I have stated many times in this blog and in my book, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email", that a security policy with strong password protection is essential to good Netiquette. You can equate this to protecting someone or something in your care. The article below is a good refresher for anyone thinking through their password policy.
================================================
Practical IT: Passwords 101 for businesses
From Sophos
by Ross McKerchar on August 17, 2012
===============================================
The human element is often referred to as the weakest link in a secure system. Time and time again studies have demonstrated that we are not good at choosing passwords, nor can we keep them secret.
It’s tempting to give up on passwords entirely. Assuming your users' passwords are always compromised is certainly a sensible starting point. Ensuring that high-value, high-risk assets are protected by more than just a password is no longer just strongly recommended, it’s essential.
Despite this, regular initiatives to shore up password strength are unlikely to be wasted time. Maybe your finance app is well protected but you allow users remote access to a password-protected web-based email portal. If so, don’t underestimate the value of an email account to an attacker. Even a low-privileged employee’s account is a great place to learn more about a company and launch a plausible social engineering attack.
Similarly, authenticated staff-only apps are rarely tested as well as the public ones. Once an attacker has a foot in the door, privilege escalation is often trivial. That low-value, password-protected web app could be used as the entry point for a larger, more serious compromise.
The starting point
It isn’t a password policy, nor is it user education. As one of the most visible, user-impacting aspects of information security, passwords are something everyone has an opinion on. The starting point is to don your hard hat, get your facts right and set aside a good chunk of time to handle the inevitable debate. Don’t expect people to thank you either – you’re not going to be very popular for a while.
Hopefully you’ve already got a base password policy for your organisation, so it’s probably wise to review it. If you don't have a policy, prepare one.
This is where the contention starts. Understand that commonly-argued points regarding length, complexity, forced changes, etc. do generally have some merit. The tricky part is balancing them.
The balancing act
Sure, enforcing very long passwords will cause people to write them down, but allowing 3-letter passwords will clearly make them easily guessable.
Likewise, users hate forced changes, but never expiring corporate passwords is a risky approach unless you are very confident they will never be compromised. Be it a phishing attack, a simple mistake (can you honestly say you’ve never typed your password into the wrong window?) or an attacker sniffing the network for weak hashes, there are lots of ways for passwords to end up in the wrong hands. For more in this area, Bruce Schneier’s advice is a good read.
Complexity controls (requiring numbers, punctuation, mIxEd cAsE, etc.) are another perennial discussion point. They have problems, as famously highlighted on xkcd. Humans are also great at gaming them. I guarantee that given any realistic complexity policy you’ll easily be able to create a weak password which passes. But without complexity controls, how do you protect against a trivial dictionary attack? You’ll need to weigh up the risk versus reward for your organisation.
Testing passwords
Although controversial, a solid way of cutting through the debate and assessing which passwords are weak in the real world is to test them with a controlled attack on the hashes. But make sure you have appropriate authorisation to do this! Performing the test safely and securely can be tricky, so it might be a good idea to include it as part of a pentest from a trusted firm. As an added precaution, as soon as the list is generated take steps to keep the cracked password list separate from the associated usernames.
The great thing about this approach is that it will likely use the same common tools and techniques that an actual attacker would employ. Theoretically debating strategies for improving password entropy is one thing, but the reality is an attack will likely involve one of a few known tools. If one of those tools, out of the box, employs a strategy that trivially cracks a password hash then it’s unequivocally and demonstrably weak.
It’s worth noting that, given enough time, you’ll crack every password; limiting the time spent on an attack ensures you’ll get the most value from the result by focusing on the worst cases. Telling someone with a password of” that they need to change it isn’t going to help anyone!
After conducting this exercise, you’ll likely spot some clear recurring problems with passwords, which will really help you with a policy tailored towards your organisation. Every organisation is different, so it’s important to do this yourself.
That said, an almost guaranteed finding is that password length is the most important factor. If you enforce one thing, it should be this.
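The balancing act above argues that people game complexity rules, and the testing exercise concludes that length is the factor that matters most. The Python below is an added example, not code from the Sophos article or from this blog, that puts both points side by side: a typical complexity check, a normalisation step that undoes the usual leet-speak and trailing-digit tricks before looking the password up in a constructed list of common base words, and a naive keyspace estimate showing why a long lowercase passphrase outscores a short "complex" one. The word list, the leet map and the 60-bit threshold are assumptions chosen for illustration, not values from the article.

```python
import math
import string

# Constructed sample of base words any attacker wordlist contains (assumption:
# a real check would load a full wordlist plus the company name, products, etc.).
COMMON_BASE_WORDS = {"password", "welcome", "summer", "letmein", "admin", "company"}

# Simplified leet-speak substitutions users rely on to satisfy complexity rules
# (assumption: a fuller map would also try ambiguous ones such as 1 -> l).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed threshold: below this brute-force keyspace we call the password weak.
MIN_BITS = 60.0


def passes_complexity(pw: str, min_len: int = 8) -> bool:
    """A typical 'complexity' policy: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalise(pw: str) -> str:
    """Undo the usual gaming: lowercase, drop leading/trailing digits and
    punctuation (Summer2012!), then reverse leet substitutions (P@ssw0rd)."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def is_dictionary_derived(pw: str) -> bool:
    """True when the password is just a common word dressed up to pass the rules."""
    return normalise(pw) in COMMON_BASE_WORDS


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to brute-force for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on strength: log2 of the keyspace, i.e. length * log2(alphabet).
    Length multiplies; adding a character class only adds a few bits per position."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def evaluate(pw: str) -> dict:
    """Verdict combining the three checks; 'weak' is what a policy should block."""
    bits = brute_force_bits(pw)
    dictionary = is_dictionary_derived(pw)
    return {
        "passes_complexity": passes_complexity(pw),
        "dictionary_derived": dictionary,
        "brute_force_bits": round(bits, 1),
        "weak": dictionary or bits < MIN_BITS,
    }


if __name__ == "__main__":
    # Constructed samples: the first two satisfy complexity rules yet are weak;
    # the passphrase fails them yet has by far the largest keyspace.
    for sample in ["P@ssw0rd1!", "Summer2012!", "correcthorsebatterystaple", "abc123"]:
        print(f"{sample:28} {evaluate(sample)}")
```

Run as a script it prints one verdict per sample: "P@ssw0rd1!" and "Summer2012!" pass the complexity rule but normalise to dictionary words, while the 25-character lowercase passphrase fails the rule and still has roughly 117 bits of keyspace against about 65 for the ten-character "complex" one. The keyspace figure is deliberately an upper bound; the dictionary check is what catches the realistic failures, which is exactly why the article recommends testing real hashes rather than reasoning about entropy in the abstract.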
Just as important as the actual policy are the associated guidelines. Include links to sensible strategies like Graham’s, below, and provide some examples of bad passwords based on known user behaviour (obviously anonymously and only after they’ve been changed).
============================================
In addition to this blog, I have authored the premier book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ, Rider University and PSG of Mercer County, NJ.
Great Reasons for Purchasing Netiquette IQ
· Get more email opens. Improve 100% or more.
· Receive more responses, interviews, appointments, prospects and sales.
· Be better understood.
· Eliminate indecision.
· Avoid being spammed 100% or more.
· Have recipient finish reading your email content.
· Save time by reducing questions.
· Increase your level of clarity.
· Improve your time management with your email.
· Have quick access to a wealth of relevant email information.
Enjoy most of what you need for email in a single book.
===========================================