As the centralized point of access to organizational information, your Intranet portal may also represent a security risk. This is especially true if your portal is reachable by employees over the Internet. If your Intranet authentication is tied to your Active Directory or LDAP, put policies in place that require employees to change their passwords periodically. In addition, encourage (or require) employees to use “strong” passwords made up of a combination of letters, numbers, symbols and mixed case.
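The composition rule described above (letters, numbers, symbols, mixed case) is easy to turn into an automated check that can run when a user picks a new password. The following script is an added example, not code from the original post; the minimum length and the small common-password deny list are assumptions of the example, since the text names only the character mix.

```python
import re

# Constructed deny list of passwords commonly seen in breach data (sample only;
# a real deployment would load a large published list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}

# Assumed policy value: the post specifies character classes but no length.
MIN_LENGTH = 12


def check_password_policy(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the policy rules the password violates (empty list == compliant)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    # Character-class rules alone would accept "P@ssw0rd"-style strings that
    # appear on every guess list, so a deny-list check is applied as well.
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password deny list")
    return failures


def audit_candidates(candidates: dict[str, str]) -> dict[str, list[str]]:
    """Evaluate a mapping of account -> proposed password; returns failures per account."""
    return {account: check_password_policy(pw) for account, pw in candidates.items()}


if __name__ == "__main__":
    # Constructed sample: one account choosing the password from the Hotmail story.
    sample = {"alice": "123456", "bob": "Tr0ub4dor&3x!Qz"}
    for account, failures in audit_candidates(sample).items():
        print(account, "OK" if not failures else "; ".join(failures))
```

The deny-list rule matters as much as the character-class rules: a password can satisfy every composition requirement and still be one of the first few guesses an attacker tries, so the check refuses known-common values regardless of their mix.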
Unfortunately, according to Wired Magazine, the most common password successfully used in a recent Hotmail attack was “123456”. Yes, that’s correct: virtually the same password used by Mel Brooks in Spaceballs to secure his luggage.
As an Intranet professional, it’s important that your employee communications focus on educating employees about frequent password changes, password strength, and how to identify and avoid password phishing scams. The Journal of Accountancy provides a good analysis of different types of passwords and how easily each can be compromised, as well as a five-step process you can follow to assess the password strength of your existing applications.
1. Start by developing a full understanding of how your computer system stores passwords.
2. Determine whether your encryption method is powerful enough to safeguard your system, and ensure users choose passwords wisely.
3. If your analysis reveals that your password security is inadequate, begin your search for improvements at the lower end of the cost spectrum.
4. If your assessment reveals that you need an entirely new password management system, look for “yes” answers to each of the four questions the article poses when you evaluate products.
5. Regardless of how confident you are in the accuracy and completeness of your security assessment and any remedial solutions you may choose, consider conducting a penetration test.
Source: Journal of Accountancy, July 2009.
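Steps 1 and 2 of the process above hinge on how the system stores passwords and whether that scheme is strong enough. The script below is an added example, not the article’s or the post’s own code, and the account names and passwords in it are constructed. It contrasts the weak pattern an assessment commonly finds (one fast, unsalted hash per password, so every account with the same password stores the identical value) with a salted, iterated scheme, and shows a simple check an assessor can run over stored records: counting accounts whose stored value matches another account’s. The storage string format is this example’s own choice.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of accounts and their chosen passwords. In a real
# assessment you would inspect how the live system persists credentials.
SAMPLE_ACCOUNTS = {"alice": "123456", "bob": "123456", "carol": "Tr0ub4dor&3x!Qz"}


def store_unsalted_md5(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Equal passwords give equal digests,
    and the digest of a common password can be looked up directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = 600_000) -> str:
    """Stronger scheme: per-account random salt plus a slow, iterated hash.
    The 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' format is our own."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_hash_accounts(records: dict[str, str]) -> int:
    """Number of accounts whose stored value is identical to another account's.
    With unsalted hashes this reveals password reuse directly from the table;
    with per-account salts it is 0 even when the passwords are identical."""
    counts = Counter(records.values())
    return sum(1 for value in records.values() if counts[value] > 1)


def assess_storage() -> dict[str, int]:
    """Store the sample accounts under both schemes and report shared values.
    A low iteration count is used here to keep the demo quick; production
    deployments use a far higher one."""
    weak = {u: store_unsalted_md5(p) for u, p in SAMPLE_ACCOUNTS.items()}
    strong = {u: store_pbkdf2(p, iterations=10_000) for u, p in SAMPLE_ACCOUNTS.items()}
    return {
        "unsalted_md5": shared_hash_accounts(weak),
        "pbkdf2": shared_hash_accounts(strong),
    }


if __name__ == "__main__":
    print(assess_storage())
    record = store_pbkdf2("Tr0ub4dor&3x!Qz", iterations=10_000)
    print(record)
    print("login ok:", verify_pbkdf2("Tr0ub4dor&3x!Qz", record))
```

Running `assess_storage()` on the constructed sample reports two accounts sharing a value under the unsalted scheme and none under PBKDF2. If your own password table shows many identical stored values, that alone tells you both that the storage scheme is unsalted (step 1) and that users are choosing the same weak passwords (step 2), before any guessing is attempted.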
If you haven’t run a recent campaign reminding employees of their responsibility to keep corporate information secure, now might be a good time to put one together and teach your employees how to avoid weak passwords and phishing scams.