Sunday, August 25, 2013

Passwords

A password is a string of characters that should be different for each user and highly protected. It is something that a subject knows and is the most widely used authentication method in place today. The problem is that it is the most insecure mechanism when compared to other authentication technologies, because users and administrators do not usually practice the disciplines required to provide a higher level of protection. Also, specialized utilities have been developed to uncover passwords and compromise this type of authentication method.
The following is a list of best practices that should be implemented and enforced as part of a company-wide password policy:

• Passwords should have at least eight characters (alphanumeric and symbols) and a combination of upper- and lowercase.
• Users should not be able to reuse the same passwords (password history).
• Systems should have a threshold (clipping level) configured that limits the number of unsuccessful logon attempts.
• An accurate audit log should be maintained that includes information about each logon attempt, including date, time, user ID, and workstation.
• The password lifetime should be short but practical.
• Passwords should not be shared.
• Passwords should not be easily guessable, nor should they be dictionary words.
Passwords should never be stored in clear text; some type of encryption scheme, such as a one-way hashing method, should be used to ensure that passwords are not easily read. Servers that store passwords should have limited physical and logical access and should be highly protected.
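As an added illustration that is not part of the original post, the following Python sketch turns the policy items above into code: a one-way salted hash in place of clear-text storage, a policy check that covers length, character mix, dictionary words and password history, and a logon guard that enforces a clipping level while writing the date, time, user ID and workstation of every attempt to an audit log. The dictionary wordlist, the clipping level of three and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib, hmac, os
from datetime import datetime, timezone

DICTIONARY = {"password", "welcome", "summer", "letmein"}  # constructed sample wordlist
MIN_LENGTH = 8        # at least eight characters
CLIPPING_LEVEL = 3    # assumed threshold of unsuccessful logon attempts
ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for the target hardware

def hash_password(password, salt=None):
    """One-way salted hash; this tuple is what the server stores, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def policy_violations(password, history):
    """Return the policy rules a candidate password breaks; empty list means acceptable.
    history is a list of (salt, digest) tuples of the user's previous passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs upper- and lowercase")
    if not (any(c.isdigit() for c in password) and any(not c.isalnum() for c in password)):
        problems.append("needs a digit and a symbol")
    # Catch "Password1!"-style variants: strip leading/trailing digits and symbols first.
    if password.lower().strip("0123456789!@#$%^&*") in DICTIONARY:
        problems.append("dictionary word")
    if any(verify_password(password, s, d) for s, d in history):
        problems.append("reused (password history)")
    return problems

class LogonGuard:
    """Clipping level plus an audit record for every logon attempt."""
    def __init__(self):
        self.failures = {}   # user ID -> consecutive failed attempts
        self.audit_log = []  # one record per attempt: date, time, user, workstation, result

    def attempt(self, user, workstation, password, salt, digest):
        if self.failures.get(user, 0) >= CLIPPING_LEVEL:
            result = "locked"          # threshold reached: refuse even a correct password
        elif verify_password(password, salt, digest):
            self.failures[user] = 0
            result = "success"
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
            result = "failure"
        now = datetime.now(timezone.utc)
        self.audit_log.append({"date": now.date().isoformat(), "time": now.time().isoformat(),
                               "user": user, "workstation": workstation, "result": result})
        return result
```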
Some companies choose to use password generators, which are software applications that create complex passwords for users instead of allowing them to come up with their own. Although this sounds like a great approach, many times the passwords that are created are too complex for the users to remember, and they are quickly written down on yellow sticky notes that are then stuck to the monitor or secretly hidden underneath the keyboard. Writing down passwords and making them publicly available defeats the whole purpose of passwords and access control.
