policy Compliance
It is essential that all users understand that compliance with the actions detailed in your password policy is not optional: password policy compliance is mandatory. Many organizations develop their own in-house acceptable use policy covering most company property, including computers, and require employees to sign it as acknowledgement that they will, to the best of their ability, comply with its provisions, including adherence to the company's Password Policy.