In an effort to help busy security managers, CISSP Shelley Bard's weekly column builds upon the concept of the perpetual calendar, offering a schedule of reminders for a proactive, strategic security plan. Also visit our archive of previous columns.
Conduct regular audits to make sure passwords comply with security policy.
Typically once every quarter or six months, depending on your level of CIA2.
Why are eight-character passwords recommended? Using a very fast machine, passwords of six characters or fewer can be matched in less than two days. Seven-character passwords can be matched in four months. By the time an eight-character password could be cracked, you should have changed the password to a new eight-character string, thereby protecting your account.
For changing users' passwords, use your operating system's configurable notification countdown schedule to inform users that their password will expire in XX days. Force the use of mixed-case alphanumeric passwords. Suggest strategies, such as uncommon phrases and creative number-letter substitution, so that users don't need to write their passwords down.
Change all of the administrative passwords regularly, as well as every time an admin leaves, not only for the primary systems, but for the back-ups as well. Don't forget about your hot/warm/cold site backup. Record passwords in a secure location. Use the following password worksheet to help account for your admin passwords.
Changing device passwords is another issue. What if you have 500 routers in your architecture? Then you should also have an administrative tool to push out configurations and passwords. The time and effort you save over doing it manually will be more than worth the expense. A relatively small footprint of exposure means you can consider changing these passwords only once a year during a time of decreased system traffic to minimize any issues resulting from a rollover.
In any case, make sure all accounts have a strong password -- no nulls, defaults or guest accounts -- and that the password-check mechanism is protected.
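As an added illustration (not part of the column), the following Python audit applies the rules above to a constructed shadow-style account file: it flags null passwords, enabled guest/default accounts and passwords inside the expiry countdown window, and checks candidate passwords against the eight-character, mixed-case-plus-digit rule. The account names, the 90-day maximum age, the 14-day warning window and the list of default account names are assumptions, not values from the column.

```python
import re

# Policy from the column: at least eight characters, mixed case and a digit.
RULES = [(r".{8}", "shorter than 8 characters"), (r"[a-z]", "no lowercase letter"),
         (r"[A-Z]", "no uppercase letter"), (r"[0-9]", "no digit")]
DEFAULT_ACCOUNTS = {"guest", "test", "admin"}  # assumed vendor/guest names to flag

def complexity_violations(password):
    """Rules from the column that a candidate password breaks (empty list = compliant)."""
    return [msg for pattern, msg in RULES if not re.search(pattern, password)]

def parse_shadow(text):
    """name:password:lastchg lines; lastchg is days since 1970-01-01, as in /etc/shadow."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        name, pw, lastchg = line.split(":")[:3]
        records.append((name, pw, int(lastchg) if lastchg else None))
    return records

def audit(records, today, max_age=90, warn_days=14):
    """Map account name -> findings; accounts with nothing to report are omitted."""
    findings = {}
    for name, pw, lastchg in records:
        issues = []
        if pw == "":
            issues.append("null password")
        elif pw.startswith(("!", "*")):
            continue  # locked account: no interactive login possible, skip it
        if name in DEFAULT_ACCOUNTS:
            issues.append("default/guest account enabled")
        if lastchg is None:
            issues.append("no last-change date")
        else:
            remaining = max_age - (today - lastchg)
            if remaining < 0:
                issues.append(f"expired {-remaining} days ago")
            elif remaining <= warn_days:
                issues.append(f"expires in {remaining} days")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample, not a real password file; the hash fields are placeholders.
SAMPLE = """\
alice:$6$r4nd0m$hashA:19700
bob::19650
guest:$1$s4lt$hashB:19500
svc_backup:*:19000
carol:$6$r4nd0m$hashC:19630
"""
```

Call `audit(parse_shadow(SAMPLE), today)` with `today` expressed as days since the epoch, for example `(date.today() - date(1970, 1, 1)).days`.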
Finally, there's system password handling. Passwords are passed by the system through a variety of means – clear text, automatic updates, hard-coded or encrypted/hidden in machine code. You need to know which do what on your system and secure them accordingly. Do you have any default passwords shipped with your system? Change those as well.
Query the Internet for such terms as "password selection strategies" and "choosing a good password." Consider running a password cracker against the password files to gauge the success of your users' selection strategies. Good ones include LC4 and John the Ripper.
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to firstname.lastname@example.org.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
This was first published in December 2003