Passwords are a fundamental element of any information technology security regimen. But with so many to remember, it is easy for users to get a little lazy, and good password hygiene is critical. The following situations are a recipe for a security problem.
- Passwords written on sticky notes and left out for all to see. This, the most obvious breach, means passwords are available to anyone who walks by your (memory-challenged) user’s work space.
- Sharing passwords with co-workers. An employee may want to give someone else access to their system while they are away. According to Charlee Moar of M-Tech Information Technology, nobody other than an administrator should be getting this kind of access to your system. “At our company, if there’s such a situation, we would ask the IT administrator to get a certain file off that person’s computer. We wouldn’t be able to access all of his or her files,” she says.
- Using common, easy-to-guess passwords. Choosing your wife’s or husband’s name or birth date as your password may seem clever, but those are the first things even an unsophisticated intruder tries, and a few hundred guesses built from names, dates and the usual suffixes will crack it in seconds. A good password should be long and contain a mix of letters and numbers chosen at random rather than from anything the user can be looked up on. Further, enforce a rule that every password must contain at least one capital letter, and reject any password that contains the user’s own name, a family member’s name or a birth date.
- Not changing your password frequently enough. Set a policy that forces users to pick a new password at a fixed interval, every month for example, and that forces a change immediately whenever a password may have become known to someone else. “That’s something we’ve noticed with people that don’t have any type of password technology. They have the same password for a year that everyone knows, and then everyone has access to their information,” says Moar. As a result, a disgruntled, recently fired employee might then be able to access your systems from home, opening you up to major risk in the form of data manipulation or loss, even lost business. It just depends how disgruntled your ex-employee turns out to be. Rotation limits how long a leaked password stays useful; the stronger control for a departing employee is to disable their accounts, and change any shared passwords they knew, on the day they leave.
- Support staff resetting passwords for unauthorized callers. If somebody calls in and reports a lost or forgotten password, an employee will often reset it without first verifying that the caller is who they claim to be. “They just let out passwords to any Tom, Dick or Harry,” says Moar. “They think the call (or e-mail) is coming from an internal source, but that’s not the case.” Consider installing a system that identifies the caller before anything is reset, such as a secure virtual kiosk that asks pre-registered security questions, or a biometric voiceprint authentication system. Whatever the mechanism, the reset itself should be a temporary password that expires quickly and must be changed at first login.
- Not having an audit trail for password resets. A staff member of yours may lock himself out of the system often, but if no log is kept of those calls you will never know there is a problem. Can you be sure it is him calling every time? Has he written the password down and lost it? With an audit trail that records every reset attempt, successful or not, a simple (perhaps automated) check of the log will raise an immediate red flag. An authentication system is helpful in this situation, too: “Let’s say you’re stuck in Bolivia and you lock yourself out. You can call a 1-800 number, re-authenticate, and it gives you this temporary password which lets you into your computer. Then it lets you reset your own password at the secure kiosk account.”
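To make the easy-to-guess-password point concrete, the following added example (not code from the article or from M-Tech) builds the handful of guesses an intruder who knows a user’s spouse and birth date would try first, shows that an unsalted hash of such a password falls to them immediately, and then gives the policy check to run when a password is set. The user profile, the names and the date are constructed for the example; the hash scheme is deliberately simplified and is labelled as such in the code.

```python
import hashlib
import re
from datetime import date
from itertools import product

# Constructed profile for a hypothetical user; names and date are made up for this example.
PROFILE = {
    "username": "jsmith",
    "spouse": "Melissa",
    "birth_date": date(1974, 3, 12),
}


def sha256_hex(text):
    """Unsalted SHA-256, used only to keep the example short. A real system stores
    a slow, salted hash; that raises the cost per guess but does not save a password
    that is among the first few hundred guesses."""
    return hashlib.sha256(text.encode()).hexdigest()


def personal_words(profile):
    """The raw material a casual intruder already knows: names, and the birth
    date written the common ways."""
    bd = profile["birth_date"]
    return {
        profile["username"],
        profile["spouse"],
        bd.strftime("%d%m%Y"),  # 12031974
        bd.strftime("%m%d%Y"),  # 03121974
        bd.strftime("%Y%m%d"),  # 19740312
        bd.strftime("%d%m%y"),  # 120374
        bd.strftime("%m%d%y"),  # 031274
        str(bd.year),           # 1974
    }


def personal_guesses(profile):
    """Expand the personal words into the guesses tried first: case variants
    combined with the usual suffixes. For one user this is a few hundred
    candidates, which is seconds of work even by hand."""
    year = str(profile["birth_date"].year)
    variants = set()
    for w in personal_words(profile):
        variants.update({w, w.lower(), w.capitalize(), w.upper()})
    suffixes = ["", "1", "12", "123", "!", "1!", year, year[-2:]]
    return {v + s for v, s in product(variants, suffixes)}


def crack_by_personal_guesses(stored_hash, profile):
    """Return the password if it is one of the personal guesses, else None."""
    for guess in personal_guesses(profile):
        if sha256_hex(guess) == stored_hash:
            return guess
    return None


def password_problems(password, profile, min_length=12):
    """Policy check to run when a password is set: a length floor, the mix of
    letters and numbers, the capital-letter rule, and no personal details."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not (re.search(r"[a-z]", password) and re.search(r"[0-9]", password)):
        problems.append("not a mix of letters and numbers")
    lowered = password.lower()
    hits = [w for w in personal_words(profile) if len(w) >= 4 and w.lower() in lowered]
    if hits:
        problems.append("contains personal details: " + ", ".join(sorted(hits)))
    return problems


if __name__ == "__main__":
    stored = sha256_hex("Melissa1974")  # the spouse's name plus birth year
    print("cracked:", crack_by_personal_guesses(stored, PROFILE))
    print("policy:", password_problems("Melissa1974", PROFILE))
    print("policy:", password_problems("Tq7!vRm2xLp9k", PROFILE))
```

The personal-details check compares the stored profile, not a generic dictionary, which is why it catches a password that a plain complexity rule would accept: "Melissa1974" has a capital, letters and numbers, and still falls to the first round of guesses.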
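The last two items, verifying the caller before a reset and keeping an audit trail of resets, fit together in one small service. The example below is added here and is not M-Tech’s product or code from the article: the caller must answer every enrolled security question before a short-lived temporary password is issued, every attempt is logged whether or not it succeeded, and two checks run over that log to flag unverified attempts and accounts reset more often than a threshold within a sliding window. The accounts, questions, answers, timestamps, the salted-SHA-256 answer storage and the one-hour expiry are all assumptions made for the example.

```python
import hashlib
import secrets
from collections import defaultdict
from datetime import datetime, timedelta


def hash_answer(salt, answer):
    """Security-question answers are stored salted and hashed, normalised so
    'rex' and ' Rex ' compare equal (storage scheme assumed for this example)."""
    return hashlib.sha256((salt + answer.strip().lower()).encode()).hexdigest()


def at(iso):
    """Parse a fixed timestamp so the example is reproducible offline."""
    return datetime.fromisoformat(iso)


class ResetService:
    """Help-desk or kiosk password reset with an audit trail of every attempt."""

    def __init__(self, enrolled):
        self.enrolled = enrolled  # account -> {"salt": str, "answers": {question: hash}}
        self.log = []             # one record per attempt, verified or not

    def request_reset(self, account, answers, now):
        """Issue a temporary password only if the caller answers every enrolled
        question; failed identification is logged too, so it is auditable."""
        record = self.enrolled.get(account)
        verified = record is not None and all(
            hash_answer(record["salt"], answers.get(q, "")) == h
            for q, h in record["answers"].items())
        self.log.append({"time": now, "account": account, "verified": verified})
        if not verified:
            return None
        return {"temporary_password": secrets.token_urlsafe(12),
                "expires": now + timedelta(hours=1),
                "must_change": True}

    def unverified_attempts(self):
        """Resets requested by someone who could not prove who they were."""
        return [e for e in self.log if not e["verified"]]

    def frequent_resetters(self, max_resets=3, window=timedelta(days=14)):
        """Accounts reset more than max_resets times inside any window,
        mapped to the highest count seen (sliding window over sorted times)."""
        by_account = defaultdict(list)
        for e in self.log:
            if e["verified"]:
                by_account[e["account"]].append(e["time"])
        flagged = {}
        for account, times in by_account.items():
            times.sort()
            start = 0
            for end, t in enumerate(times):
                while t - times[start] > window:
                    start += 1
                count = end - start + 1
                if count > max_resets:
                    flagged[account] = max(flagged.get(account, 0), count)
        return flagged


# Constructed enrolment data for two hypothetical accounts.
ENROLLED = {
    "jsmith": {"salt": "7f3a", "answers": {"first pet": hash_answer("7f3a", "Rex"),
                                           "city of birth": hash_answer("7f3a", "Calgary")}},
    "akhan": {"salt": "c0de", "answers": {"first pet": hash_answer("c0de", "Biscuit"),
                                          "city of birth": hash_answer("c0de", "Lahore")}},
}


def demo():
    """Replay a constructed fortnight of reset calls and return the service."""
    svc = ResetService(ENROLLED)
    good = {"first pet": "rex", "city of birth": "Calgary"}
    for ts in ("2004-02-02T09:14:00", "2004-02-05T16:40:00",
               "2004-02-10T13:05:00", "2004-02-11T17:55:00"):
        svc.request_reset("jsmith", good, at(ts))
    # one caller claiming to be jsmith who gets a question wrong
    svc.request_reset("jsmith", {"first pet": "Rex", "city of birth": "Edmonton"},
                      at("2004-02-09T11:30:00"))
    svc.request_reset("akhan", {"first pet": "Biscuit", "city of birth": "Lahore"},
                      at("2004-02-06T08:02:00"))
    return svc


if __name__ == "__main__":
    svc = demo()
    print("unverified:", [(e["account"], e["time"].isoformat()) for e in svc.unverified_attempts()])
    print("frequent:", svc.frequent_resetters())
```

Run stand-alone, the replay flags one unverified attempt against jsmith and reports jsmith as reset four times in nine days, which is exactly the pattern the article says a missing log hides. The threshold and window are parameters so a help desk can tune them to its own call volume.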
Charlee Moar is marketing director at Calgary-based M-Tech Information Technology Inc., a provider of identity management solutions, including password management systems.