Effective Password Creation and Compliance
Essay by RDickens • March 16, 2012 • Research Paper • 2,238 Words (9 Pages) • 1,566 Views
Effective Password Creation and Compliance
Randy W. Dickens
American Military University
ISSC481 IT Security Planning & Policy
A big challenge in the world of information technology and information security is password creation policy, and user compliance with such policies. Organizations need to make sure that the employees and contractors who use their systems understand why passwords are important. An important topic in all information security programs is the CIA triad, which helps in the protection of data and information. Another way to help users understand the importance of passwords is to show them why passwords are needed. Many people do not understand why their security team puts such strict password policies in place (e.g. long passwords, or passwords that must mix capital letters, lowercase letters, and special characters). This lack of understanding leads to users not following password policies.
In order to sufficiently protect the organization's data and information, a policy that requires users to create proper, strong passwords is a definite benefit. The information security team will need to show users why short passwords are detrimental to the security of the organization's information systems and networks. For the best protection, long passwords that are complicated to guess are in the best interest of both the user and the organization. Since long passwords are hard for users to remember, the security team should show users the benefit of using pass phrases to remember their passwords. It is also beneficial for the information security team to show users how easily a hacker can crack passwords using password crackers.
Every organization should have a policy relating to the creation of passwords. It is important for this policy to be effective and easy for the user to understand and follow. A password policy should set standards for users to follow, and an effective policy should also give users guidelines. Not every user is in the habit of creating effective passwords, and some may not know how. The policy writer should include procedures that users can easily follow to create their passwords. Lastly, the policy needs to be easy for its audience to understand and follow, so that they grasp the importance of effective passwords.
Why Passwords are Important
Every organization needs to protect its computers, networks, and information. One of the best ways to do this is through the use of passwords. One topic every information security team should know and understand is the CIA triad. The goal of every IS department is to protect the data and information it stores and processes, and the CIA triad can definitely help. So what is the CIA triad? It is an acronym for confidentiality, integrity, and availability. Confidentiality simply means keeping the organization's information from being accessed or disclosed by unauthorized systems or people. Integrity means keeping the information from unauthorized modification, whether intentional or accidental. Availability means making sure that the information or data stored or processed on the systems is available for authorized users to access (Greene, 2006). Passwords are a very important part of the CIA triad. Passwords help the organization keep its information confidential: they keep unauthorized users and systems from accessing the information stored and processed on the organization's systems. Passwords are also key in maintaining the integrity of the organization's information. Passwords can be used to lock sensitive files, drives and even servers. Only authorized users with the proper password can access the information, so the information in these locations should not be modified unless a password has been discovered or disclosed.
So why are passwords needed? Throughout history, secret codes have been used to allow access to things and locations only to the people who know the secret code (Poulsen, Sandler, Whalen, Tillet, 2008). As stated before, organizations need to make sure the information they store and process, whether for themselves or for a customer, remains confidential, accurate and secure. Of course an organization cannot just let anyone access its systems; it needs a way to allow authorized users to access information while keeping unauthorized systems and users out of its information systems. The reason we use passwords is to protect access to secure sites and information (Greene, 2006). Passwords also let the organization know who has accessed the system, since each user is the only one who knows his or her password. It is important to monitor user access. According to Greene (2006) there are four reasons for monitoring: authorized access, privileged operations, unauthorized attempts, and system alert failures. If an organization does not use passwords to protect information and systems, monitoring would not allow it to know when an unauthorized system or user accessed the information system.
Most organizations have some pretty strict password policies. Organizations make their password policies strict for the best protection of their systems, even though these policies can be annoying and inconvenient to users. Compliance with these policies is verified through monitoring, which is an important aspect of information security (Greene, 2006).
Passwords can be very frustrating for a lot of users, and many users have a hard time following password policies. One reason for this is that some policies require passwords to be long, eight characters or more. Some password policies may even require the user to use non-alphanumeric special characters (e.g. $, %, &). In addition, every policy should prohibit the user from writing down their password, since this could lead to someone finding it and compromising the information system. Organizations need to find a way to make their password policies strong and effective while not making it too difficult for the user to understand and follow the policy. Sharma (2011) states that there needs to be a balance for employees and customers between the organization's security measures and a positive user experience.
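Greene's four reasons for monitoring (authorized access, privileged operations, unauthorized attempts, system alert failures) map naturally onto the events an authentication log records. The following is an added example, not code from the essay or from Greene: it classifies constructed syslog-style lines (modelled on the OpenSSH and sudo message formats, but invented for this example) into those four categories and flags a source address that accumulates repeated failed logins, which is the signal a security team would review.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Mar 16 08:01:12 host1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar 16 08:02:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 16 08:05:03 host1 sshd[2210]: Failed password for bob from 198.51.100.7 port 41000 ssh2
Mar 16 08:05:05 host1 sshd[2210]: Failed password for bob from 198.51.100.7 port 41001 ssh2
Mar 16 08:05:08 host1 sshd[2210]: Failed password for bob from 198.51.100.7 port 41002 ssh2
Mar 16 08:05:11 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 41003 ssh2
Mar 16 08:07:30 host1 sshd[2215]: Accepted password for bob from 10.0.0.9 port 50200 ssh2
Mar 16 08:10:00 host1 kernel: [  123.456] Out of memory: Kill process 1234 (java)
"""

# One pattern per monitoring category (Greene, 2006).
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
ALERT = re.compile(r"kernel: .*(Out of memory|error|panic)", re.IGNORECASE)


def classify_line(line):
    """Return (category, details) for a log line, or None if it is not of interest."""
    if m := ACCEPTED.search(line):
        return "authorized_access", {"user": m["user"], "src": m["src"]}
    if m := FAILED.search(line):
        return "unauthorized_attempt", {"user": m["user"], "src": m["src"]}
    if m := SUDO.search(line):
        return "privileged_operation", {"user": m["user"], "cmd": m["cmd"].strip()}
    if ALERT.search(line):
        return "system_alert", {"msg": line.split(": ", 1)[1]}
    return None


def summarize(log_text, failure_threshold=3):
    """Count events per category and flag sources with repeated failed logins.

    Returns (counts_by_category, {source_ip: failed_attempts}) where only sources at or
    above failure_threshold appear in the second mapping.
    """
    counts = Counter()
    failures_by_src = defaultdict(int)
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        category, details = result
        counts[category] += 1
        if category == "unauthorized_attempt":
            failures_by_src[details["src"]] += 1
    suspicious = {src: n for src, n in failures_by_src.items() if n >= failure_threshold}
    return dict(counts), suspicious


if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_LOG)
    print("events by category:", counts)
    print("sources with repeated failures:", suspicious)
```

Without passwords there would be no "failed" events at all, which is the essay's point: the log can only distinguish authorized from unauthorized access because a credential was demanded. In practice the threshold and time window would be tuned to the environment, and a source that later succeeds after many failures (as 198.51.100.7 does not here, but bob's later login from a different address shows the pattern to watch) deserves a closer look.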
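The policy requirements just described (a minimum of eight characters, a mix of character classes), together with the earlier point that long pass phrases are easier to remember and harder to guess, can be made concrete with a small checker. The following is an added example and not code from the essay or from any cited author; the policy thresholds, the class sizes and the guess rate are assumptions chosen to match the text, and the keyspace figure is a worst-case exhaustive-search count, not a prediction of how a dictionary-based cracker would fare.

```python
import string

# Sizes of the character classes a password can draw from (assumed: printable ASCII).
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32 printable punctuation characters
}


def character_classes(password):
    """Return the set of character classes ('lower', 'upper', 'digit', 'special') present."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")  # anything else, including space and punctuation
    return classes


def check_policy(password, min_length=8, min_classes=3):
    """Hypothetical policy from the essay: at least 8 characters and at least 3 classes.

    Returns a list of human-readable problems; an empty list means the password complies.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < min_classes:
        problems.append(f"uses {len(classes)} character class(es), needs {min_classes}")
    return problems


def brute_force_keyspace(password):
    """Number of candidates an exhaustive search over the observed alphabet must cover.

    This grows exponentially with length, which is why length matters more than
    adding one extra symbol class to a short password.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time for an offline cracker at an assumed (constructed) guess rate."""
    return brute_force_keyspace(password) / guesses_per_second


def stronger_by_keyspace(a, b):
    """Return whichever of two passwords has the larger exhaustive search space."""
    return a if brute_force_keyspace(a) >= brute_force_keyspace(b) else b


if __name__ == "__main__":
    # Constructed sample passwords illustrating the essay's points.
    for candidate in ("Sun123", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(candidate), check_policy(candidate) or "compliant",
              f"{seconds_to_exhaust(candidate):.3g} s to exhaust")
```

The short password fails on length and can be exhausted in seconds at the assumed rate, while the four-word pass phrase has a vastly larger search space even though it fails the three-class rule, which is the kind of trade-off a policy writer has to weigh. The keyspace function deliberately ignores dictionary attacks: a phrase built from common words is still far weaker than the exponent suggests, so a real policy should pair length with a check against known-weak passwords rather than rely on character-class rules alone.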
Password Creation
Organizations need to make their employees aware of proper and effective password creation. One of the worst things a user can do when creating a password is to make it too short. The only real benefits of a short password are that it can be typed faster and is easier to remember. It is important for users to know that short passwords are detrimental to the security of networks, systems and information. There are many tools hackers have at their disposal to quickly
...
...