ID and password authentication: Keeping data safe with management and policies

Learn how to improve authentication and avoid password hacking with management policies that enforce password expiration, length and complexity requirements.

User ID and password systems are among the oldest forms of digital authentication. These types of authentication systems, which simply prompt a user to enter his or her ID and password to gain system access, are easy to implement and use, but they also carry some huge security risks.

One of the biggest problems with passwords is that they can be shared, guessed or misused. Organizations should educate users on how to properly handle their passwords. Among the most important password guidelines for users is that passwords should never been written down. Often employees will jot down their passwords in an effort to help them remember their many sets of credentials. One way to eliminate this problem is to nix the use of multiple passwords. If users can have one ID and password for corporate systems -- typically referred to as enterprise single sign-on (SSO) -- the likelihood of them needing to jot anything down is greatly decreased.

Organizations should also set policies for users on how to choose a secure password. A user password should be completely unrelated to one's user ID. The password should also be a minimum of eight characters in length and contain both letters and numbers, and both uppercase and lowercase characters. If an enterprise runs Microsoft-based systems, one easy way to ensure that password policies are met is to enable the "password must meet complexity requirements" security setting in Windows Server. This setting will require that a user's password meets specific guidelines, and if it doesn't, the user will receive an error message forcing the recreation of the password to meet the specified security terms before access to enterprise systems is enabled.

It is common for attackers to try to gain access to systems through "brute force" by guessing common user IDs and passwords. Most organizations use the first letter of an employee's first name followed by his or her last name for IDs, which makes it extremely simple for a hacker to obtain user IDs of the entire organization; all he or she needs to do is get a list of employees. In order to eliminate the likelihood of hackers gaining access, users should stay away from passwords that can be easily guessed or discovered, such as names of loved ones and pets or birthday dates.

Corporations should also require employees to change their passwords regularly, approximately every 60-90 days. The shelf life of passwords that allow access to extremely sensitive data should be even shorter. Users should not be able to reuse any of their old passwords, and be sure that all passwords are completely contrasting to user IDs.

Complying with these password best practices with not only help to improve corporate security, but will also help organizations comply with the access control mandates of several compliance requirements, such as HIPAA, the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS).

Password hacking
There are several password-hacking programs and tools, also know as password crackers, available for organizations to perform a risk assessment of their current password systems. This method of hacking your own system helps organizations to recognize serious security risks and weed out insecure passwords before malicious attackers do. It can also help to thwart potential legal trouble by handling compliance issues before they are discovered by an auditor or a hacker compromises consumer information. Some popular password-hacking tools include John the Ripper and Microsoft Baseline Security Analyzer (MBSA).

Those who do decide to use ethical hacking must first obtain permission from end users, whose passwords you will be uncovering, and corporate management. After running the software and obtaining the results, the corporation can determine the risk level presented by its current password system. This will help management to evaluate whether a new form of authentication needs to be implemented, or if employees simply need training on how to properly use and create passwords.


  What is authentication?
  ID and password authentication
  Biometric authentication devices, systems and implementation
  Enterprise single sign-on: Easing the authentication process
  PKI and digital certificate authentication and implementation
  Security token and smart card authentication

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing