Slashdot Mirror
Passwords May Be Weakest Link
blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"
If you know the methods of forced passwords you can write a program around them. All of a sudden not only do you have a ton of passwords that are unnacceptable, you can predict patterns of tricks people will use to fool the force password picker into letting them choose an easy to remember password.
...people will write them down.
Preferrably on post-it notes and stuck to the keyboard or the screen.
I have seen it all.
Sounds like they put a password cracking utility against the NT sam file. The thing is that if your security is done right, you should at least need the Administrator password to access that file, no?
Users are the weakest link. Always has been. The user chose the password.
-- Who is the bigger fool? The fool or the fool who follows him? --
In what way does changing a well-chosen password increase security on a non-compromised system?
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
This is so tech-elitist... "The users are the problem!"
- all-my-users-to-32-char-monthly-passwords bullshit attitude.
Give a look at any paper by Sasse, Brostoff and Adams, such as this one, and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force
The answer is not to forget the human aspect. Find a better way to help users generate better passwords, through education and assistance, not automated password rules, and forced password expiry.
Now "dictionary word" -> "easy to remember" -> "insecure" but that doesn't imply "insecure" -> "easy to remember". Far from it in my opinion.
EnkiduEOT
There is no trap so deadly as the trap you set for yourself
-Raymond Chandler, The Long Goodbye
- A great deal of passwords are simply PASSWORD. Try it, you'll be amazed
- If you know the names of the target's immediate family (and possibly pets), you've just gained 1-5 more possible passwords.
- Many people simply make their passwords 'qqqq' or some chain of identical letters. This is because they don't want to have to bother with remembering a password.
- On a similar note, try QWERTY, ASDFGH, ZXCVBN, etc. Look for strings of letters on the keyboard that fit the minimum password length (typically either 4 or 6.
- If you have access to the target's desk, you've hit pay dirt. The password is likely written down somewhere. It would be nice if most software didn't say write down your password, etc.
Good password creation tips...Mother's maiden name is too obvious. But what about just any random name, or maybe a confirmation name (if you're Catholic)? For example, my confirmation name is Anthony. Here's what we do. We reverse the characters, and it becomes ynohtna. Let's remove the vowels. We get ynhtn. Screw around with case. Make it YnHtN. Then throw some easy to remember chain of numbers in there. For example, the last 4 digits of your phone number (0799 for me.) So it becomes Y0n7H9t9N - a password that would take weeks to bruteforce, and can be remembered fairly easily with a bit of practice.
Also consider biometrics. But the problem with biometric input devices is if your password is cracked, you can't really change it...
I've rigged up a
But hey, if you have your password set to PASSWORD, let me tell you, you're asking for it.
-Evan
You do realize, of course, that passwords are not the weakest link in computer security?
Users are.
No matter how good a password is, it can be compromised *instantly* if someone can use social engineering to either get it from the owner (e.g., "Hey, I need your password to check if this works...") or get the Sysadmin to change it back (e.g., "I am thusandso and I forgot my password, could you reset it for me please? I need to get some work done this evening but cannot log on..."
It's like with home security and a lock on a door. A weak lock can be forced or may even be left unlocked, but even a set of high-quality dead-bolts can fail if someone on the inside opens the door to let the intruder in or decides to leave a set of keys under the mat.
Humans are the weakest link, not passwords.
Integrate Keynote and LaTeX
Single sign-on is a joke. There is no standard for this. There is no single solution to authentication that spans across all platforms. Take, for instance, a vendor of a turn key product, say a web based materials management system. They would probably role their own authentication system because they need authentication but can't rely on their customers to have a particular system in place to interface to for authentication purposes. So in addition to the ten other papsswords I need to remember for all of the other systems with custom authentication, I will need to add one more to my list. Thee solution is the development of a authentication standard that can be applied to future systems and retrofitted in to legacy systems. Kerboros? Seemed good at the time, but why hasn't is caught on more? Tall order? You bet! But how else are you going to solve the problem of having to remember multiple passwords. Most people just go back to remember one or two and use them for all the systems they log in too. Not a good idea, but let's face the truth, almost everyone is doing this and this won't change until a real single sign-on solution is delivered.
