Posted by BESadmin (Administrator), 25-10-2006, 03:55 PM
IT Policy Spotlight: Password Policies

25th October 2006

Password protecting the access to enterprise systems, data and networks is an obvious security precaution. Most employees are used to having passwords for their computers, voicemail and other office technologies. So why aren’t secure passwords for mobile devices more common? Surprisingly, this is often a security black hole since many organizations lack formal IT policies to help protect handheld devices from unauthorized access.

Without a clear policy for verifying password integrity and password practices on mobile devices, your organization is putting itself at risk. Security breaches can threaten competitive position, result in litigation for failing to protect confidential client information, or lead to serious financial losses.

Fortunately, there are ways to reduce vulnerability and increase security. And it all starts with a plan for verifying password integrity and implementing policies that encourage sound password habits.

Weak Passwords Threaten the Security of Mobile Devices
One challenge for employees is that passwords must be memorized and frequently changed. Before they know it, they have racked up a long list of passwords for both work and home. Many people then write them down and store them in a wallet or coat pocket, or worse, post them in plain view. That means accessing confidential client or corporate information can be very easy for an intruder who has a few minutes to rummage through an office.

The other issue is the way employees use memory cues to make passwords easier to remember. Using part of a phone number, family name, social security number or birth date may seem innocuous enough. But the truth is this information is available through online databases and anyone looking to gain access to a mobile device is well schooled in how to access these details. Even recycling old passwords to create new ones offers an intruder a helping hand into your protected corporate data.

Strong Passwords Are the Key
There is no such thing as a truly impenetrable password, but a strong password should require a lot of time and effort to crack. The best passwords are often longer.

Increasing the length of a password by just one character significantly increases the time and effort it takes to guess the exact combination of letters and numbers.
Other features of strong passwords include these elements:
  • At least eight characters in length
  • A combination of letters in mixed upper- and lower-case and numbers
  • Known only to the user (i.e., not present in any database)
  • Not found in an English or foreign language dictionary
  • Never shared
  • Never written down

Password Policies
The IT administrator is well versed in the importance of securing key enterprise systems and the ideal person to take up the gauntlet of improving handheld security. Often your first step is just letting employees know that passwords are needed on their mobile devices.

Many employees have never thought about it before. Once they know the potential risks to customers, the company and their jobs should data be compromised, most people are eager to do the right thing. Then, it’s up to the IT team to set password administration and control guidelines and define password creation procedures. Communicating these guidelines and monitoring performance is a surefire way to ensure end-to-end mobile security.

BlackBerry Enterprise Solution – Over 200 published IT policies
The BlackBerry® Enterprise Solution includes more than 200 published IT management policies and leads the way in helping administrators manage and control their wireless solution.

Think policy controls are limited to setting a ‘true’ or ‘false’ condition? Take a look at the entire IT policy section dedicated to passwords so administrators can effectively manage and enforce passwords at the device level. You can specify everything from the minimum password length to the number of minutes that elapse before a security timeout. Find out about ways to ensure that recent passwords aren’t recycled, password requirements can’t be disabled, how users can initiate a warning message if their handheld is in danger of being stolen, and much more.

The BlackBerry® Enterprise Solution password policies are a comprehensive list of useful tools and include the following rules:
  • Password Required
  • Minimum Password Length
  • Forbidden Passwords
  • Password Pattern Checks
  • Maximum Password Age
  • Maximum Password History
  • Maximum Password Attempts
  • Periodic Challenge Time
  • Password Timeout Maximum
  • Security Timeout
  • Suppress Password Echo
  • Duress Notification Address

To find out more about each password policy rule, access the BlackBerry® Enterprise Server Policy Reference Guide, which includes all the IT Policies available with the BlackBerry Enterprise Solution.

Password policies are only one component of maintaining a secure mobile solution. Next month, we’ll review Application Control policies and the role they play in protecting your corporate data.
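The strong-password criteria listed in the post, together with the forbidden-password and password-history rules it names, written as a checker. This is an added example, not part of the original post and not BlackBerry code; the word list, salt, history, sample passwords and the use of PBKDF2 for the history are assumptions made for illustration.

```python
import hashlib
import math

MIN_LENGTH = 8       # "At least eight characters in length"
ALPHABET_SIZE = 62   # upper-case + lower-case letters + digits, per the post's list

# Constructed sample data (assumptions for this example only).
FORBIDDEN = {"password", "blackberry", "qwertyui"}
SALT = b"constructed-demo-salt"

def digest(password):
    """Salted, slow digest so the history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def check_password(candidate, history, personal_info=()):
    """Return the rules the candidate violates (an empty list means accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_upper and has_lower and has_digit):
        problems.append("needs upper, lower and digit")
    lowered = candidate.lower()
    # Forbidden or dictionary words, ignoring digits tacked on the end.
    if lowered in FORBIDDEN or lowered.rstrip("0123456789") in FORBIDDEN:
        problems.append("forbidden word")
    # Memory cues such as a family name, phone number or birth date.
    if any(item.lower() in lowered for item in personal_info if item):
        problems.append("contains personal information")
    # Recycled passwords are rejected by comparing digests with the history.
    if digest(candidate) in history:
        problems.append("recently used")
    return problems

def search_space_bits(length, alphabet=ALPHABET_SIZE):
    """Exhaustive-search space, in bits, for a randomly chosen password."""
    return length * math.log2(alphabet)

HISTORY = {digest("Tr4ilMix2005"), digest("Tr4ilMix2006")}

if __name__ == "__main__":
    for pw in ("Password1", "smith1974", "Tr4ilMix2006", "vK7pdR2mXq"):
        print(pw, check_password(pw, HISTORY, ("Smith", "1974")) or "accepted")
    # Each extra character multiplies the search space by the alphabet size.
    print(round(2 ** (search_space_bits(9) - search_space_bits(8))))
```

The search-space figure applies only to randomly chosen passwords; one built from a dictionary word or personal detail falls far sooner, which is why the checker tests for those separately.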
