Infosec 2009: Common mistakes in password policies

By using passwords alone, it is still possible to achieve an acceptable level of security if an appropriate password policy is in place…

Choosing a good security policy always means working out a tradeoff between price, security and convenience: you can pick any two of the three. Passwords are usually the cheapest way of authenticating users compared with smartcards or biometric solutions. By using passwords alone, it is still possible to achieve an acceptable level of security if an appropriate password policy is in place, writes Olga Koksharova, marketing director at Elcomsoft.

Assigning employees long, random-character passwords every few weeks is as bad for security as allowing them to choose passwords freely without due audit. Passwords that are too long and too difficult to remember end up on the infamous yellow sticky notes, doing more harm than good to overall corporate security. This article discusses the various aspects of corporate password policies and identifies common mistakes in corporate security.

No password policy

This 'policy' is the largest mistake a corporation can make in security. Typically, the 'no security policy' approach implies that other security measures such as security cameras, surveillance systems, locks and security guards are sufficient to protect corporate secrets. However, in reality information is only as secure as the weakest link in the security system.

In practice, this simply means that the real level of information security is unknown, and the information is anything but secure. At the same time, the security staff and security equipment come at an additional cost, giving a false sense of security without providing any real security.

Poor password policy

Allowing employees to choose their own passwords without rules and without due audit most often results in weak, easy-to-guess passwords being selected. Under a poor password policy, just one or two passwords tend to protect all documents and network resources in the entire organization. Even if passwords are set to expire, employees simply alternate between a couple of passwords.

The easy-to-remember approach results in passwords being common words, telephone numbers, dates of birth, pet names and the like. Such passwords are easy to break with a simple dictionary attack. As security is only as strong as its weakest link, a single password is enough for an attacker to compromise the entire network: it lets the attacker work from the inside and opens endless possibilities for social engineering.

Overall, poor password policies provide no better security than no password policy.
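The weaknesses listed above (dictionary words dressed up with digits, telephone numbers and dates, and users alternating between a couple of old passwords at expiry) can be caught at password-change time. The following checker is an added example, not part of the original article or any ElcomSoft product; the tiny wordlist and the minimum length are constructed assumptions, and previous passwords are kept only as salted PBKDF2 hashes so the history itself does not become a weak link.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed mini wordlist for illustration; a real check loads a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "fluffy", "london", "qwerty"}
MIN_LENGTH = 10        # assumed policy value
HISTORY_DEPTH = 12     # number of previous passwords a user may not return to
PBKDF2_ROUNDS = 100_000

def history_entry(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store an old password only as a salted PBKDF2-SHA256 hash, never in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def reused(pw: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if pw matches any of the last HISTORY_DEPTH stored entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False

def check_password(pw: str, history: Optional[List[Tuple[bytes, bytes]]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Telephone numbers and dates: a run of digits, optionally split by spaces, / . - or brackets.
    if re.fullmatch(r"[+\d][\d\s()./-]{5,}", pw) and sum(c.isdigit() for c in pw) >= 6:
        problems.append("looks like a telephone number or date")
    # Common words, also when dressed up with digits or symbols (Summer2009!).
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if letters in COMMON_WORDS:
        problems.append("based on a dictionary word")
    if history and reused(pw, history):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems
```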

Too strict password policy

Assigning or requiring employees to set cryptographically strong passwords that are long, complex and consist of a random mix of alphanumeric characters and symbols, or setting password expiration intervals that are too short, has its own downsides. Password policies that are too strict result in passwords being written on the infamous yellow sticky notes kept on the desk, under the keyboard, in notebooks, or even stuck to the display.

Needless to say, this kind of 'security' is easily compromised. Outlawing the sticky notes results in a large number of calls to the company's helpdesk, which, according to surveys, can cost $25-30 per call. Either way, too strict a policy is either counterproductive and expensive to maintain, or easily compromised.

Inadequate password policy

Using strong passwords with weak encryption gives a company's officials a false sense of security. Many commercial products on the market feature merely nominal protection that can be removed instantly.

Besides providing nothing more than a false sense of security, the use of such products can be actively dangerous: the passwords used to protect documents are easily exposed to an attacker, who can then try them against other resources such as documents with stronger protection and network resources.

Even Windows is insecure in this respect. It features two authentication methods, LM and NTLM, and systems that still use the older LM authentication are vulnerable to attacks if passwords are shorter than 14 characters, which covers the majority of all system passwords. As a result, enforcing strong passwords alone is not enough to create a secure environment.
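An audit for this specific weakness is to check whether LM hashes are still being stored for any account. The script below is an added example, not from the article or an ElcomSoft tool; it reads a constructed dump in the common user:RID:LM hash:NT hash::: layout (the non-empty hashes are made-up hex, not real credentials) and reports accounts that still have an LM hash, accounts whose LM hash shows a password of at most 7 characters, and accounts with an empty password. The only real constants are the well-known LM and NT hashes of the empty password. Remediation is to stop storing LM hashes (the "Do not store LAN Manager hash value on next password change" policy) and force a password change so the stored hashes are regenerated.

```python
from typing import Dict, List

# LM hash of the empty password; dump tools emit it when no LM hash is stored for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password; identifies accounts with no password at all.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample; hashes for the non-empty accounts are made-up hex, not real credentials.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacyuser:1001:112233445566778899aabbccddeeff00:fedcba9876543210fedcba9876543210:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# comment line that an auditor might leave in the file
jsmith:1003:00ff00ff00ff00ffaad3b435b51404ee:1111111111111111aaaaaaaaaaaaaaaa:::
"""

def audit_dump(text: str) -> Dict[str, List[str]]:
    """Group account names by the LM-related finding that applies to them."""
    findings: Dict[str, List[str]] = {"lm_present": [], "lm_short_password": [], "empty_password": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not a user:RID:LM:NT record
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_present"].append(user)
            # LM hashes the (uppercased, padded) password as two independent 7-character halves.
            # If the second half equals the empty-password half, the password is at most 7 characters.
            if lm[16:] == EMPTY_LM[16:]:
                findings["lm_short_password"].append(user)
    return findings

if __name__ == "__main__":
    for finding, users in audit_dump(SAMPLE_DUMP).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```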

A comprehensive approach is always required to secure important information.

Weak link

Different products offer different levels of protection. Older authentication methods, cryptographically weak encryption or merely symbolic protection are used in the majority of products, with very few exceptions.

Even modern versions of Microsoft Office fall back to using weak encryption when saving documents in legacy formats for the sake of compatibility with earlier versions of the product.

Even the strongest passwords are useless when the documents and resources they protect are encrypted with weak algorithms: such protection can be removed instantly or in a matter of minutes.

If the same password is used to protect resources with both strong and weak protection, it is easy for an attacker to obtain full control over all protected resources. The entire system is only as secure as its weakest link; therefore, performing regular security audits is crucial to ensure security.

No security auditing and outdated security imperatives

Penetration testing helps detect vulnerabilities in corporate password security in time. Even if an adequate password policy is in place and no insecure products are used in the company, the exact level of information security remains unknown until it has been fully audited.

Various changes in the company, accounts of employees who left long ago, changes in security policies and leftover documents stored in insecure formats are just a few examples of vulnerabilities that an attacker can take advantage of. Algorithms and methods of encryption are compromised over time; as an example, DES, once a US government security standard, has not been considered secure for a long time now.

Periodic audits of the corporate network are required to ensure corporate security.


A good password policy is only one requirement for a good corporate security policy. Knowing how secure the passwords, applications and methods used to protect documents and various system resources really are is a must for building an appropriate security policy.

Regular security audits are required to ensure network security. ElcomSoft manufactures various tools to help IT administrators and security officers test security of corporate networks, and locate various vulnerabilities and potential issues with their security.

ElcomSoft is exhibiting at Infosecurity Europe 2009 on 28-30 April 2009 at Earls Court, London.