-- Knuckle Blood : Official Lube of Team Rusty Nuts.
But this is definitely one of the few areas where NT/2K still scores over (most) Unices (as far as I know, please cluestick me if I'm wrong...) , namely it's trivially easy to enforce finely grained password policies. On NT, it's a case of find the dialog, check the options you want to apply , enter some numbers (length to time to remember old passwords and reject them, how often to force changes), minimum length, whether to force uppercase/ digits / alpha-numericals etc. I've been using Linux, BSD and Solaris for three years professionally, and tinkering at home for several years before that, and I frankly wouldn't know where to start to enforce password policies. (Well, OK, I'd use Google, the LDP, how-tos etc, but you see my point.)
That said, I just installed Mandrkae 8.3 out of curiousity to see what a Windows-friendly distro looks like, and I'm VERY impressed. Bob Young is wrong - IMHO - I think Linux
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Security (for your users, or at least me) is one aspect of an overall goal: getting our jobs done. If someone hacks into my system and trashes all of my files, that will time and energy away from other work. If I have to unlock the safe under my desk, pull out the notebook containing 16-character one-time passwords and punch one in every time I want to check my e-mail, that also will take time and energy from other work.
Remember always to balance the security you use with the value of the secured valuables. For a health-services company the value of the information is (perhaps) much higher than for your average "senior civil servant".
Also, don't put 15 deadbolts on the (virtual) front door while leaving the (virtual) window next to it wide open. I would guess that a lot of organizations have lost more proprietary information by viruses attaching documents to outgoing e-mails than by crackers breaking in.
The point was not accessibility of the password file, but rather it just happened to be a easy method of testing against passwords : The same thing could be done remotely by slamming against an authentication server with username/password combos.
:-]) you can slam a password file several million times a second, you can authenticate against a reasonably configured server maybe three times against an account before the account will be locked out for a prescribed period of time (often permanently until someone in the IT department can figure out if you're just a moron with CAPS LOCKS on and reeneable your account), so such brute force attacks are irrelevant. I wonder if the hooplah about easily guessed password might be more drama than anything else. Admin accounts don't get locked out (the obvious reason being a DOS by continually locking you out of your own machine) so they would still require a very strong password and active security monitoring.
Actually, truth be told they are over dramatising somewhat : Whilst (tribute to the other reply
Is your firm being paid any less due to customer dissatisfaction?
If the answer is no, then you are being abused by your management. They should throw out strong password complaints when evaluating customer satisfaction.
Surely the civil service organization has a policy about the use of strong passwords. I believe all Federal organizations have such a policy, if this is state or local, maybe not, I guess. Not insisting on implementation of policy would possibly be a cause of legal action against your company should there be problems.
I suspect this is a convenient way for your company to hold on to your bonuses.
Depending on who you are, and what context you're in, the answers could be totally different. And depending on that context, the strength of your password may matter a lot, or not at all.
If you're just some schmoe in marketing, with no access to change anything on your personal system, no access to anything on the company network except to alter files in a personal directory on one server, your company's network does not allow remote access, and your building requires a card to get inside and another one to get up the elevator, then the importance of you choosing a strong password is relatively small.
Making people choose strong passwords is a computer based version of a tradition risk-reward scenario. Users are going to hate keeping track of multiple passwords, with mixed case, numbers, special characters, and then throwing it all away and remembering a new one every 60 days. The reward of doing it has to outweigh that risk. Unfortunately I haven't gotten the feeling that either in this article or on many of the people here take into account the relative nature of computer security.
One of the key questions that need to be asked before a password policy is defined and implemented is what are we securing and how valuable is it? How devestating would it be if people got access to it, and how would one go about getting that access? In most of the cases that people have mentioned, the items being secured are potentially not that critical/confidential/valuable and therefore the importance of a strong password is significantly diminished.
