Corporate Security - Strength of Passwords as Measurement criteria

Posted Saturday, November 27, 2010 10:24 AM by hwaldron

Having tested password strength in the past, I have found that passwords can be a barometer of how well employees are following security guidelines and awareness programs. It's also a measurement of technical controls, as companies should have complex passwords as a requirement.

QUOTE: The strength of passwords used is a good indication of the security posture of an organisation, considering the userid and password combination is in many cases the first and last line of defence. It is quite important to get it right.

Most of us know that when we turn on password complexity in Windows it is no guarantee that the user will select a decent password. If a password is an 8-character password that passes complexity checking in Windows, not many of us would argue that it is therefore a decent password.

Another element needs to be in place to get decent passwords: user awareness. When you analyse the passwords you can identify whether reasonable passwords are being used and hence determine whether user awareness training has worked, a refresher is needed, or all is good. When cracking passwords you will also be able to determine patterns used by users, admin staff, service accounts, resource accounts, helpdesk etc. All useful information in determining the security posture.
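The two points the quoted diary makes, that a password can satisfy the Windows complexity policy and still be weak, and that the patterns in recovered passwords tell you something about each group of accounts, can be shown with a small audit script. The following Python is an added example, not code from this post or from the diary it quotes. The complexity check follows the documented Windows "Password must meet complexity requirements" rule (three of four character classes, password must not contain the account name); the 8-character minimum, the weak-pattern list, the account groups and the sample records are constructed assumptions for illustration, and the full-name token check that Windows also performs is left out.

```python
"""Windows-style complexity check beside a weak-pattern audit.

Added example, not from the original post or the quoted diary.
Assumptions: MIN_LENGTH is the separate minimum-password-length setting
(assumed 8); WEAK_PATTERNS and SAMPLE_RECORDS are constructed for illustration.
"""
import re
from collections import Counter

MIN_LENGTH = 8  # assumed "Minimum password length" policy value


def meets_windows_complexity(password: str, account_name: str) -> bool:
    """Mimic the documented Windows complexity rule plus a length minimum.

    - not shorter than MIN_LENGTH (separate policy, assumed here)
    - must not contain the account name (case-insensitive; skipped when the
      account name is shorter than three characters, as Windows does)
    - characters from at least three of four classes:
      uppercase, lowercase, digit, non-alphanumeric
    """
    if len(password) < MIN_LENGTH:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


# Constructed signatures of passwords that pass complexity yet are weak.
# Order matters: the first matching label wins, so the more specific
# patterns come before the generic "word+digits" shape.
WEAK_PATTERNS = [
    ("keyboard walk", re.compile(r"(qwerty|asdf|zxcv|1234|1qaz|2wsx)", re.I)),
    ("season+year", re.compile(r"^(spring|summer|autumn|fall|winter)[0-9]{2,4}[!.]?$", re.I)),
    ("word+digits", re.compile(r"^[A-Za-z]{3,}[0-9]{1,4}[^A-Za-z0-9]?$")),
]

NO_PATTERN = "no known pattern"


def classify(password: str) -> str:
    """Return the first weak-pattern label the password matches, or NO_PATTERN."""
    for label, pattern in WEAK_PATTERNS:
        if pattern.search(password):
            return label
    return NO_PATTERN


def audit(records):
    """Summarise (account, group, password) records per account group.

    Each group gets a Counter with: total, pass_complexity,
    complex_but_patterned (the case the diary warns about), and one
    "pattern:<label>" count per weak pattern seen.
    """
    summary = {}
    for account, group, password in records:
        counts = summary.setdefault(group, Counter())
        counts["total"] += 1
        passes = meets_windows_complexity(password, account)
        label = classify(password)
        if passes:
            counts["pass_complexity"] += 1
        if label != NO_PATTERN:
            counts["pattern:" + label] += 1
            if passes:
                counts["complex_but_patterned"] += 1
    return summary


# Constructed sample of recovered credentials, not real data.
SAMPLE_RECORDS = [
    ("jsmith",  "users",    "Password1!"),     # passes complexity, word+digits
    ("mjones",  "users",    "Summer2010"),     # passes complexity, season+year
    ("bclark",  "users",    "bclark99!"),      # fails: contains account name
    ("ahelp",   "helpdesk", "Welcome123"),     # passes complexity, word+digits
    ("svc_sql", "service",  "Qwerty!2010"),    # passes complexity, keyboard walk
    ("admin01", "admin",    "T7#kd!vP9qLz"),   # passes, no known pattern
]


if __name__ == "__main__":
    for group, counts in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{group:9s}", dict(counts))
```

Run stand-alone, the script prints one line per group; the `complex_but_patterned` count is the figure that separates "the technical control is on" from "users are choosing decent passwords", which is exactly the distinction the diary draws between the Windows policy and awareness training.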
