Passwords and Physical Security: Passwords are perhaps one of the best primary lines of defense for an environment. Although not commonly thought of as a protective measure for physical intrusions, they do indeed fulfill this purpose.
However, the downside is that unless passwords are carefully and thoughtfully implemented they tend to be somewhat weak, offering protection against only the casual intruder.
Organizations have learned, as you saw in our system hacking exploration, that passwords can be easily circumvented and must be managed in order to avoid problems.
Working with Passwords
Experience has shown the following about how users of systems choose their passwords:
- Ninety percent of respondents reported having passwords that were dictionary words or proper names.
- Forty-seven percent used their own name, the name of a spouse, or a pet’s name as their passwords.
- Only 9 percent actually remembered to use cryptographically strong passwords.
Companies and organizations of all types have had to enforce strong password policies and management guidelines in order to thwart some of the more common and dangerous attacks.
As you saw earlier in this book, passwords should always be complex and well managed; components of a good password include the following:
- Allow no personal information in passwords.
- Avoid passwords that are fewer than 8 characters. The standard nowadays is moving toward 12 characters and longer.
- Require regular password change intervals—for example, a password must be changed every 90 days.
- Enforce complex passwords that include upper- and lowercase letters as well as numbers and special characters.
- Limit logon attempts to a specific number before an account is locked.
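The list above can be turned into an enforceable policy check. The following is an added example, not code from the book or any vendor's implementation; it assumes a 12-character minimum, a constructed lockout threshold of 5 attempts, and that the caller supplies the user's personal information (name, spouse, pet) to screen against.

```python
import re
from collections import defaultdict

# Policy constants taken from the list above (assumed values: 12-char minimum, 5 attempts).
MIN_LENGTH = 12
MAX_ATTEMPTS = 5


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info is a sequence of strings (user name, spouse, pet, ...) that
    must not appear anywhere in the password, regardless of letter case."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            violations.append(f"contains personal information ({item!r})")
    return violations


class LockoutTracker:
    """Count failed logons per account and lock the account after max_attempts."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def record_failure(self, account):
        self.failures[account] += 1
        return self.is_locked(account)  # True once the threshold is reached

    def record_success(self, account):
        # A successful logon resets the counter, but only while the account is not locked.
        if not self.is_locked(account):
            self.failures[account] = 0

    def is_locked(self, account):
        return self.failures[account] >= self.max_attempts
```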
NOTE: Something increasingly observed in the real world is the replacement or supplementation of traditional passwords with additional security measures, including tokens and smart cards.
The idea is that adding these devices to an existing password system will markedly improve the security of systems and the environment overall.
The problem is that such an approach carries a large up-front cost in terms of upgrades to infrastructure and equipment.
However, do expect these devices and systems to become more commonplace.