Passwords – the most important and probably lacking security aspect of your system

Published by Chris March 21st, 2006

BaysideNetworks risk management code: PWD - passwords

A client called me today, concerned about the privacy of an important email that had been sent to a few of their users. Our client was suspicious that an employee that should not have seen this private message had specific knowledge of it.

He asked me, “How could someone’s private email be read by another user on our system?” My first thought was, how does this client manage their user passwords? Do they leave their user workstations logged in at night, possibly with their email client software left open?

Like many (probably most) small businesses, this client has a casual password policy. Their network login passwords are very simple and many of the users actually have the same email hosting password.

I never figured out how or even if this client’s private email was compromised. The client was just left with a frustrating suspicion that their data had been inappropriately accessed.

What surprised me was the client’s genuine expectation that somehow the privacy of their information was protected even with such limited and ineffective use of passwords in their office. Usually there is nothing more than a password between your data and the people that should not have access to it.

Is poor password management a weak link in your office’s data security?

There are some very simple things you can do to improve your firm’s use of passwords. Many of the steps you can take are quick and don’t cost anything as they use features that are built into just about all modern computer operating systems.

* Ask yourself a few questions about your system. You will quickly see whether your office uses passwords effectively:

  • Are some user passwords (especially the root or administrator account) known by more users than is really necessary? Do prior employees or vendors know your admin passwords or any password that is able to access your systems remotely?
    Anyone with the root-level password on your system can look at and/or modify anything on the entire system – email, data on local workstations – you name it.
  • Are your users automatically prompted to change passwords periodically? Have specific users been excluded from the automatic password change policy, if such a policy exists? You should be prompted to change your system login passwords at least once every 60 days; it is not a good sign if you can’t remember the last time this occurred on your system.
    We often encounter systems where many users are set up with passwords that “never expire.” Over a period of time user passwords will often get “passed around.” Sometimes a user is out of the office and he calls in and asks someone to “check something” on his or her system. Once users share their passwords and the passwords are not changed regularly, security obviously suffers.
  • Are users permitted to select unreasonably simple or repetitive passwords? At a minimum, passwords should be at least six characters in length and they should include a case variation or a number somewhere in the password. Most systems have a simple policy setting screen where a good password policy can be enabled.
    This article about passwords is interesting – what does it tell you about passwords that users will choose on their own in the absence of any automatic policy that requires decent passwords?
  • Does your office’s data system require more than one password per user within your office? Many offices have separate “initial login” and “email” passwords. If your system requires users to remember and use multiple passwords, there is a very good chance that your office has password policy problems.
    This sort of issue is especially prevalent if your email is hosted on an outside system, where separate passwords are used that are not integrated with your internal systems.
  • Do users often leave their workstations logged in (without screen-saver password protection) when they are away for short periods, or even overnight? If you use a Microsoft-based system you can and should enable a simple system-wide group policy that will enable screen-saver password protection on all of your systems.
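As an added example (not part of the original article), the same questions can be checked against a Windows domain with a few PowerShell commands. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory, and uses the article’s 60-day and six-character thresholds.

```powershell
# Added example: audit the password questions above against Active Directory.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$MaxAgeDays = 60     # article: change passwords at least once every 60 days
$MinLength  = 6      # article: passwords at least six characters long

# 1. Domain-wide policy: is expiry, length and complexity enforced at all?
#    A MaxPasswordAge of 0 days means the domain never forces a change.
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    MaxPasswordAgeDays = $policy.MaxPasswordAge.Days
    MinPasswordLength  = $policy.MinPasswordLength
    ComplexityEnabled  = $policy.ComplexityEnabled
    ExpiryOk           = ($policy.MaxPasswordAge.Days -gt 0 -and
                          $policy.MaxPasswordAge.Days -le $MaxAgeDays)
    LengthOk           = ($policy.MinPasswordLength -ge $MinLength)
} | Format-List

# 2. Enabled users excluded from expiry ("never expire") or overdue for a change.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
Get-ADUser -Filter { Enabled -eq $true } `
           -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object { $_.PasswordNeverExpires -or
                   -not $_.PasswordLastSet -or
                   $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# 3. Who holds administrator-level access? Compare this list against current
#    staff; former employees and vendors should not appear here.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName, objectClass |
    Format-Table -AutoSize

# 4. Screen-saver password policy as applied to the current user on this
#    machine (registry values written by the corresponding Group Policy settings).
$key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
if (Test-Path $key) {
    Get-ItemProperty -Path $key |
        Select-Object ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut
} else {
    'No screen-saver policy is applied to this user (policy key absent).'
}
```

Where fine-grained password policies are in use, the default domain policy checked in step 1 may not be the one that applies to a given user, so confirm with Get-ADUserResultantPasswordPolicy for the accounts that matter most.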

Please think about the implications if you answered yes to any of these questions. Often the real concern comes when an office is dealing with a disgruntled employee or even an employee that may be on the way toward being disgruntled.

Chris Gruenwald, Principal Consultant
BaysideNetwork.com, Inc.
chris@baysidenetworks.com

* Risk management for your computer network. Part of an ongoing series of articles from BaysideNetworks.com, Inc.