Similarly, writing down passwords is more or less of a problem depending on where your threats are coming from, and what that password secures. I am not worried that the root password to my linux box at home is written down and taped to the box itself. Or even that it says "Root Password" right above it. It's securely formatted and difficult to guess, there's not a whole lot of important/critical info on the machine, and my main threat is coming from a random person on the network outside, not from someone specifically targeting me and breaking into my room to read the paper taped to my machine.
Memorizing multiple truly secure passwords on a rotating basis are a pain in the ass. Before you force everyone on your network to do it, sit down for a second, think about how your systems and permissions are set up, and make sure that that pain is truly necessary. If it is, you will have a solid, business based reason why, and will be easily able to explain and convince others of your position. But implementing it because it's what someone told you is the "right" way to secure a system is lazy, and because people won't see the value, they'll shortcut it anyway.
Everyone knows the first part of this. If a password is easy to remember, it is easy to crack. If a password is changed frequently, it is almost impossible to remember. Why are we still using passwords? Passwords rarely catch on in any of the other places we try to use them (car locks, electronic padlocks, electronic house locks, etc.) The few places they have caught on are typically a joke. I recently went to the side door of my sister in law's high security apartment. There were four keys on the entry pad with the numbers worn off. I didn't even bother to call up to her until I had the sequence figured out. Thirty years in trying to lock down systems seems to have taught us nothing. Why aren't we damanding something better, such as USB keys, fingerprint scanners, etc? Whenever I discuss this, there are quite a few who say it is the users fault, that they must be trained to use passwords that are secure, and then everything would be fine. Sure, and if everyone loved each other, there would be no more war. But let's deal with people as they really are, not in some theoretical alternate universe. I'll say it again - thirty years of experience has taught us that passwords do not work. At some point we need to stop trying to start that car and get a new one.
As many others have pointed out, it's between a rock and a hard place. Allow weak passwords and you'll get them. Force strong ones and they'll be written down where anyone can find them (I used to work at a company whose Unix admin wrote down all the root passwords on the bottom of his keyboard wrist rest. Yes, he sucked.)
The forced password changes really piss me off though, especially when combined with long memories of "previous passwords". I use secure, uncrackable passwords for most things, and particularly for work. But when I'm forced to change them every 30 days you can bet I'll run out of things that I can easily remember, especially since I have passwords for work, for home, for email, for websites, my ATM card(s), the company's alarm system, and so forth. Eventually I end up relying on wonderful passwords like "abcdef1" which may as well be an invitation to use my UID.
It really is a catch-22 situation. I suppose SecureID and the like are the "best" solution, but they're nearly as unwieldy for the user as strong passwords. But at least they can't just be written down -- just lost or stolen.
A secure password on a post-it note on someone's monitor is much more secure then an easy password in someone's head if the premesis are secure, and you're worried about external attacks. Someone in another country, or even another building, likely won't be seeing the post-it or the slip of paper in your desk drawer. It depends on the circumstances.
Why have them enter their passwords into the computer? Why not just ask them their logins are, make a list, and then run the crack on what is already there, right in front of them on a projected screen, showing their passwords, or something similar, perhaps not showing an acutal password, but have john_doe pop up when his password cracked, then if the people dont believe it, they can ask you personaly.
"of course, we know that could be a problem, but the users are'nt going to know how to exploit it"
That attitude makes me sick to no end.
I wish I had a penny for every admin that assumed the users knew less than he did, I'd literally melt them all down into a club and bash their skull in.
One thing I learned a long time ago is that there is always someone out there who knows more. Sometimes, it's that quiet kid that doesn't seem to know anything.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
What you say is certainly true, but I want to put a big caveat on it:
It's very difficult to answer the question " what are we securing and how valuable is it?" for a number of reasons. To do that, you need to define what it is you're afraid of losing and how much of it you might lose from a particular attack. Both are very difficult questions, and are often gotten wrong.
Looking at the first, people often underestimate the risk from a security compromise because they're only thinking about the confidentiality (secrecy) of their data. At least as important to consider are integrity and availability, that is whether the system and data remain correct and usable. There are lots of things don't really need to be confidential, but do need to be right. Picture building design specs, for example. They're not secret at all - most of them will become matters of public record - so it doesn't really matter if they get stolen. God help you, though, if they get altered and you don't find out until halfway through construction.
