
Small Business Password Policy?

Solved by comicsansms.

So I work for a small company with 6 office staff. I'm trying to get our system a little more secure. As of right now all the users have the same basic password for logging in to their computers (yeah, I know). I would feel a lot better about the security of our systems if they all had complex passwords (in a perfect world), but trying to get everyone to remember a complex password isn't something that they're going to do. I can't even get them to remember their email passwords half the time. I know we're decently protected with virus and firewall protection for most things, but I'm wondering how important it is to have a better password for logging in to the computers (not the same for everyone). Just looking for some input.

Thanks!

Ryan


I would say go for somewhat complex passwords and then stick with them. Many places are still in the practice of requiring frequent password changes, but it's actually better to just have a very secure password than a constantly changing simple one, as it's harder to brute-force and guess, and it doesn't require the users to remember a new password every month or so. Once the phase of learning the complex passwords is over, it should be pretty secure.

 

You could also look into some biometric security to replace, or go alongside complex passwords. Logging in with fingerprints or similar makes it easier on the users and really, unless you have some particularly sensitive data that someone wants, it's unlikely someone will actually spoof someone's fingerprint. 

 

To be honest, I would be more concerned with network security than with passwords on each system. In general, it's best to avoid using WiFi where possible, and where it is needed, you should separate areas of the network that don't need to communicate with other areas to reduce the number of potential entry points. If you just have WiFi for people to connect their phones to in order to have internet access or something, and no actual business-related stuff goes over the WiFi, then have it all on a separate VLAN from the business parts of the network to make it harder to gain access to business data.


Thanks for the input. I am currently in the process of setting up the network so the domain computers are separated from everything else (when I came in, things were set up pretty weird), so that's one step I will be taking for sure.


Get them to change their password, get them to change their passwords to 3 objects that they see in the office (Chair, Stapler, Coffee), add their internal phone number or the last 2 digits of their mobile number (chairstaplercoffee90), and you are off to the races. That may not be a particularly strong password since it has 3 dictionary words in it, but it is good enough for your use case.

 

Honestly, I think the employees knowing each other's passwords is not a bad thing (not a good thing though), especially since the company is so small; the threat would likely extend from attacks, so if a reckless, not-so-high-up employee has the same password as the accountant, and their password gets leaked, the attacker would also have access to the accountant's account.


That's kind of where I was heading with this. I'm not overly worried about someone walking in and jumping on to a computer but I think the passwords should be a little stronger than just one basic word...

Thanks!


21 minutes ago, Comic_Sans_MS said:

Get them to change their password, get them to change their passwords to 3 objects that they see in the office (Chair, Stapler, Coffee), add their internal phone number or the last 2 digits of their mobile number (chairstaplercoffee90), and you are off to the races. That may not be a particularly strong password since it has 3 dictionary words in it, but it is good enough for your use case.

 

Honestly, I think the employees knowing each other's passwords is not a bad thing (not a good thing though), especially since the company is so small; the threat would likely extend from attacks, so if a reckless, not-so-high-up employee has the same password as the accountant, and their password gets leaked, the attacker would also have access to the accountant's account.

That's a good start, and it's really easy to get past the dictionary-word problem. Replace the first letter of each word with the first letter of your first name and replace vowels with the character or number that it looks like. For example, Linus would turn "chairstaplercoffee90" into "Lh@!rLt@pl3rL0ff3390". Unfortunately, that is probably too complicated for some.


Yeah, I'm thinking something as complex as that would lead to me resetting their passwords every other day. Lol. I'd like a little more security without having them come to me every two seconds complaining that I had to implement this new rule and now they can't get any work done. xD


Considering that the login password for Windows can be cracked/removed easily, it doesn't really matter...


Yeah, I'm firmly on the 'doesn't really matter' side. Give them a guideline of common passwords not to use (password, 1234, qwerty, etc.) and let them pick their own.


I worked for a company where passwords were predictable and we were not allowed to change them. We were able to guess each other's passwords very easily. It made the admin look stupid.

 

I like to remember a sentence and then scramble it in my head. Something I can remember but that is not in any dictionary and does not have pr3d1ct4bl3 substitutions. It can also be very long if I want it to be.

For example, take every third letter from a song chorus and every second letter from a verse; there are your random-looking letters.

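The three schemes proposed in this thread (three office objects plus a couple of digits, the look-alike substitutions, and letters picked out of a remembered sentence) and the "common passwords not to use" guideline can all be checked with one small script. This is an added example, not code from any post in the thread. The blocklist, the office word list, the thresholds MIN_LENGTH, MIN_BITS and DICT_SIZE, and the sample sentence are constructed assumptions; the bit estimates are rough guessing-resistance figures, not a real attack model.

```python
"""Password-policy checker for the schemes suggested in this thread.

Added example, not code from any post above. The blocklist, the office
word list, the thresholds and the sample sentence are constructed here for
illustration; a real deployment would load a breached-password list and a
large dictionary instead.
"""
import hashlib
import math
import re
from typing import List, Optional

MIN_LENGTH = 12      # assumption: policy minimum, comfortably above the usual 8
MIN_BITS = 40        # assumption: reject anything below this rough estimate
DICT_SIZE = 10_000   # assumption: size of the word list an attacker combines

# Constructed "common passwords not to use" list, as the thread suggests.
BLOCKLIST = {"password", "password1", "1234", "12345", "123456", "qwerty",
             "letmein", "welcome", "admin", "abc123"}

# Constructed stand-in for an attacker's word list of everyday office objects.
OFFICE_WORDS = {"chair", "stapler", "coffee", "desk", "lamp", "phone", "mug",
                "printer", "window", "plant", "pen", "keyboard", "monitor"}

# Undo the look-alike substitutions (@ for a, 3 for e, ...) the way cracking
# rule sets do, so "c0ff33" is judged as "coffee".
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def split_core_and_digits(password: str):
    """'chairstaplercoffee90' -> ('chairstaplercoffee', '90')."""
    return re.fullmatch(r"(.*?)(\d*)", password).groups()


def normalize(core: str) -> str:
    return core.lower().translate(UNLEET)


def split_into_words(core: str) -> Optional[List[str]]:
    """Greedy longest-match split into OFFICE_WORDS; None if any stretch is
    not a dictionary word (mangled or scrambled text counts as non-dictionary)."""
    out, i = [], 0
    while i < len(core):
        for j in range(len(core), i, -1):
            if core[i:j] in OFFICE_WORDS:
                out.append(core[i:j])
                i = j
                break
        else:
            return None
    return out


def estimate_bits(password: str) -> float:
    """Dictionary words count log2(DICT_SIZE) each and trailing digits
    log2(10) each; anything that does not split into words is scored as a
    brute-force search over the character classes present."""
    core, digits = split_core_and_digits(password)
    words = split_into_words(normalize(core))
    if words:
        return len(words) * math.log2(DICT_SIZE) + len(digits) * math.log2(10)
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^a-zA-Z\d]", 33))
    charset = sum(size for pat, size in classes if re.search(pat, password))
    return len(password) * math.log2(charset) if charset else 0.0


def fingerprint(password: str) -> str:
    """Unsalted SHA-256, used only to compare a new password against other
    accounts without keeping plaintexts. Store real credentials with a
    salted, slow hash (bcrypt/argon2), never like this."""
    return hashlib.sha256(password.encode()).hexdigest()


def check(password: str, other_fingerprints=frozenset()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    core, _ = split_core_and_digits(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST or normalize(core) in BLOCKLIST:
        problems.append("on the common-password blocklist")
    if fingerprint(password) in other_fingerprints:
        problems.append("already used by another account")
    words = split_into_words(normalize(core))
    if words and len(words) == 1:
        problems.append(f"a single dictionary word plus digits ({words[0]})")
    bits = estimate_bits(password)
    if bits < MIN_BITS:
        problems.append(f"estimated {bits:.0f} bits, below {MIN_BITS}")
    return problems


def derive_from_sentence(sentence: str, step: int = 3) -> str:
    """Every step-th letter of a remembered sentence; spaces and punctuation
    are skipped."""
    letters = re.sub(r"[^A-Za-z]", "", sentence)
    return letters[step - 1::step]


# Constructed sentence standing in for the remembered song chorus.
SENTENCE = "Our office coffee machine breaks every Monday morning without fail"

if __name__ == "__main__":
    taken = {fingerprint("chairstaplercoffee90")}  # already the accountant's
    for cand in ["password", "P@ssw0rd", "chair90", "chairstaplercoffee90",
                 "Lh@!rLt@pl3rL0ff3390", derive_from_sentence(SENTENCE)]:
        verdict = check(cand, taken) or ["OK"]
        print(f"{cand:22} {estimate_bits(cand):6.1f} bits  {'; '.join(verdict)}")
```

Run on its own, the script shows the point the thread keeps circling: a single word plus digits fails on length, on the dictionary rule and on the estimate, while three objects plus two digits clears the bar even before any substitutions, and the substituted form only adds to that. The fingerprint comparison is what catches the "everyone shares one password" situation from the opening post: the admin keeps fingerprints of the passwords already in use and refuses a new one that matches.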

I think it may be possible to use a flash drive to store a (highly) complex password. If you can configure it that way, give each person there a flash drive (1-4 GB is more than enough, and quite cheap) and use a master drive for yourself. 


Lol, I feel like they would just leave that by their desk no matter how many times I asked them not to... I appreciate the idea though. I would love to implement something like that!


1 minute ago, G33kman said:

Lol, I feel like they would just leave that by their desk no matter how many times I asked them not to... I appreciate the idea though. I would love to implement something like that!

How about linking the computers to their smartphones?


No, because not everyone has a smartphone. My boss would break a smartphone in about 2 seconds on the job site. Lol


Phone numbers, then? Old SMS.


Lol, sounds too complex for the solution I'm after. I think I'll just be setting up separate passwords for everyone with a basic complexity.


LOOOL. Anyway, good luck.

 

P.S.: Some flash drives are very small; they can be attached to one's keys.


That's a very valid point! I just know the sales guys, and they're all about doing as little as possible, whether that be in their job or in using the computer, unfortunately...
