Why do I have to keep changing my password?

April 22, 2008 at 11:20 pm (Helpful Information)

For most of the servers I manage, I enable the policy that requires a new password, usually every 120 days, sometimes 90 depending on the company's turnover.  There are a couple of reasons for this, not the least of which is how easy it is to hack into an office with a chocolate bar.

The basic problem is that most people don't really have any reservations about giving away their passwords.  They think they are protected by anonymity or that it doesn't matter much.  In my experience, passwords are almost always shared with other employees in the office.  This turns out to be a problem if a conflict arises and that employee leaves the company on bad terms.  My normal procedure is to lock that user's account and make sure they can't start deleting or deliberately corrupting data.  But in a lot of cases, I have to go through the process of changing everybody's password, because so many people shared theirs with that person while working together.

Although changing the password doesn't eliminate the immediate threat of an employee gone bad or of passwords given away in exchange for chocolate, it does reduce the risk.  After all, by the time a person tries a password they thought they knew, it may have already changed.

So I apologize for the inconvenience, but for any server with remote access enabled, it's very important to keep those passwords hard to guess and to yourself.  Keep these points in mind:

  • Using the same password over and over and just incrementing a number at the end does not make your password hard to guess.
  • Although someone you know (or someone offering you chocolate) may gain access to your password through direct means, I think the bigger threat is random attacks coming from the Internet.  If you look at the firewall logs for any computer directly connected to the Internet, you'll see hundreds if not thousands of attempts per day to get in from random sources.  Most of this traffic is merely looking for a computer to use for sending junk mail, so most attacks are aimed at mail servers.  Against those automated systems trying to guess a password, having a "complex" password usually isn't enough anymore.  It's how long a password is that slows down a brute-force attack (trying every possibility).  This is why all my servers have passwords that are complete sentences.  They are easy to remember and easy to type, though a bit long.  For example, "It's a great day outside!" is a better password than "pa$$w0rd".
  • Pending the company owner's permission, I am willing to exempt your account from that rule if you really do keep a tight rein on your password and do not give it away to anyone for any reason.
  • You do not need a co-worker's password to check their e-mail or use their computer while they are on vacation.  That co-worker (or I) can grant you permission to open their inbox from your own account.  Likewise, with a server in place, you can log on to any computer in the office, not just the one originally assigned to you.  You will not have any more access to information than you would from your own machine.  Owners, this means you can relax about your QuickBooks or other confidential data.  Even if an employee logs in to your computer with their own name and password, they will not be able to open any documents that have been properly secured.  Keeping files on your own computer instead of the server is not a security model, it's a disaster waiting to happen, especially if you don't back up that data manually.
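To put numbers behind the first two bullets (incrementing a trailing digit, and length beating "complexity" against a brute-force guesser), here is an added example; it is not code from the original post. It assumes the guesser knows which character classes the password uses and tries the whole keyspace, and the guessing rate `GUESSES_PER_SECOND` is an assumed figure for illustration, not a measurement.

```python
"""Estimate how much a password slows down an exhaustive guesser.

Added example, not code from the original post.  Assumptions: the attacker
knows which character classes appear in the password, tries every
combination in that keyspace, and can test GUESSES_PER_SECOND candidates
per second (an assumed, illustrative rate).
"""
import math
import re
import string

# Assumed guessing rate for the time estimate (illustrative, not measured).
GUESSES_PER_SECOND = 1e9

# Character classes and how many symbols each contributes to the keyspace.
_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), len(string.punctuation) + 1),  # 33
]


def keyspace_size(password: str) -> int:
    """Symbols per position an exhaustive guesser must consider, based on
    which character classes actually occur in the password."""
    return sum(count for chars, count in _CLASSES if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Bits of entropy if each position were drawn uniformly from the keyspace.
    This is an upper bound: real sentences are far from uniform."""
    return len(password) * math.log2(keyspace_size(password))


def brute_force_years(password: str) -> float:
    """Worst-case years to exhaust the keyspace at the assumed rate."""
    combinations = keyspace_size(password) ** len(password)
    return combinations / GUESSES_PER_SECOND / (365 * 24 * 3600)


def is_digit_suffix_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only the trailing number changed, i.e.
    the "bump the number at the end" habit the post warns against."""
    m_old = re.fullmatch(r"(.*?)(\d+)", old)
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    if not (m_old and m_new):
        return False
    return m_old.group(1) == m_new.group(1) and m_old.group(2) != m_new.group(2)


if __name__ == "__main__":
    for pw in ("pa$$w0rd", "It's a great day outside!"):
        print(f"{pw!r}: keyspace {keyspace_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits, "
              f"{brute_force_years(pw):.2e} years worst case")
    print("Summer2008 -> Summer2009 is a suffix variant:",
          is_digit_suffix_variant("Summer2008", "Summer2009"))
```

The estimate is deliberately generous to the defender only in one direction: it assumes every character is independent, so a natural-language sentence is credited with more bits than a dictionary- or phrase-based guesser would actually have to search. The length effect still dominates, which is the post's point, but the sentence should be one you made up rather than a famous quotation.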
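The second bullet mentions the hundreds of daily login attempts visible in the logs of any Internet-facing machine. The following added example (not from the original post) shows the check an administrator would run over such logs to separate a guessing source from an employee who mistyped once: it counts failed logins per source address inside a sliding time window and reports sources that exceed a threshold, along with how many different usernames they tried. The log lines are constructed for the example using RFC 5737 documentation addresses in the common OpenSSH syslog format; the window and threshold are assumed values to be tuned locally.

```python
"""Flag source addresses that are guessing passwords, from auth-log lines.

Added example, not code from the original post.  SAMPLE_LOG is constructed
(documentation addresses 203.0.113.x / 198.51.100.x); WINDOW_SECONDS and
THRESHOLD are assumed starting values, not recommendations from the post.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH-style syslog line: "<mon> <day> <time> <host> sshd[<pid>]: Failed password for [invalid user] <user> from <ip> ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: one automated guesser, one employee typo, one lone probe.
SAMPLE_LOG = """\
Apr 22 23:01:02 fileserver sshd[4111]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 22 23:01:03 fileserver sshd[4112]: Failed password for invalid user test from 203.0.113.7 port 51235 ssh2
Apr 22 23:01:03 fileserver sshd[4113]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr 22 23:01:04 fileserver sshd[4114]: Failed password for invalid user oracle from 203.0.113.7 port 51237 ssh2
Apr 22 23:01:05 fileserver sshd[4115]: Failed password for root from 203.0.113.7 port 51238 ssh2
Apr 22 23:01:06 fileserver sshd[4116]: Failed password for invalid user guest from 203.0.113.7 port 51239 ssh2
Apr 22 23:05:40 fileserver sshd[4120]: Failed password for jsmith from 198.51.100.22 port 40001 ssh2
Apr 22 23:05:51 fileserver sshd[4121]: Accepted password for jsmith from 198.51.100.22 port 40001 ssh2
Apr 22 23:40:00 fileserver sshd[4130]: Failed password for root from 203.0.113.9 port 33001 ssh2
"""

WINDOW_SECONDS = 300   # assumed: 5-minute sliding window
THRESHOLD = 5          # assumed: failures from one source inside the window


def parse_failures(text, year=2008):
    """Yield (timestamp, user, ip) for every failed-login line.
    Syslog omits the year, so it is supplied by the caller."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforcers(text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: (peak_failures_in_window, distinct_usernames)} for every
    source whose failures inside any `window`-second span reach `threshold`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it is within `window` of `end`.
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len({user for _, user in events}))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within {WINDOW_SECONDS}s across {users} usernames")
```

A high count of distinct usernames from one address is the tell-tale of the automated scanning the post describes (it is trying account names, not a person's forgotten password), and that is the signal to feed into a firewall block list or a lockout rule; the single failure from 198.51.100.22 followed by a success is an employee, and should not trip anything.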
