AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY
Wednesday, April 14, 2010
A Boston Globe Article Ignites a Password Controversy - Why We Need Them, How to Make Them Effective
The article by Mark Pothier in the Sunday Boston Globe entitled “Please Do Not Change Your Password” has caused some controversy among IT staff members, security managers, and technology users. The article makes a compelling argument that the costs associated with frequent password changes outweigh the costs of the security breaches caused by weak or static passwords. Although a position on either side of this debate may be supportable, the reality is that there are a number of standards that organizations (your employer, for example) must follow:
- Periodic (90 days typically) password changes
- Minimum length and complexity of passwords (typically at least 8 characters mixing letters and numbers, often with special characters)
- Password History (users can’t select the previous password as the new one and thereby permanently rotate two passwords)
The above three password policy items are required by standards set by the Payment Card Industry (PCI), the federal government, and others. Customers and partners may require your employer to observe these as well as additional password policies. Your IT department is likely to augment these standards with recommendations from product configuration guides, general security best practices, and other security guidance from a variety of sources. The result is that you will likely need to manage several or many different sets of authentication credentials with varying schedules for password changes. You might also find that different systems have different password requirements; for example, some require special characters (other than letters and numbers) while others will only allow letters and numbers. As a user trying to get your job done with the fewest distractions, how do you manage this?
- Choose Passwords That Are Easy To Remember And Hard To Guess - You hear this all of the time, but how do you do it? The easiest way is to think of a phrase that means something to you, then take the first letter of each word to create a seemingly random series of letters. If the phrase includes a number, that is even better. As an example, consider the phrase “my first car was a 1969 Chevelle”. The password becomes mfcwa1969C. This is a 10-character password with both upper and lower case letters as well as numbers. If you need special characters, you could put an exclamation point at the end. Of course, if your ’69 Chevelle was the most important thing in your life and all of your friends and coworkers know it, someone might be able to work out your password, so you would choose a less public phrase (and avoid well-known quotations, which cracking dictionaries already contain in abbreviated form), but you should get the point.
- Find A Method For Managing Multiple Login Credentials - You should not use the same password everywhere, but even a small number of easy-to-remember passwords can become overwhelming. Therefore, use the password selected above as the “base” and apply a prefix or suffix that identifies the system on which it is used. For example, your network password might become Nmfcwa1969C, your customer account management system password Cmfcwa1969C, and your bank account password Bmfcwa1969C. Note that these examples are all for systems that require high security. For low-security systems, such as basic website memberships (you should determine the importance and criticality yourself), use a different method for selecting those passwords or a different base password. There are a number of ways that basic website membership and similar passwords can be compromised, and anyone who sees one password built this way can read off the base and guess the rest of the set, so you don’t want to reveal information that would allow someone to construct a short list which might include your network or online banking password.
- Find A Method For Managing Periodic Password Changes - The above methods are great for managing multiple passwords that rarely or never change, but what about those that must be changed quarterly or monthly? You could modify your password selection phrase to “my second car was a…” or “my next car will be a…” or similar, and this technique may work well for you, but it is just as likely to become troublesome after a few password changes, especially if the changes for the different systems do not occur at the same time. An easy way around this problem is to add a prefix or suffix associated with the current quarter or month. So, your network password might become Nmfcwa1969C-2 (2nd quarter of this year) or Nmfcwa1969C-04 (April). It is a valid objection that this circumvents the password change and password history constraints by effectively reusing the same password with an easy-to-guess prefix or suffix, and you should be clear-eyed about how much it buys you. It still causes some difficulties for the attacker. First, an offline attack that takes months to recover the password yields one that has already expired. Second, the attacker has to recognize the pattern, which probably requires seeing several (likely successive) passwords rather than one. Finally, the suffix forces automated cracking attempts to try a longer list of candidates, though only modestly so: once one password in the scheme is known, a dozen month values or four quarter values per system is a small number of guesses. The point is to keep the password management easy for you, while making it at least somewhat harder for unauthorized individuals.
- In Defense Of Post-It Notes - Writing passwords on paper is considered a major security faux pas because it makes the password visible to anyone. However, the practice is not disallowed by most government or industry security standards, although it is disallowed by typical “best practices,” and when the practice is discovered it is listed as a finding in security audits. In actuality, written passwords, even those on post-it notes attached to a user’s monitor, are visible only to those with physical access to that user’s work area. That may be a much lower risk than a trivial password that any of millions of Internet users could guess. No one would seriously suggest that users keep passwords in plain view, but a written list of passwords, secured in a locked desk or cabinet or kept in the user’s pocket, may be a reasonable and secure way for a user to overcome the difficulties of managing multiple and changing passwords. A hard copy that is guarded as well as, say, the user’s cash or bank cards is certainly more secure than trivial passwords, or than another common practice where users list passwords in an unprotected electronic file on their workstation.
- Two-Factor Authentication - There are other authentication methods that offer increased security and can be used throughout much of an organization’s environment, such as various two-factor authentication systems. Some of these methods in effect change the password every 30-60 seconds by generating a one-time code, thwarting many types of attacks, including replay of a captured or phished password. These systems must be installed and maintained by the organization’s IT department, so this subject is best explored in a separate article.
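The scheme laid out in the three bullets above (phrase initials as a base, a one-letter system prefix, a month or quarter suffix) is small enough to write down exactly, which also makes it easy to check the objection the text raises. The following is an added example, not code from the article or from Akibia: it derives the passwords shown in the text, checks them against the three-part policy, and then takes the attacker’s view by listing every password the same scheme would produce for the other systems and periods once a single one is known. The system labels and one-letter prefixes, and the two-digit month / one-digit quarter suffix formats, are assumptions chosen to match the text’s examples.

```python
"""Added example (not from the original article): the phrase-initials
password scheme, a policy check, and the attacker's side of the
objection raised in the text: how many guesses one leaked password
leaves for the rest of the set."""
import re

# System labels and one-letter prefixes are assumptions for this example;
# the article only shows N (network), C (customer system) and B (bank).
SYSTEM_PREFIX = {"network": "N", "crm": "C", "bank": "B"}
MONTHS = [f"{m:02d}" for m in range(1, 13)]   # "01" .. "12", as in -04
QUARTERS = [str(q) for q in range(1, 5)]       # "1" .. "4", as in -2


def base_from_phrase(phrase):
    """First letter of each word; a word made only of digits is kept whole.
    'my first car was a 1969 Chevelle' -> 'mfcwa1969C'"""
    parts = []
    for word in phrase.split():
        word = re.sub(r"[^0-9A-Za-z]", "", word)   # drop punctuation
        if not word:
            continue
        parts.append(word if word.isdigit() else word[0])
    return "".join(parts)


def derive(phrase, system, period=None, special=""):
    """Password for one system and, optionally, one change period.
    derive(phrase, 'network', period='04') -> 'Nmfcwa1969C-04'"""
    pw = SYSTEM_PREFIX[system] + base_from_phrase(phrase) + special
    if period is not None:
        pw += "-" + period
    return pw


def meets_policy(pw, min_len=8, require_special=False):
    """Length plus mixed character classes; special character optional,
    since the text notes some systems forbid them."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    ok = len(pw) >= min_len and has_lower and has_upper and has_digit
    return ok and (has_special or not require_special)


def candidates_from_leak(leaked, prefixes=tuple(SYSTEM_PREFIX.values())):
    """Attacker's view: from one password in this scheme, every password
    the same person is likely using on the other systems, now or next
    period. The period suffix adds only 16 extra guesses per system."""
    m = re.fullmatch(r"([A-Z])(.+?)(?:-(\d{1,2}))?", leaked)
    if m is None:
        return set()
    _prefix, core, _period = m.groups()
    periods = [None] + MONTHS + QUARTERS
    guesses = set()
    for p in prefixes:
        for period in periods:
            guesses.add(p + core + ("" if period is None else "-" + period))
    return guesses


if __name__ == "__main__":
    phrase = "my first car was a 1969 Chevelle"
    net = derive(phrase, "network", period="04")
    print(net, "meets policy:", meets_policy(net))
    leaked_set = candidates_from_leak(net)
    print(len(leaked_set), "guesses cover every system and every period")
```

Run stand-alone, the script prints the April network password from the text and then the size of the guess list an attacker would build from it: three systems times seventeen suffix variants, or 51 guesses, which is why the text advises keeping low-value accounts off this base entirely.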
Hacking Primer – How To Compromise User Accounts
How do bad guys compromise your account anyway? There are a number of methods, and their success and value may be affected by the password policies described above:
- Guess the user’s password - After determining the user’s username, a hacker might try trivial or common passwords, then move on to more sophisticated techniques. The “dictionary” attack is very common: a list of possible passwords is developed and then tested against the system itself, or against a file of password hashes (one-way scrambled versions of the real passwords) obtained using some other technique. For example, a hacker might build the list from information gathered about a particular user – important dates, children’s names, hobbies, etc. – and vary it with common tweaks such as appended years or exclamation points. Against the live system, account lockout and rate limits slow this down; against a stolen hash file nothing does, which is where length and complexity matter most. Using complex, non-personal passwords makes this method far less effective.
- Find a system with a trivial or default password - You would be surprised how often systems have a username/password combination that is either the vendor’s default or trivial. Once access is gained to that system, other users’ credentials can be found or derived using various techniques (stored hashes, saved passwords, and so on), although complex passwords are difficult to recover this way.
- Ask users for their credentials - This can be done through “phishing” emails, telephone calls, or even direct contact (in person). Various “scams” are used to get users to reveal their credentials. Obviously, complex passwords won’t thwart this type of attack, but a password that is changed periodically at least denies long-term access to the account.
- Capture the password as it is transmitted on the network - This can be done by reading the data on a network device, a workstation, or a server, or by directing the user to a hacker-owned or controlled server which impersonates a trusted one. Complex passwords won’t prevent this type of attack, and the hacker may be able to repeat it following a password change; only encrypting the connection and verifying the server you are talking to do. However, the attack does require additional effort and sophistication on the part of the hacker.
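The first two items above (a dictionary attack against a stolen hash file, seeded with facts about the user plus vendor defaults) can be shown concretely. The following is an added example, not code from the article or from Akibia: it builds a small, constructed “hash file” for three users, generates a per-user candidate list from a constructed profile (names, years, hobbies) and a short list of common and default passwords, applies the usual mangling rules, and reports who falls. Unsalted SHA-256 stands in for whatever hash the target actually used; the users, profiles and passwords are all made up for the example.

```python
"""Added example (not from the original article): a targeted dictionary
attack against a hash file, with the wordlist built from facts about
each user plus common/default passwords. All data here is constructed."""
import hashlib

# Vendor defaults and common passwords; tried first for every user.
COMMON = ["password", "Password1", "123456", "admin", "changeme",
          "letmein", "welcome"]

# Facts an attacker might collect about each user (constructed).
PROFILES = {
    "alice": {"words": ["fluffy", "emma"],     "years": ["2004", "1981"]},
    "bob":   {"words": ["golf", "tiger"],      "years": ["1975"]},
    "carol": {"words": ["chevelle", "randy"],  "years": ["1969"]},
}


def h(pw):
    """Unsalted SHA-256, standing in for whatever the leaked file uses."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed "hash file": carol uses the article's phrase-initials
# password with a special character; the other two are guessable.
HASH_FILE = {
    "alice": h("fluffy2004"),
    "bob":   h("Password1"),
    "carol": h("mfcwa1969C!"),
}


def mangle(words, years):
    """Classic mangling rules: case variants, trailing digits or
    punctuation, a year appended or prepended, two-digit year."""
    for w in words:
        for form in (w, w.capitalize(), w.upper()):
            yield form
            yield form + "1"
            yield form + "123"
            yield form + "!"
            for y in years:
                yield form + y
                yield form + y + "!"
                yield y + form
                yield form + y[-2:]


def candidates_for(user):
    """Ordered, de-duplicated guess list: common passwords first, then
    everything derived from what we know about this user."""
    prof = PROFILES.get(user, {"words": [], "years": []})
    return list(dict.fromkeys(COMMON + list(mangle(prof["words"], prof["years"]))))


def crack(hash_file):
    """Try each user's candidates against that user's hash. Returns the
    recovered passwords and the number of guesses each one took."""
    cracked, effort = {}, {}
    for user, digest in hash_file.items():
        for n, guess in enumerate(candidates_for(user), start=1):
            if h(guess) == digest:
                cracked[user] = guess
                effort[user] = n
                break
    return cracked, effort


if __name__ == "__main__":
    found, tries = crack(HASH_FILE)
    for user in HASH_FILE:
        if user in found:
            print(f"{user}: {found[user]!r} after {tries[user]} guesses")
        else:
            print(f"{user}: not found in {len(candidates_for(user))} guesses")
```

Run stand-alone, it recovers alice’s pet-plus-year password and bob’s common password within a dozen guesses each, while carol’s phrase-initials password survives the whole list even though her car and its year are in her profile. Two practical notes: real password stores should use a salted, deliberately slow hash (bcrypt or similar) so that each guess costs far more than one SHA-256, and none of this applies to online guessing against the live system, where lockout thresholds end the attempt after a handful of tries.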
The Bottom Line
You will have to observe password policies, and this is likely to involve managing multiple sets of credentials and changing them periodically. You will not want to use the same password or password scheme on all accounts. Therefore, think about the criticality of what you are trying to protect and consider whether there are other ways the password might be compromised. For example, some web site memberships will email your actual password to you for various reasons, which means that system stores it in readable form. Don’t use the same password or password “base” as described above for these accounts. Find a way to make the management of your user credentials easy for you, while making it hard for others to compromise your accounts. Remember, you only need to make it hard enough that the hacker gives up on your account and moves on.
- By Disk Recovery 05/14/2010
it is common practice for the system to email your actual password to you for various reasons.
- By Michael Bohrer 05/28/2010
One important factor to take into account is the importance of each password-protected account. A bank or PayPal account is generally more important than, say, a forum account. That can factor into the choice of password, the length and complexity of the password, the frequency with which it is changed, and the number of other protective measures put with it.
You might set up two-factor authentication for a bank account and never, ever write down its password. But a forum account really doesn’t need two-factor authentication, writing it down isn’t that bad, etc. Besides, who would hack a forum account anyway when they can register for free?
For people with large numbers of various password-protected accounts, changing them all periodically might be an annoyance or even a large timesuck. Once again, perhaps only the accounts for which security is absolutely vital should get such a treatment.
On the subject of using secure and easy-to-remember passwords, there is NOTHING worse than having a weak password. Never use the default, never make the password the same as the username, and never use chronological numbers (12345…).
Lastly, Randy is right about the Post-It notes. The only people who will see them are people who regularly enter your cubicle/office/etc and get a front view of your computer or desk. If the password is written alone on the Post-It, without mention of a username or the site where the password is used, that’s even better. And if you are truly paranoid, you can put the password within a message disguised as a note to yourself. For example, if your password is ‘salmon’ (which is a weak password), the Post-It could say ‘Get salmon at grocery store’ or something.
