In January, leading data security company Imperva released a report called Consumer Password Worst Practices, in which the company analyzed 32 million exposed passwords. As an IT administrator, you might not be surprised to learn that the most frequently used passwords are consecutive strings of numbers, letters and numbers (e.g., 123456, abc123), or common words and phrases (e.g., princess, iloveyou, qwerty). And—shockingly (not really)—the fourth most commonly used password is, in fact, the word “password.”
We all know what constitutes a secure password: It doesn’t contain any personal or identifying information (user’s name, birth date, city, child’s name, dog’s name), it isn’t easy to guess (à la “password”), and it contains unique characters (numbers, both uppercase and lowercase letters, special characters such as an underscore). But getting users to actually employ secure passwords is like pulling teeth. They have a hard time coming up with unique passwords, and they have an even harder time remembering them. If you do convince your users to create strong passwords (or require that they do so), they invariably jot the passwords down on sticky notes that they then attach to their computer monitors. So much for security.
Strong Passwords
Because insecure passwords have serious security implications in the enterprise, enforcing strong password policies is important. In its password report, Imperva provides some best practices for selecting strong passwords.
- Passwords should have at least eight characters.
- Use a mix of different character types (e.g., upper case, lower case, numbers, special characters). If the password contains only one letter, number, or special character, it shouldn’t be the first or last character in the password.
- The password shouldn’t be a name, a slang word, or any word that can be found in the dictionary. It also shouldn’t contain any part of the user’s name or email address.
Now What Was That Password Again?
Unfortunately, strong passwords are difficult to remember. One of the main drawbacks of enforcing strong password policies is that when a user forgets his or her password, the IT administrator must drop everything and immediately recover or reset that password. Time wasted because a user has forgotten his or her logon password and can’t access the system is lost productivity. However, the time a systems administrator spends every week or month resetting passwords is equally wasteful. A great solution is a password reset product.
Numerous software products exist for automatically resetting Windows passwords. These solutions substantially reduce IT administrator involvement. Users need only answer a series of questions (which in some cases the administrator must initially configure). Some products temporarily reset the password to a random, automatically generated password that the user must then manually reset, whereas other products let the user reset his or her password immediately.
All of the password reset products included in this buyer’s guide allow users to reset passwords from the Windows logon screen. Most of the products also provide a web interface for resetting passwords, and a few offer telephone access. Some of the products even generate an email to inform users of impending password expiration.
Take IT Out of the Picture
The most common call IT administrators receive is to reset users’ passwords. In fact, these calls constitute 25 percent of all Help desk requests. No wonder users complain that their IT administrators are slow in responding—if you’re running around resetting passwords for 2 hours a day, it’s hard to get any real work done. A better solution is to put the power back into users’ hands, and free up your IT resources for more important tasks. Consider the password reset products in the accompanying table, or another similar product. The time you save will be well worth the price.
[Editor's Note: Information in this buyer's guide comes from vendor representatives and resources and is meant to jump-start, not replace, your own research; also, some products might have been left out, either as an oversight or from lack of vendor response.]
