The Password Is: Useless (Probably)
A secure password is the first line of defense, but too often they're as easy to crack as your knuckles.
Computerworld - What good is a firewall when you can crack more than 50% of the passwords on the network?
It was just a fluke that we ran a password audit last week on our own domain and that of a subsidiary with which we have a full two-way trust relationship. I was disheartened after looking at the results of the report. I called the security team together and said, "We might as well go home. There's absolutely no point in banging our heads against the wall any longer."
Why was this password audit a fluke rather than a regular security measure? The fact is that we have so many things on our task lists that sometimes the most obvious part of security is overlooked. We suffer from a lack of staff, lack of tools, lack of time, lack of security awareness and lack of security policy enforcement. And being new to the company, I made a fundamental error in assuming that the stated password policy, which had been signed off on by executives and posted on the company intranet, was actually being enforced by IT across our domain and those of our subsidiaries. In a way, my awareness of the importance of secure passwords made me blind to the problem: Since I care about my password being cracked, I chose a secure one, and so I didn't stop to test the password policy.
We're back to square one. Without a properly enforced password policy, who cares if the firewall is logging properly, the SQL Server password is blank or our patches are up to date? Passwords are the first line of defense.
In a Windows network, the password policy is set at the domain level, and in our environment, that's managed by Active Directory. Our current password policy includes these provisions:
- Ten passwords are remembered, which means you can't reuse a password until you've chosen your 11th.
- Passwords expire after a maximum of 45 days.
- The password must meet "complexity requirements": They can't contain all or part of the user's account name, they must be at least eight characters long, and the characters must be chosen from three of four categories -- English uppercase characters, English lowercase characters, base-10 digits and nonalphabetic characters such as !, $ or #.
All this sounds good, but the policy isn't strict enough, and it allows for passwords like Password1 and Password2. Is anyone surprised that we found these types of passwords on the network?
When I got the list of users whose passwords had been easily cracked,


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Driving Secure Enterprise File Sharing and Syncing in the Enterprise
- GroupLogic's new activEcho is the industry's only secure Enterprise File Sharing and Synching solution that balances the need for simplicity for the end...
- The Enterprise File Sharing Option
- Enterprises and IT departments need to address several critical security issues when considering file sharing and syncing products. Many of today's solutions do...
- Security Strategies to Virtualizing Internet-Facing Applications
- The IT organization at Intel has set a goal to transition their enterprise to a private cloud for their Office and Enterprise applications....
- Cloud Security Planning Guide
- Cloud security considerations span protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different...
- Cloud Security Vendor Round Table
- This vendor round table guide will help you to evaluate different cloud technology vendors and service providers based on a series of questions... All Security White Papers
- Live Webcast
Data Privacy and Protection in Production Environments: New Research from Ponemon Institute - Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Security Certifications 101 - BlackBerry and all those acronyms what do they mean and why they matter?
- FIPS, Common Criteria, CAPS, AISEP, NFC, NIST, Fraunhofer SIT, CESG, DSD - these are just some of the government and industry certifications which...
- BlackBerry PlayBook OS 2.0 Security Overview
- The presentation provides an overview of BlackBerry PlayBook OS 2.0 security capabilities and features, including: BlackBerry® Balance™ technology, BlackBerry® Bridge, data-at-rest protection, and...
- BlackBerry NFC Security Overview
- The presentation on NFC security will provide an overview of the security protections built into the BlackBerry platform to protect users, application developers...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts