In a world where a sizable part of any company’s assets, or the management of them, resides in a computer system, it is more than sensible to expect those systems to be as well protected as possible. In most cases all of that protection hinges on a number of words, one for each person accessing the system. Naturally, various strategies and policies have been created during the computer age to keep these words as safe as possible. I am, of course, talking about the password.
Security has always been a tricky thing and password policy has been especially taxing for a long time. The biggest problem is that policies intended to strengthen a company’s security sometimes end up weakening it; this has never been truer than in the history of passwords.
Frequency of Forced Password Change
A common password protection policy is to have the user change his password on a periodic rotation. It can be as short as 30 days; some employ a longer timeframe of 180 days, and most settle in the middle with 90 days. The idea behind this policy is that if someone compromises the password, his access is limited to that timeframe, until the password is changed. Furthermore, a brute force attack that is trying to be stealthy (attempting only a few passwords a day so as not to lock the account, rather than as many as possible) will have its run invalidated after the password changes, since the new password might be a combination it has already tried.
The intention here is obviously good; however, it is dangerous because of its unintended consequences. If the user has no complexity rules he is quite likely to choose an easy password, because it is difficult to come up with a new password every time. If he does have complexity rules preventing him from creating easy to remember passwords, then he will write it down, and possibly attach it to the monitor for everyone to see. The best you can hope for at this point is that the user still has a small sense of security left in him, in which case he might tape the password to the bottom of his keyboard, but that’s it. When forced to come up with and remember a new complex password periodically, you can bet that he will write it down somewhere. Furthermore, in some cases people still try to stick to the same password and get around restrictions such as not being able to reuse the last 6 passwords by adding a sequential number after the same old password and simply adding 1 to it each time they’re forced to change the password.
Complex Password Policy
Another common policy is to enforce password complexity: for example, a password must be at least 8 characters long and contain both upper and lower case letters as well as numbers. The idea is to make the life of a brute force attacker difficult by ensuring that many combinations need to be tried.
The risk here is that users who find it hard to remember what they created end up writing it down, or using a “complex” password that is so common it is like having no password at all, such as “P4ssword”.
IT generates password for users
One thing you can always count on from users is that they will come up with a password that is a lot easier than you intended. Force users to create a password that has both letters and digits and lower case and upper case, and you can be sure more than one will come up with “P4ssword” or a variation of it. Another thing you can be sure of is that such a password and all of its variations are in many, if not all, password cracking dictionaries.
To mitigate this problem some companies do not allow users to create their own passwords; instead the IT department generates one for them.
The generated password will surely be strong; however, it is likely to be impossible to remember, especially since the user has nothing to relate it to. Being unable to remember it, the user is all but forced to write it down, making the strong password useless.
Every single system has its own password
The idea here is very straightforward. If one password is compromised the rest of the systems are still secure because they have a different password.
The idea is great; however, it’s already hard to have a user create one or two strong passwords that he needs to remember. The more passwords you force him to create and remember, the more likely he is to make them easy to remember. In the worst cases they will be small variations of the same easy to remember password.
What should one do?
How can one tackle this scenario? Should we ignore all the security recommendations? Are they useless? Obviously the answer is no. However, it is important to find a good balance. Policy that frustrates the user is more likely to be ignored than policy which doesn’t inconvenience him much. Ultimately it all boils down to personal choice and finding the right balance. It can also boil down to shifting some of the risk from the password itself to the infrastructure or to procedures such as monitoring.
Below are some suggestions:
Personally I would not go with a short password change timeframe; I would set it to at least 180 days. I would then mitigate the extra risk this generates with better monitoring: tracking each successful connection that doesn’t originate from the usual/allowed IP addresses, as well as successful logins outside of work hours, and taking proactive action when this happens.
Passwords need to be complex. I would not, however, just put in a complexity policy and leave it at that. I would also include a little education with it. It can be just a guideline document or, better still, a small one-to-one talk with someone from IT who explains what the policy is about and, more importantly, gives some tips and tricks to new employees as part of their orientation. Tips and tricks are discussed further on in this article.
Password generated by IT for users
I would definitely avoid this. Having passwords generated by IT will result in complex passwords that are impossible for the user to remember. The desired strength benefit will be far outweighed by the added risk of having the password written down, possibly in plain sight.
I would also recommend that, as much as possible, there should be a few or even one unified authentication system. The biggest benefit is that a single system is easier to implement and test, so one can ensure that it is well implemented and robust. Secondly, it is by far better to have one password that is strong than multiple weak passwords. I would also stress again the importance of monitoring: action should be taken immediately when a breach happens. This, however, is a personal choice. Having one authentication system with only one password means that anyone breaching the system will have access to everything. That being said, it is quite likely that someone who has breached one system will quickly breach more, so it might be an acceptable risk.
One might have the strongest password in the world, but if it is not well protected it will effectively become weaker than the easiest of passwords. Users must be taught how to take care of their passwords: never write them down; never use them over a wireless connection that isn’t properly secured and under the control of the company or of the user; never use the password inside an internet café; and never store it in a file on your computer or mobile phone.
Tips and Tricks
The biggest enemy of a strong password is always the difficulty of remembering it. This, however, can be mitigated if the password is created the right way. There are various tricks to achieve this. The easiest is to use a phrase, substitute a letter with a number, and then add a fixed amount to each number to break the leet speak pattern.
Step by step example:
- Select a phrase: DoNotAccessMyData
- Change o to 0: D0N0tAccessMyData
- Add 1 to the digits: D1N1tAccessMyData
Only one letter-to-digit conversion was performed, to keep the example simple.
There are more advanced tricks as well, such as selecting a phrase, using the first letter of each word as the password, alternating the case of those letters, changing letters to digits and then adding a fixed amount to each digit. Example:
- Select a phrase of at least 8 words: My Computer Is Secure If I Use This Password And Do Not Write It Down
- This gets converted to: McIsIiUtPaDnWiD
- Changing I to 1 and s to 2: Mc1211UtPaDnW1D
- Adding 1 to remove the leet speak pattern: Mc2322UtPaDnW2D
This is a little harder to remember, but it is practically impossible to guess and leaves a brute force attack with a very large number of combinations.
Some things you should not do if you want a strong password:
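The two recipes above written out as a script, as an added example and not code from the article. The keyspace_bits helper is an addition that puts a number on the “lots of combinations” claim; it assumes a naive brute force over the character classes present, which is an upper bound since dictionary and pattern attacks do far better.

```python
import math
import string

# Added example, not code from the original article: letter-to-digit
# substitution followed by a fixed shift of each digit, with an optional
# first-letters-of-each-word step, plus a crude brute-force keyspace estimate.

def acronym_alternating_case(phrase: str) -> str:
    """First letter of each word, alternating Upper/lower, starting with upper."""
    initials = [word[0] for word in phrase.split()]
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(initials))

def substitute_letters(text: str, mapping: dict) -> str:
    """Replace letters with digits case-insensitively, e.g. {'o': '0'}."""
    table = {k.lower(): v for k, v in mapping.items()}
    return "".join(table.get(c.lower(), c) for c in text)

def shift_digits(text: str, offset: int) -> str:
    """Add a fixed offset (mod 10) to every digit, breaking the leet speak pattern."""
    return "".join(str((int(c) + offset) % 10) if c.isdigit() else c for c in text)

def make_password(phrase: str, mapping: dict, offset: int, acronym: bool = False) -> str:
    """Run the full recipe; acronym=True selects the first-letters variant."""
    base = acronym_alternating_case(phrase) if acronym else phrase
    return shift_digits(substitute_letters(base, mapping), offset)

def keyspace_bits(password: str) -> float:
    """log2 of the search space implied by length and the character classes used.
    Naive brute force only: dictionary and pattern attacks need far less work."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(alphabet or 1)

if __name__ == "__main__":
    simple = make_password("DoNotAccessMyData", {"o": "0"}, 1)
    phrase = "My Computer Is Secure If I Use This Password And Do Not Write It Down"
    advanced = make_password(phrase, {"i": "1", "s": "2"}, 1, acronym=True)
    print(simple, round(keyspace_bits(simple), 1))
    print(advanced, round(keyspace_bits(advanced), 1))
```

Note that “P4ssword” scores about 48 bits by this estimate yet is in every cracking dictionary, which is exactly the gap the article warns about.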
- Never use a password from an example such as the ones above
- Do not simply convert words to leet speak; avoid it as much as possible
- Do not use names as passwords
- Do not use normal words in any language as a password
- Do not use personal information such as a telephone number, spouse’s name, children’s names or even a pet’s name as a password, as these are guessable (even if no one in the universe knows your cat is called Thomas, Thomas is a name that is sure to be found in a hacking dictionary)
- Do not write down the password
No matter how many precautions you take, and even if every user of a system follows every recommendation to the letter, you are always risking that at some point a password will be compromised. There are a lot of ways in which this can happen: interception, social engineering, compromise or exploitation of the authentication mechanism, key loggers and more. The best approach is to assume that one day the system will be compromised and act accordingly. Be sure to put monitors in place to detect any unauthorized access, be it a login outside working hours or a login from a new, unusual IP address. It is far more desirable to get a false notification than to give a hacker who compromised your system time to gain a foothold on it.
It is also important to consider that the password is only part of the equation. The infrastructure on which the password is used needs to be secure itself. If no one needs outside access to the internal network, then make sure that it is blocked by a firewall. If only a few need access, then explicitly allow access to only their machines. Monitoring the events generated by a machine can indicate that it is under attack. If the same host is repeatedly trying to break in, extra measures can be taken to stop it, and the account can be disabled after a certain number of failed logins.
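The monitoring the article recommends (successful logins from outside the usual addresses, successful logins outside working hours, and repeated failures from one host), as an added example that is not code from the article. The log line format, the “usual” networks, the working hours and the failure threshold are all assumptions made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Added example, not code from the original article. The log format, the
# "usual" networks, the working hours and the failure threshold are assumptions.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\w+)$")
USUAL_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]  # constructed
WORK_HOURS = range(8, 18)  # 08:00 to 17:59 on weekdays (assumed)
FAIL_THRESHOLD = 5         # failures from one host before raising a lockout alert

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def analyse(lines):
    """Return (alert_type, user, ip) tuples for the signals the article says to watch."""
    alerts, failures = [], Counter()
    for ev in filter(None, map(parse, lines)):
        src = ip_address(ev["ip"])
        if ev["result"] == "success":
            if not any(src in net for net in USUAL_NETS):
                alerts.append(("unusual_source", ev["user"], ev["ip"]))
            if ev["ts"].weekday() >= 5 or ev["ts"].hour not in WORK_HOURS:
                alerts.append(("off_hours", ev["user"], ev["ip"]))
        else:
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == FAIL_THRESHOLD:  # alert once, when the threshold is hit
                alerts.append(("repeated_failures", ev["user"], ev["ip"]))
    return alerts

# Constructed sample log: 2024-03-12 is a Tuesday.
SAMPLE_LOG = """\
2024-03-12T09:15:02 user=alice src=10.1.2.3 result=success
2024-03-12T23:40:11 user=alice src=10.1.2.3 result=success
2024-03-12T10:02:45 user=bob src=198.51.100.7 result=success
2024-03-12T10:03:01 user=carol src=192.0.2.9 result=failure
2024-03-12T10:03:09 user=dave src=192.0.2.9 result=failure
2024-03-12T10:03:17 user=erin src=192.0.2.9 result=failure
2024-03-12T10:03:25 user=frank src=192.0.2.9 result=failure
2024-03-12T10:03:33 user=grace src=192.0.2.9 result=failure
"""
```

Running analyse(SAMPLE_LOG.splitlines()) yields one off-hours alert for alice, one unusual-source alert for bob, and one repeated-failures alert for 192.0.2.9 once its fifth failure arrives; the in-hours login from the usual network raises nothing.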