One of the first areas of policy that gets considered from both a technical and administrative point of view is the type of authentication mechanisms to be put in place in an organization. From the policy perspective, one would want to ensure that the IS/IT departments have sufficient support to ensure that they can enforce strong authentication. This raises the question of how strong should passwords be, and what types of policies should exist other than password strength.
First, one should consider the users. It is not reasonable to expect a user to remember a 20-character complex passphrase with letters, numbers, symbols and control characters. Users will also be inclined to write down their passwords in easy to find places such as below their keyboards or on post-it notes on their monitors.
Next, one must consider from a technological perspective, how difficult it is to brute-force or crack a password given sufficient information about it (such as a hash of the password). There are many different opinions on this matter, but most technologists will agree that the minimum safe password is eight characters, with a mixture of case, numbers and symbols. A password of 12 or 16 characters would be better, but again one must consider the users.
This leads us to policy #1:
Passwords must be a minimum of eight characters, and must contain at least one uppercase character, one lowercase character, one number and one symbol.
Now that we
A password must not be written or stored in a location (physical or logical) in which personnel other than the password owner have access.
Changing a password regularly is also a very important issue. If people were to keep the same password forever, then in the case where someone's password was compromised, it would remain forever compromised. The life of a password is a cause for a lot of arguments in IS/IT environments. Users want to wait as long as they can before changing a password, as remembering something new can be difficult. Administrators would like new passwords to be issued or generated on a weekly basis, as that decreases the possibility that someone who has acquired a password could make use of it for any duration of time. One of the more common durations for passwords is in the following sample policy:
All user passwords must be changed every 45 days. New passwords may not be the same as any previously used password.
The last consideration in this week's tip is whether or not a password is enough to protect very sensitive or critical resources. In the area of authentication, mechanisms can be divided into three areas:
- Something you know, which would be a password or pin number.
- Something you have, such as a smart card or token.
- Something you are, such as biometric thumbprints, iris scans or voice signatures.
Multiple authentication mechanisms (often called multifactor authentication) are a lot stronger than single factor authentication. In order to bypass or break into a multifactor authenticated system, an attacker would have to both compromise a password, as well as physically steal a smart card or token, and/or obtain someone's genetic material. A policy to support this could be the following:
All systems containing information that is classified as sensitive, and systems that are critical to business continuity must utilize strong multifactor authentication systems.
The authentication section of a security policy should contain a lot more details about how passwords are stored and managed, how authentication systems should function and be audited, how logs should be stored and many other factors. The four basic policies mentioned above are a good start, but you still have a long way to go before you have a complete policy.
About the author
Jeffrey Posluns is the founder of SecuritySage, a leading-edge information security and privacy consulting firm. Prior to SecuritySage, Jeffrey founded and co-founded several e-commerce and security initiatives, where he served as President and/or Chief Technology Officer. He is looked to as an authority to speak on information security and privacy related issues and trends at conferences, in law enforcement forums and in the media. He is a regular speaker at industry conferences organized by such groups as the Information Systems Audit and Control Association (ISACA) and the Association of Certified Fraud Examiners (ACFE). Jeffrey is also a trainer for the Certified Information Systems Security Professional (CISSP) certification course.
This was first published in November 2002