Slashdot Mirror
Passwords May Be Weakest Link
blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"
Passwords May Be Weakest Link
And in other news, "The Earth May Not Be Flat".
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
...people will write them down.
Preferrably on post-it notes and stuck to the keyboard or the screen.
I have seen it all.
Did anybody think that passwords wouldn't be the weakest link in security? Remember that, in general, "easy-to-remember" and "secure" are mutually exclusive. And if we forgo "easy-to-remember" for "secure", we will have people writing their passwords on a piece of paper on their desk. There's security for you.
I can't say that I don't give a fuck. I've just run out of fuck to give.
Sounds like they put a password cracking utility against the NT sam file. The thing is that if your security is done right, you should at least need the Administrator password to access that file, no?
Are especially vulnerable when bonehead admins let you remotely dump the registry. I've seen that one a couple of times. They don't let the users change the time or date on their machine, but the users can dump the registry on the servers. One company told me that "of course, we know that could be a problem, but the users are'nt going to know how to exploit it". One of the dumbest examples of security by obscurity that I've ever seen.
...every 39 days, and it remembers an ungodly number of old ones, so you can't recycle. I don't have enough kids to come up with that many passwords.
I am not your blowing wind, I am the lightning.
My company is a service based company. We're a group of professional sysadmins who contract to large customers to take over network and SysAdmin duties. We are also responsible for security of our systems.
The problem with password policy enforcement is that users want weak passwords. Ordinarily this is no problem, since security often trumps user needs.
However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.
It seems like we're caught between a rock and a hard place here, but since our customers are all senior civil servants, what're we to do? The more we enforce strong passwords, the closer they'll get to looking for someone who won't be so picky.
Users are the weakest link. Always has been. The user chose the password.
-- Who is the bigger fool? The fool or the fool who follows him? --
probably 60-75% were cracked within 8 hours.
People do not understand how computers work. If they do not understand how computers work they cannot understand how computer security works. If they do not understand how computer security works, they will likely never ever understand the gravity of a password no matter how much it's explained to them.
To users a password is an annoyance. And they are trained to not be secure with their identities. How many people just give out their SSN? Something that is a definative source of identity, and allows access to tons of things: bank accounts, medical info, home addy. People will just give this to pretty much any customer service Joe.
Why shouldn't they do the same with a password?
This is so tech-elitist... "The users are the problem!"
- all-my-users-to-32-char-monthly-passwords bullshit attitude.
Give a look at any paper by Sasse, Brostoff and Adams, such as this one, and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force
The answer is not to forget the human aspect. Find a better way to help users generate better passwords, through education and assistance, not automated password rules, and forced password expiry.
It's probably their /. username...
Now "dictionary word" -> "easy to remember" -> "insecure" but that doesn't imply "insecure" -> "easy to remember". Far from it in my opinion.
EnkiduEOT
There is no trap so deadly as the trap you set for yourself
-Raymond Chandler, The Long Goodbye
- A great deal of passwords are simply PASSWORD. Try it, you'll be amazed
- If you know the names of the target's immediate family (and possibly pets), you've just gained 1-5 more possible passwords.
- Many people simply make their passwords 'qqqq' or some chain of identical letters. This is because they don't want to have to bother with remembering a password.
- On a similar note, try QWERTY, ASDFGH, ZXCVBN, etc. Look for strings of letters on the keyboard that fit the minimum password length (typically either 4 or 6.
- If you have access to the target's desk, you've hit pay dirt. The password is likely written down somewhere. It would be nice if most software didn't say write down your password, etc.
Good password creation tips...Mother's maiden name is too obvious. But what about just any random name, or maybe a confirmation name (if you're Catholic)? For example, my confirmation name is Anthony. Here's what we do. We reverse the characters, and it becomes ynohtna. Let's remove the vowels. We get ynhtn. Screw around with case. Make it YnHtN. Then throw some easy to remember chain of numbers in there. For example, the last 4 digits of your phone number (0799 for me.) So it becomes Y0n7H9t9N - a password that would take weeks to bruteforce, and can be remembered fairly easily with a bit of practice.
Also consider biometrics. But the problem with biometric input devices is if your password is cracked, you can't really change it...