Supposing you can somehow estimate the total VAR (Value At Risk) of your information systems, it's still nigh impossible to figure out what portion of that would be endangered by any particular attack. An apparently minor attack can easily be a stepping stone to a much more serious one. Parlaying limited access - whether aquired legitimately or otherwiss - into greater power is generally called privilege escalation, and it's a common component of attacks. The "root kit" is a classic examples of this. A root kit won't get you onto a system, but if you can get unprivilleged access some other way, the kit will then get you root. You can't assume that the security of a given account is unimportant just because that person hasn't been granted access to anything sensitive. There's always the possibility that a user has, or could get, access to things way beyond what was intended. Consider your marketing schmoe whose password security you claim is relatively unimportant. It's entirely possible (even likely) that the network which "does not allow remote access" does indeed have a gap somewhere. And if it does, someone could telnet in, log in as Mr. (or Ms.) Schmoe, and escalate to root on their one server. At this point, the attacker can probably compromise the username and password of any other user on that server, one of whom may have access to something that does realy matter. This is just a hypothetical story, but it illustrates a very important point about computer security: A series of weaknesses, any one of which would be unimportant as long as everything else worked as intended, can often be strung together into a succesfull attack.
As you said, security policies should be based on a rational economic evaluation of what's at risk and how much it would cost to mitigate that risk. The problem is that it can be difficult indeed to assess how much risk hinges on a given decision, so it's usually wise to be more conservative than you think you need to be.
Users are lazy.
If you have a small company with, say, fifty people, and you educate and assist all fifty of those people, a significant fraction will still say "there's no way my account would be cracked" and use set their password to "PASSWORD" or somesuch.
The fact is, you do need to force users to enter cryptic passwords, or there will always be lazy, irresponsible types who just don't do it.
The thing that is kind of silly about these is that they attack your encrypted password even though the system has access to your plaintext password whenever you enter it. On top of that, you have had the bad password on the system already and you get to deal with people who have disabled accounts because they were away when they got the warning, etc.
It's a lot more effective to just check the password when the user is actually setting it. You take the plaintext password and apply it against the plaintext that your password guessing algorithms would produce. If you are at least somewhat efficient about it the whole thing will take a second or so and you'll be able to apply much more extensive tests than you would bother to use if you were going to spend the system time encrypting each guess (Just don't apply the "up to 1000 8-bit-characters exhaustion" test. Sure, it's fast since you just automatically fail them, but it kind of defeats the purpose). The first time I did this I had to write my own and fiddle the passwd program to use it, but nowadays you can just stick in an off-the-shelf pam module to do it with little muss or fuss. If they fail, they have to come up with one that passes, so the system never has the bad one on it.
So start with a random cvccvc (c=consonant v=vowel) combination. Yes, I know it's not quite as good as a fully random alpha combination (by a factor of 275625), but it's a lot easier to remember. Then add a punctuation character (especially a shifted one like !@#$%^&*() ) and you will get something like "kez#tul". That's a pretty decent password right there.
If you have a truly fascist password policy to satisfy, change a letter to a l33t5p33k digit, and maybe make one letter uppercase. In this case, the result could be "k3z#t00L".
If you come up with three or four cvccvc pseudo-words, you can even use them for various security levels. One for r00t passwords, one for "normal" passwords, and one for web passwords (like slashdot, etc.).
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Every company/ISP/system should enforce password changes/passwd restrictions I'm all in favour of it. However, it IS possible to go the other way, and provide less security. My company is a multi-national and we have a huge network. Forced password changes were implemented around a year ago, because of a hacker wandering around. That's fine to do that, but then we have around 5-9 accounts, (depending on what you're doing), and that's INDIVIDUAL accounts. That's INDIVIDUAL passwords. It's made slightly easier, by not having passwd restrictions. I can tell you that the passwords that are going to be used by users will be something along the lines of 'abcdefgh', then 'bcdefghi'. The forced passwd changes is a monthly grief for everyone. Everyone HATES it. And so they should.
-- main(s){printf(s="main(s){printf(s=%c%s%c,34,s,34