Passwords Too Short
Passwords should be a minimum of 8 characters and include non-alpha characters (characters other than the letters A-Z). A long password is more difficult to guess or crack. In general terms, a short password can be cracked almost instantaneously, while a longer password could take several thousand years.

Passwords Not Being Changed
Users should never be allowed to keep the same password for an extended period of time. In the event that a malicious user or intruder does find someone's password, it becomes worthless if users are changing their passwords regularly.

Passwords Not Unique
Some users have figured out that they can rotate back and forth between two different passwords each time they are required to make a change. This is almost as bad as not changing the password at all. It is important to implement a policy that enforces genuinely unique passwords, ones that have not been used before, rather than merely a password different from the current one.

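The length, non-alpha and uniqueness rules above can be enforced at password-change time. The following is an added example, not code from the original document: it keeps a salted hash of each previously accepted password so that rotating between two favourites is rejected. The history depth (12) and the constructed sample passwords are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

MIN_LENGTH = 8       # minimum length given in the guidance
HISTORY_DEPTH = 12   # assumption: how many previous passwords are remembered

Entry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest) of an old password


def has_non_alpha(password: str) -> bool:
    """True if at least one character is not a letter."""
    return any(not c.isalpha() for c in password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Entry:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: List[Entry]) -> bool:
    """Re-hash the candidate with each stored salt; constant-time compare."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def check_password(password: str, history: List[Entry]) -> List[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: minimum {MIN_LENGTH} characters")
    if not has_non_alpha(password):
        problems.append("must include at least one non-alpha character")
    if matches_history(password, history[-HISTORY_DEPTH:]):
        problems.append("not unique: matches a previously used password")
    return problems


def record_password(password: str, history: List[Entry]) -> None:
    """Remember an accepted password so later changes cannot reuse it."""
    history.append(hash_password(password))


def rotation_demo() -> List[List[str]]:
    """Constructed scenario: a user tries to alternate between two passwords."""
    history: List[Entry] = []
    results = []
    for pw in ["Winter-2024!", "Summer-2024!", "Winter-2024!"]:
        problems = check_password(pw, history)
        results.append(problems)
        if not problems:
            record_password(pw, history)
    return results  # third attempt is rejected as not unique
```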
Passwords and Sticky Notes
Under no circumstances whatsoever should an employee write their user ID and password on a sticky note and tack it to the monitor. Don't make it so easy for a bystander, the janitor, or a malicious coworker to gain unauthorized access. All employees should be instructed to keep their user IDs and passwords private.

Administrator Passwords
Password guidelines for administrators should be even stricter than those for regular users: longer, more complex, and changed more often. Furthermore, use different passwords for different systems. For example, if you have an "Admin" account, make its password different from the remote console password and from the SNMP community strings.