Continued from page 1
Rule 2: Use long passwords, including both upper and lower case, numerics and quotation marks. Now, there's a temptation to write down difficult passwords. If you do write them down, then disguise them. Hide them in a word search grid in your diary -
answer will jump out at you, but a thief will struggle to find password. Never keep them in a desk drawer or on monitor. A better idea is to use a utility called Password Safe, http://passwordsafe.sourceforge.net/. This keeps all your passwords safe, using very strong encryption.
Rule 3: Never write passwords down in an easy to read form. Rule 4: Never leave passwords near PC. There's another problem with passwords, they (and accounts that they are associated with) are often shared between several users. This may be done only on certain occasions, for example when a key employee takes vacation or is sick, or may be due to only one account being shared within a team. When an account is shared, there is no audit trail. This creates an opportunity for fraud. Each person should have an account, and only use their own account. For employees sick or on holiday, they should not be asked for their password, but their password should be reset by helpdesk, with new password given to appropriate manager. The helpdesk should become used to managers requesting password resets for their employees, however, they should always verify requestor, and log all events. When employee returns from vacation, they should get their password reset again.
Rule 5: Never share accounts or give out passwords. Password resets should be used There is also a danger when sharing a password on more than one system. It makes user's life easy if they only have to remember one password. Single-sign-on systems can be very useful in corporate environment, but users should NOT use their work passwords for any systems they use at home. Many web sites are poorly written, and passwords may be available via techniques such as SQL injection, or simply from fraud by operators. There are many ways in which a password can be learned. Once a password is known, a website operator might trace site activity back to your company, and might attempt to break in using password.
Rule 6: Never use a work password for leisure The last point I wish to make is when employees leave company. Every account that they have access to should have its password reset as soon as they leave building. The manager can take control of accounts if required, but passwords should be reset as soon as possible. This is vitally important if shared accounts are in use.
Rule 7: Reset accounts as soon as employees leave firm This concludes article on email and passwords. I hope that it help you to clarify what policy for your organization should be.
Alistair McDonald is author of SpamAssassin: A Pracitcal Guide to Configuration, Customization, and Integration. You can read more about Alistair's book here: http://www.packtpub.com/book/spamassassin
Alistair McDonald is a freelance IT consultant based in the UK. He has worked in IT for over 15 years and specializes in C++ and Perl development and IT infrastructure management. He is a strong advocate of open source, and has strong cross-platform skills. He prefers vim over vi, emacs over Xemacs or vim, and bash over ksh or csh. He is very much a family man and spends as much time as possible with his family enjoying life.
