DoTS InfoSecurity



Password Usage Recommendations

October 23, 2003

Environmental Scan:

The lax and inconsistent use of passwords currently in DPS has created several potential security risks. Passwords are the only piece of information that identifies a user to a particular information system. If a password were to become compromised, then unauthorized access to DPS’ information systems may be possible using that password. As more information systems become incorporated into DPS, passwords provide access to highly sensitive data. An example is Lawson’s Self-Evident Application (SEA), which allows DPS staff to update their own benefits information (and soon to view their payroll information online). The value of password confidentiality has grown much more personal and important.

Statement of Problem:

Several password policies and procedures at DPS go against information security “Best Business Practices” and may allow for unauthorized access to information systems.

I. It has become a common practice for DPS staff throughout the district to maintain lists of passwords for the users that they support and/or work with. Board policy EGAEA, Electronic Mail, states that users “may not leave their password available in an obvious place near the terminal or share their password with anyone except system administrators.” The primary reason for keeping password lists is to support newer computers, which now keep a user’s personal settings in a unique profile that is different for each user. In order to set up certain applications such as e-mail, the user being assisted must be logged on. However, having access to another user’s password compromises non-repudiation, which is the certainty that the user logged in is actually the person that the login belongs to. A shared password may allow a malicious user to compromise the integrity of DPSNet and/or enterprise data systems while logged on as another user. Another area where passwords are commonly shared in schools is when a teacher’s password is given to a substitute. While this may allow the substitute to perform certain duties faster using the faculty member’s login, it is a misuse of the login and may provide an avenue for unauthorized access in the future.

Human Resources is implementing a new information system called Self-Evident Application (SEA) that utilizes a user’s Windows password to authenticate them to the system. SEA allows a staff member to view and make changes to their benefits information and soon will allow users to view their payroll information as well. If users share their passwords with anyone other than DoTS technicians, that unauthorized user will have the ability to view the password owner’s personnel data within SEA.

II. Currently, several information systems at DPS do not expire passwords at all, even though they are capable of doing so. The end result is a large number of passwords that may be several years old and may also have been shared. If such a password has been compromised, an unauthorized user has access, and since the password is never changed, that access persists indefinitely.

Recommendations:

I. A recommendation will be presented to the Board of Education to amend existing District policies to prohibit all forms of password sharing except with authorized DoTS technicians at the user’s discretion. The user will then have the option to change their password after service from DoTS is completed. Once the current policies have been updated, an education campaign will be created to inform technicians and users about the expectations surrounding password security. Additionally, part of the user education will include instructions on how to create good passwords that are easy to remember but difficult to guess or crack using many of the hacker tools freely available.

II. Many enterprise software applications contain password management options that are not being used, such as password expiration. DPS will improve its password security significantly by enabling these password security features. First, DoTS technicians should only create passwords that are “pre-expired,” meaning that the user must change their assigned password the first time they log on. Forcing the user to change the password prevents the user from continuing to use a password that is known by the technician who created the account. Second, DPS should recommend to users that they change their passwords at least once every 90 days, especially users who have access to highly sensitive information, such as principals and secretaries. As DPS has operated for many years without password expiration, it will be necessary to begin enforcing password expiration in a phased approach. Otherwise, there is a high potential to lock out several thousand users at once who have never changed their passwords. Finally, some information systems support strong password enforcement, meaning they require the user to pick a password that has at least one number or punctuation symbol as part of the password. Requiring letters and numbers in a password helps the user pick a password not found in a dictionary, making it harder for a hacker to guess the user’s password.
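The phased expiration rollout and the strong-password rule described above, as an added illustration that is not part of the DoTS memo: stale accounts are ordered with sensitive roles first and the oldest passwords next, then spread over weekly batches so that a 90-day maximum age never locks out everyone on the same day. The batch size, interval, and sample accounts are constructed assumptions.

```python
from __future__ import annotations
import string
from dataclasses import dataclass
from datetime import date, timedelta

MAX_AGE_DAYS = 90         # the memo's recommended maximum password age
BATCH_SIZE = 2            # assumed: accounts forced to change per batch (tiny for the demo)
BATCH_INTERVAL_DAYS = 7   # assumed: one batch per week

@dataclass
class Account:
    username: str
    last_change: date | None   # None: never changed since the technician set it
    sensitive: bool = False    # roles with access to sensitive data (memo: principals, secretaries)

def password_age_days(acct: Account, today: date) -> float:
    """Age of the current password; a never-changed password counts as infinitely old."""
    if acct.last_change is None:
        return float("inf")
    return (today - acct.last_change).days

def needs_rotation(acct: Account, today: date) -> bool:
    return password_age_days(acct, today) >= MAX_AGE_DAYS

def phased_schedule(accounts: list[Account], today: date, batch_size: int = BATCH_SIZE,
                    interval_days: int = BATCH_INTERVAL_DAYS) -> dict[str, date]:
    """Map each stale account to the date its password is forced to expire: sensitive roles
    first, then oldest passwords; at most batch_size users share one expiry date."""
    stale = [a for a in accounts if needs_rotation(a, today)]
    stale.sort(key=lambda a: (not a.sensitive, -password_age_days(a, today)))
    return {a.username: today + timedelta(days=(i // batch_size) * interval_days)
            for i, a in enumerate(stale)}

def meets_strong_rule(password: str, dictionary: set[str]) -> bool:
    """The memo's rule: at least one digit or punctuation symbol, and not a dictionary word."""
    has_symbol = any(c.isdigit() or c in string.punctuation for c in password)
    return has_symbol and password.lower() not in dictionary

# Constructed sample accounts; "today" is the memo's date.
TODAY = date(2003, 10, 23)
SAMPLE_ACCOUNTS = [
    Account("principal1", None, sensitive=True),
    Account("teacher1", date(2001, 5, 1)),
    Account("teacher2", None),
    Account("teacher3", date(2003, 9, 1)),                # 52 days old: compliant, untouched
    Account("secretary1", date(2003, 1, 15), sensitive=True),
]
```

Calling phased_schedule(SAMPLE_ACCOUNTS, TODAY) puts principal1 and secretary1 in the first batch and the two never-changed teacher accounts a week later.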

Anticipated Outcomes:

As passwords are, in almost every case at DPS, the only identifying piece of information a user presents to log on to an information system, their security is of utmost concern. DPS will benefit greatly by improving the security practices involving password usage at DPS. By reducing the risk of compromised passwords, the chances of unauthorized access and computer misuse are significantly reduced.
