Solutions to the password problem - Part 2

Implement strong authentication for all remote users and for all privileged users and accounts. There are many two-factor alternatives to the traditional password, including SecurID, Smart Cards, smart USB keys and even mobile phone SMS texts.

Institute thorough end-user training on secure communications, including what can be discussed over the telephone, what can be discussed outside the building and what can be written in an e-mail. Try not to use out-of-office e-mail notifications or voicemails when away from the office - they set up the person covering for you as a target. And most importantly, ensure everyone knows how to report an incident and to whom - most people do not.

Strengthen your helpdesk password reset process. Permit password resets only with call-back and PIN authentication or some other form of cross-verification. Implement incident reporting and response procedures for all help desk staff, together with clear escalation procedures for everyone in the incident chain. Help desk staff should be encouraged to withhold support when a call does not feel right. In other words: “just say no …”

As a politician might say: “Training, training, training.” Train all employees - everyone has a role in protecting the organisation and their own jobs. If someone tries to threaten them or confuse them, it should raise a red flag. Train new employees as they start. Give extra security training to security guards, help desk staff, receptionists and telephone operators, all of whom have a vital role to play in blocking identity theft. Make sure you keep the training up to date and relevant.

Address the issue of easy-to-guess passwords. This is the single biggest hole in most organisations’ IT security defence. If your organisation is using a Windows network (and most are) and if you have upgraded to Windows 2000, XP or Server 2003, then you can use passphrases rather than passwords. A passphrase of 15 characters or more is easier to remember than a complex 8-character password, yet infinitely more secure. Compare “I would love to own a big red Ferrari” (29 characters and almost unbreakable) with “nUaY6zOs” (8 characters and impossible to memorise, yet easily broken with today’s password crackers!).
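To put numbers behind the passphrase-versus-password comparison above, here is an added example (not part of the original piece) that estimates the guessing work for the two strings quoted, under two attacker models: character-by-character brute force, and a word-level dictionary model that treats the passphrase as a sequence of common words. The guess rate (10 billion per second) and the vocabulary size (20,000 words) are assumptions chosen for illustration.

```python
import math
import string

GUESSES_PER_SECOND = 1e10   # assumed: offline cracker against a fast unsalted hash
VOCABULARY = 20_000         # assumed: size of the word list a passphrase cracker tries


def charset_size(secret: str) -> int:
    """Size of the smallest union of standard character classes that covers the secret.
    This is the alphabet a brute-force cracker would have to assume."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c == " " or c in string.punctuation for c in secret):
        size += 33  # 32 ASCII punctuation characters plus the space
    return size


def brute_force_bits(secret: str) -> float:
    """Search-space size in bits for a per-character brute-force attack."""
    return len(secret) * math.log2(charset_size(secret))


def word_model_bits(passphrase: str, vocabulary: int = VOCABULARY) -> float:
    """Search-space size in bits if the cracker guesses whole dictionary words,
    which is the cheapest generic model for a natural-language passphrase."""
    return len(passphrase.split()) * math.log2(vocabulary)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to find the secret: half the keyspace at the given guess rate."""
    return (2 ** bits) / rate / 2


def compare(password: str, passphrase: str) -> dict:
    """Bits of work for the password (brute force) and the passphrase (both models)."""
    return {
        "password_brute_bits": brute_force_bits(password),
        "passphrase_brute_bits": brute_force_bits(passphrase),
        "passphrase_word_bits": word_model_bits(passphrase),
    }


if __name__ == "__main__":
    for name, bits in compare("nUaY6zOs", "I would love to own a big red Ferrari").items():
        print(f"{name:24s} {bits:6.1f} bits  ~{expected_crack_seconds(bits):.3g} s")
```

Even under the word model, which is far kinder to the attacker than brute force, the nine-word phrase is well over 100 bits of work, while the eight-character random password falls in a few hours at the assumed rate.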

Finally, have a security assessment test performed and heed the recommendations. Test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack. Have the first test performed when the company is expecting it, then do a blind test the second time around.

This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at http://www.fbtechies.co.uk

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.