Passwords, Policy and Protection
Recently, I wrote about the importance of securing portable devices like laptops and external hard drives, in which encryption can play a large role in protecting data if the device is lost or stolen.
The reality is that encryption is still not widely used. Passwords, long considered the first line of defense against stolen data, carry much of the load in countless businesses. When I worked for the local university, for example, I was required to change my network password every 60 days, and the new password couldn't be similar to the previous password, nor could I repeat passwords at any time. The idea, of course, was to decrease the risk of someone breaking into the system through my user name and password, and so to keep the wrong person from gaining access to student and employee information.
But are passwords an effective means of security protection? Perhaps not. First of all, we've become lackadaisical about password use. As Eric Ogren wrote in a SearchSecurity.com blog, even if company policy requires business passwords to be changed frequently, employees who use work computers for personal use often keep user ID and password information stored for automatic logon, leaving the computer vulnerable and dependent on another organization's security program to safeguard information. Ogren added, "Making matters even more difficult for IT is the changing nature of the threat landscape. Attackers are finding it more effective to harvest passwords from keystroke loggers, Trojans or phishing scams."
There are all the long-standing bits of advice on passwords, such as those in this helpful password protection document on IT Business Edge's Knowledge Network: don't use your kid's name or your phone number, change passwords frequently, and don't write your password down and keep it near your computer. Ogren suggested the use of two-factor authentication as a method of more secure password protection.
At the very least, according to the Microsoft Malware Protection Center:
"You should take good care of what user name and password you're choosing. If your account has no limit on the number of login attempts, then knowing the user name is like having half of the job done. Especially for the user names from the top 10 (and mainly for the Administrator accounts), the passwords shouldn't be picked lightly."