I've rigged up a
But hey, if you have your password set to PASSWORD, let me tell you, you're asking for it.
-Evan
You need to have a password policy that encourages better passwords without requiring a specific password makeup.
If I encounter a system where my password must include mixed case and digits and punctuation, I'm going to make up a random string, and then have to write it down.
Some Unices I've encountered had a passwd(1) that would NOT allow you to enter a "bad" password, while others would nag you gently depending on how "bad" it was, but would eventually relent and let you set your password to "flower" if that's what you REALLLY wanted.
The REAL answer is not "password" but "pass phrase" where the text can be lengthy and meaningful to none but the user.
Furthermore Opie is a neat project to avoid keyboard snooping.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
But this is definitely one of the few areas where NT/2K still scores over (most) Unices (as far as I know, please cluestick me if I'm wrong...) , namely it's trivially easy to enforce finely grained password policies. On NT, it's a case of find the dialog, check the options you want to apply , enter some numbers (length to time to remember old passwords and reject them, how often to force changes), minimum length, whether to force uppercase/ digits / alpha-numericals etc. I've been using Linux, BSD and Solaris for three years professionally, and tinkering at home for several years before that, and I frankly wouldn't know where to start to enforce password policies. (Well, OK, I'd use Google, the LDP, how-tos etc, but you see my point.)
That said, I just installed Mandrkae 8.3 out of curiousity to see what a Windows-friendly distro looks like, and I'm VERY impressed. Bob Young is wrong - IMHO - I think Linux
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
HEY! Who told you?!?
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
Depending on who you are, and what context you're in, the answers could be totally different. And depending on that context, the strength of your password may matter a lot, or not at all.
If you're just some schmoe in marketing, with no access to change anything on your personal system, no access to anything on the company network except to alter files in a personal directory on one server, your company's network does not allow remote access, and your building requires a card to get inside and another one to get up the elevator, then the importance of you choosing a strong password is relatively small.
Making people choose strong passwords is a computer based version of a tradition risk-reward scenario. Users are going to hate keeping track of multiple passwords, with mixed case, numbers, special characters, and then throwing it all away and remembering a new one every 60 days. The reward of doing it has to outweigh that risk. Unfortunately I haven't gotten the feeling that either in this article or on many of the people here take into account the relative nature of computer security.
One of the key questions that need to be asked before a password policy is defined and implemented is what are we securing and how valuable is it? How devestating would it be if people got access to it, and how would one go about getting that access? In most of the cases that people have mentioned, the items being secured are potentially not that critical/confidential/valuable and therefore the importance of a strong password is significantly diminished.
Similarly, writing down passwords is more or less of a problem depending on where your threats are coming from, and what that password secures. I am not worried that the root password to my linux box at home is written down and taped to the box itself. Or even that it says "Root Password" right above it. It's securely formatted and difficult to guess, there's not a whole lot of important/critical info on the machine, and my main threat is coming from a random person on the network outside, not from someone specifically targeting me and breaking into my room to read the paper taped to my machine.
Memorizing multiple truly secure passwords on a rotating basis are a pain in the ass. Before you force everyone on your network to do it, sit down for a second, think about how your systems and permissions are set up, and make sure that that pain is truly necessary. If it is, you will have a solid, business based reason why, and will be easily able to explain and convince others of your position. But implementing it because it's what someone told you is the "right" way to secure a system is lazy, and because people won't see the value, they'll shortcut it anyway.
People at work hate me for enforcing hard passwords. (And other assorted security measures)
Basically I am a BOFH so I don't care.
Unfortunately the common joe/jill user has no clue when it comes to computer security.
You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)
A good way to help *push* them towards secure passwords is to crack your own systems passwords.
You can use John the Ripper for Unix passwords OR l0pht crack for Windows systems.
Nothing disturbs an end user more then when you email them their old password,
(You have changed it to something hideous now...) and warn them that you can read their email.
If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.
If you use Unix try npasswd to enforce difficult passwords.
The most important factor is to get Management buy in. Try cracking some VP's passwords during a "standard audit".
Help them come up with a creative password. (First letters of a phrase work good. Throw in some numbers/metachars..)
Once I had Management buy in it was smooth sailing. Just hold their hand for a while.
