
Password Policies

Status
Not open for further replies.

chvchk

Programmer
Aug 18, 2004
US
I'm not sure if this is the right place to post this. I apologize if it's not.

I'm the sole IT person at my company and am in charge of all systems, servers, software support, configurations, phones, etc.
There has never been a password policy in place. In fact, the box marked "change password at next logon" isn't checked when a new user account is added to the domain, so many passwords in the company are the original password given when they were first set up. Passwords are shared, rarely, if ever, changed, easy to guess, etc., etc. This has bothered me since I arrived in this position a little more than a year ago but received resistance when I mentioned my concern so I haven't made any changes.

I've proposed a password policy that requires users to change their passwords every 4 months, requires at least 8 characters and is med - strong. However, all of management is balking at it saying they don't want to change passwords, they need to be able to share them with other people in their department for access when they're out of the office, etc. So the owner of the company said No... we're not going to implement a password policy.

I'm going to meet with him today and ask him to reconsider. I'm willing to loosen the policy somewhat, but I'm very determined that a policy should be in place.

What's the best way to convince them of this?

Their mentality is to wait until there is a problem then act. I told them that if I wait until there is a problem, then I'm not doing my job.
If it helps, we're a manufacturing company with just under 100 employees, 45 of which have computer accounts.
 
chvchk said: "we're a manufacturing company"

Isn't the owner concerned about trade secrets, contract financial information, employee personnel records, and some other typically protected business information?

Sharing passwords is never a good idea - even when someone is out of the office. The use of shared folders and delegates for email would be a more secure way of doing things without disrupting day to day business.
 
I'm having a hard time understanding their point of view. I've addressed the issue of e-mails while they're out of the office and created an importable rule to forward e-mails and send an auto reply while they're out.
I'm meeting with the managers on Monday to address their concerns as this was brought up in a management meeting yesterday by my manager who has no technical knowledge of IT or security so his explanation obviously scared some people.
 
Hi chvchk -

One of the most challenging tasks . . . obtaining upper management support! One of the best places to start for new policy review is the SANS Institute. They have some great templates for your review and perhaps you would be able to present these as building blocks to your management team. You can tweak them to your company's needs.

Visit Here:

About half-way down the page you'll see everything from password policies, acceptable use policies, email policies, etc.... Maybe one or a combination of some would help you out.

As far as the mentality of your owner/management team -- sadly enough, when there is a "password problem" it's usually too late. Your system/network has already been compromised. Getting buy-in and top-down support from your owner/senior management is crucial for an effective security use policy. Many times this means providing training & education to your end users. That's what I had to do. I created a complete SETA (Security Education, Training and Awareness) course and offered it to all staff. Especially with the various spyware/trojans/worms/keyloggers/virus/etc... strong passwords are more important today than ever.

Lastly, if they are truly dead-set against changing anything, I would ask this info be put into your employee/personnel record. Simply stating you proposed a security policy & password guideline for your company and it was rejected. And have your owner sign it. That way if anything should ever come up in the future you'll have a CYA file at the very least.
 
Michigan,

Thanks for the great ideas. The SANS institute has some great policies. In fact, this is where I started and built the policies I proposed around their templates. I adopted the computer use policy, password policy, and remote access policy. They didn't have a problem with the computer use or remote access policies, but wow...you would've thought I took their computers away from them with the reaction the password policy received.
I agree that a lot of it is misunderstanding of the policy.
I'll be meeting with the management team on Monday to ask them where their concerns lie and talk through this.

I think a training and awareness course would be an excellent idea. Do you have any good links of where I could start assembling something like this?

I like the idea of putting something in my personnel file if they deny it. I'm all for CYA :)
 
Maybe when you apply the next "service pack" it should "automatically" enable just password expiration. Blame it on Microsoft but Win2k server SP3 did that for me once.

Once users get used to changing passwords every so often the complexity issue becomes much easier to deal with...
 
As a fallback position, try to sell them on the idea of using RSA keys to log on in addition to their never-changing passwords.
 
AlexIT,

That's funny you mention that. I seriously considered doing this...and I may if it's denied. My only worry would be that someone would research it and discover that it wasn't part of the patch.
Even if we had just password expiration in place, I would feel better.
 
As a last resort, you could look around for a new job. It is worrisome when management won't support you on such a basic security risk. What other things are going to come up that they will not support you, but are going to blame you later when things blow up?
Why fight it? Go somewhere else where management admits that 'just because that's how we have always done it' is not a good enough reason.
You know when problems develop you are going to be the one that works through the weekend and 16 hours a day to fix it while they are sitting at home rotting their minds on sitcoms.
 
chvchk -

For the training protocol, I put together a very detailed yet easy to follow outline. More specifically, I used a ton of layman's terms and examples (not to mention a ton of screen prints). I touched on a little bit of everything - from hoaxes & social engineering tricks to SPAM and keyloggers.

I used the screen shots from the old L0phtHI to show how fast passwords can be cracked, what a keylogger looks like and why email auto-replies are the devil's best friend. I then moved into trojans/worms/RATs and viruses, phishing attempts (again with the screen shots), Nigerian letters/419s, etc. . . You name it, I covered it. However, rather than boring them with geek-lingo as to what MD5 hash algorithms look like, I tried to make it as lite as I could without losing the importance of the topic.

At the end of training people really were much more open-minded to the entire security concept. Everyone walked away having learned a great deal. More importantly was the value-added to the security initiative. Not only had I provided a value to each staff member they could use @ the office, but many quickly saw the value knowing they could apply these same measures on their personal PCs at home. [[ I had buy in. ]] And the more people you have on board the better. In a sense, a win-win situation for all.

Good luck.
 