CompTIA A+ Certification All-In-One Exam Guide, Seventh Edition - Michael Meyers [265]

users in each particular version of Windows, there are a few security considerations that apply to every version of Windows, such as using appropriate passwords and creating user groups.

Passwords

Passwords are the ultimate key to protecting your computers. A user account with a valid password gets you into any system. Even if the user account only has limited permissions, you still have a security breach. Remember: for a hacker, just getting into the network is half the battle.

Protect your passwords. Never give out passwords over the phone. If a user forgets a password, an administrator should reset the password to a complex combination of letters and numbers, and then allow the user to change the password to something the user wants, according to the parameters set by the administrator.

Make your users choose good passwords. I once attended a security seminar, and the speaker had everyone stand up. She then began to ask questions about our passwords—if we responded yes to the question, we were to sit down. She began to ask questions such as

“Do you use the name of your spouse as a password?” and

“Do you use your pet’s name?”

By the time she had asked about 15 questions, only 6 people out of some 300 were still standing! The reality is that most of us choose passwords that are amazingly easy to hack. Make sure you use a strong password: at least eight characters in length, including letters, numbers, and punctuation symbols.

* * *

NOTE Using non-alphanumeric characters makes any password much more difficult to crack, for two reasons. First, adding non-alphanumeric characters forces the hacker to consider many more possible characters than just letters and numbers. Second, most password crackers use combinations of common words and numbers to try to hack a password.

Because non-alphanumeric characters don’t fit into common words or numbers, including a character such as an exclamation point defeats these common-word hacks. Not all serving systems allow you to use characters such as @, $, %, or \, however, so you need to experiment to see if a particular server will accept them.
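The two reasons in the note above can be checked numerically. The following is an added example, not code from the book: it tests a password against the rule stated earlier (at least eight characters, with letters, numbers, and punctuation), measures how much a punctuation symbol enlarges the brute-force search space, and flags the common-word-plus-number pattern. The function names, the tiny wordlist, and the model of search space as length times log2 of the character pool are assumptions made for illustration.

```python
import math
import string

# Constructed sample wordlist (assumption); real cracking dictionaries are far larger.
COMMON_WORDS = {"password", "fluffy", "dragon", "letmein", "meyers"}

def policy_failures(pw):
    """List the parts of the rule (8+ chars, letters, numbers, punctuation) that pw fails."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        failures.append("no letters")
    if not any(c.isdigit() for c in pw):
        failures.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        failures.append("no punctuation symbols")
    return failures

def alphabet_size(pw):
    """Size of the character pool a brute-force search must cover for pw."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(pool) for pool in pools if any(c in pool for c in pw))

def search_space_bits(pw):
    """log2 of the number of candidates of this length over that pool."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def is_word_plus_number(pw):
    """True if pw is just a common word followed by digits (the dictionary pattern)."""
    return pw.rstrip(string.digits).lower() in COMMON_WORDS

if __name__ == "__main__":
    # Constructed sample passwords; "m3y3rs56" is the pattern used later in the text.
    for pw in ("fluffy2009", "fluffy!2009", "m3y3rs56", "m3y3rs5!"):
        print(f"{pw:12} pool={alphabet_size(pw):2} "
              f"bits={search_space_bits(pw):5.1f} "
              f"word+number={is_word_plus_number(pw)} "
              f"fails={policy_failures(pw)}")
```

Swapping one digit for an exclamation point in an eight-character password grows the pool from 36 to 68 characters, which is roughly seven more bits of search space, and the inserted symbol also breaks the word-plus-number match.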

Once you’ve forced your users to choose strong passwords, you should make them change passwords at regular intervals. Although this concept sounds good on paper, in the real world it is a hard policy to maintain. For starters, users tend to forget passwords when they change a lot. This can lead to an even bigger security problem because users start writing passwords down!

If your organization forces you to change passwords often, one way to remember the password is to use a numbering system. I worked at a company that required me to change my password at the beginning of each month, so I did something very simple. I took a root password—let’s say it was “m3y3rs5”—and simply added a number to the end representing the current month. So when June rolled around, for example, I would change my password to “m3y3rs56.” It worked pretty well!

* * *

NOTE Every secure organization sets up various security policies and procedures to ensure that security is maintained. Windows has various mechanisms to implement such things as requiring a strong password, for example. Chapter 26, “Securing Computers,” goes into detail about setting up Local Policies and Group Policy.

Windows XP and Windows Vista enable currently logged-on users to create a password reset disk they can use if they forget a password. This is very important to have. If an administrator resets the password by using User Accounts or Local Users and Groups, and you then log on with the new password, you will discover that you cannot access some items, including files you encrypted when logged on with the forgotten password. When you reset a password with a password reset disk, you can log on with the new password and still have access to previously encrypted files.

* * *

NOTE See the last section of this chapter, “Protecting Data with Encryption,” for the scoop on the ultimate in security.

Best of all, with the password reset disk, users have the power to fix their
