Introducing Physical Security 395
One of the most basic controls that can protect physical interaction with a device,
system, or facility is the use of passwords. Passwords can protect a system from being
physically accessed or from being used to access a network.
Passwords and Physical Security
Passwords are perhaps one of the best primary lines of defense for an environment.
Although not commonly thought of as a protective measure for physical intrusions, they do
indeed fulfill this purpose. However, the downside is that unless passwords are carefully
and thoughtfully implemented they tend to be somewhat weak, offering protection against
only the casual intruder. Organizations have learned, as you saw in our system hacking
exploration, that passwords can be easily circumvented and must be managed in order to
avoid problems.
Working with Passwords
Experience has shown that users of systems tend to do the following:
■ 90 percent of respondents reported having passwords that were dictionary words or
proper names.
■ 47 percent used their own name, the name of a spouse, or a pet’s name as their
password.
■ Only 9 percent actually remembered to use cryptographically strong passwords.
Companies and organizations of all types have had to enforce strong password policies
and management guidelines in order to thwart some of the more common and dangerous
attacks. As we saw earlier in this book, passwords should always be complex and well
managed; the components of a good password policy include:
■ No personal information in passwords.
■ Avoiding passwords that are less than eight characters. In fact, the standard nowadays
is moving toward 12 characters and longer.
■ Regular password change intervals—for example, every 90 days a password will be
changed.
■ Enforce complex passwords that include upper- and lowercase letters as well as numbers
and special characters.
■ Limit logon attempts to a specific number before an account is locked.
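The policy components listed above can be turned into an enforceable check. The following Python is an added example, not code from the study guide; it encodes the length, complexity, personal-information, change-interval and lockout rules, and the lockout threshold of five attempts is an assumed value because the text gives no number.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 8              # floor given in the text
RECOMMENDED_LENGTH = 12     # where the text says the standard is heading
CHANGE_INTERVAL_DAYS = 90   # rotation interval given in the text
MAX_FAILED_ATTEMPTS = 5     # lockout threshold: assumed, the text names no number

# Character classes a complex password must contain
REQUIRED_CLASSES = (
    ("uppercase", r"[A-Z]"),
    ("lowercase", r"[a-z]"),
    ("digit", r"[0-9]"),
    ("special character", r"[^A-Za-z0-9]"),
)


def check_password(password: str, personal_info: tuple[str, ...] = ()) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length below {MIN_LENGTH}")
    elif len(password) < RECOMMENDED_LENGTH:
        problems.append(f"length below recommended {RECOMMENDED_LENGTH}")
    for name, pattern in REQUIRED_CLASSES:
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    lowered = password.lower()
    for item in personal_info:  # names, spouse, pet: the "no personal information" rule
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems


def change_due(last_changed: date, today: date) -> bool:
    """True once the password is CHANGE_INTERVAL_DAYS old or older."""
    return today - last_changed >= timedelta(days=CHANGE_INTERVAL_DAYS)


@dataclass
class Account:
    """Counts failed logons and locks after MAX_FAILED_ATTEMPTS (the lockout rule)."""
    failed: int = 0
    locked: bool = False

    def record_logon(self, success: bool) -> bool:
        """Apply one logon result; return True if the account is now locked."""
        if self.locked:
            return True
        if success:
            self.failed = 0          # a good logon resets the counter
        else:
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_ATTEMPTS
        return self.locked
```

Running `check_password("Fluffy2024!", personal_info=("Alice", "Fluffy"))` flags both the 11-character length and the embedded pet name, which is exactly the kind of password the survey figures above describe.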