Everyone knows the first part of this. If a password is easy to remember, it is easy to crack. If a password is changed frequently, it is almost impossible to remember. Why are we still using passwords? Passwords rarely catch on in any of the other places we try to use them (car locks, electronic padlocks, electronic house locks, etc.) The few places they have caught on are typically a joke. I recently went to the side door of my sister in law's high security apartment. There were four keys on the entry pad with the numbers worn off. I didn't even bother to call up to her until I had the sequence figured out. Thirty years in trying to lock down systems seems to have taught us nothing. Why aren't we damanding something better, such as USB keys, fingerprint scanners, etc? Whenever I discuss this, there are quite a few who say it is the users fault, that they must be trained to use passwords that are secure, and then everything would be fine. Sure, and if everyone loved each other, there would be no more war. But let's deal with people as they really are, not in some theoretical alternate universe. I'll say it again - thirty years of experience has taught us that passwords do not work. At some point we need to stop trying to start that car and get a new one.
As many others have pointed out, it's between a rock and a hard place. Allow weak passwords and you'll get them. Force strong ones and they'll be written down where anyone can find them (I used to work at a company whose Unix admin wrote down all the root passwords on the bottom of his keyboard wrist rest. Yes, he sucked.)
The forced password changes really piss me off though, especially when combined with long memories of "previous passwords". I use secure, uncrackable passwords for most things, and particularly for work. But when I'm forced to change them every 30 days you can bet I'll run out of things that I can easily remember, especially since I have passwords for work, for home, for email, for websites, my ATM card(s), the company's alarm system, and so forth. Eventually I end up relying on wonderful passwords like "abcdef1" which may as well be an invitation to use my UID.
It really is a catch-22 situation. I suppose SecureID and the like are the "best" solution, but they're nearly as unwieldy for the user as strong passwords. But at least they can't just be written down -- just lost or stolen.
The problem users are bonehead sysadmins who use their authority to bypass the password policy or just don't set secure passwords.
I'd be eating dinner and drinking expensive wine at a nice restaurant if I had a dollar for every time I've found an Oracle SYS password set to "change_on_install" or "oracle".
The only solution to the password problem is to eliminate passwords. At my organization, we are moving to a smartcard-based system that removes the password problem completely.
Conformity is the jailer of freedom and enemy of growth. -JFK
OK, one password for life might be a bit extreme, but if a user is on to a good thing, do not get them to change.
.. .. ok I have oversimplified things a bit but you get the point right?
I have never understood why people think that passwords suffer from wear and tear. I have never seen evidence to convince me that the longer one uses a password, the more vulnerable it becomes.
I remember in university, one of my courses had a module in something about maintenance/replacement of machinery, from a managerial perspective. One thing I recall is that with a lot of mechanical equipment, the older it got, the shorter the mean time between failure.
Digital equipment was almost the opposite. New equipment had a high chance of failure. If it survived the first couple of weeks, then it became almost impossible to predict failure rates. It was entirely random. Hence replacing aging mechanical equipment made absolutely no sense, whereas replacing digital equipment actually introduced a danger of failure
Well, passwords are like that. If you force users to change their passwords, and they change it from John, to Luke, to Mark to Peter, you have not really done much.
If you get really funky, and force them to change from adf0708 to 1433lkh to kh432lk to 23HGLY9 then you are beginning to get somewhere. The problem with these is that users then tend to write them down, because just as soon as they remember them off by heart, they are force to change them. As long as a password is written down somewhere, it is not secure!
A more thorough plan is to get users to choose one password, and set rules on numberics, caps, etc.. (or better yet issue passwords). At the same time, run a basic brute force dictionary cracker on the password file(s) and force *all* users with simple passwords to change them. Keep forcing them until they choose something sufficiently hard (or issue them with one that they can't change for the first 3 months or something).
Once users have a robust password, allow them to use it indefinitely!
Live today. Tomorrow will cost a lot more!
What you say is certainly true, but I want to put a big caveat on it:
It's very difficult to answer the question " what are we securing and how valuable is it?" for a number of reasons. To do that, you need to define what it is you're afraid of losing and how much of it you might lose from a particular attack. Both are very difficult questions, and are often gotten wrong.
Looking at the first, people often underestimate the risk from a security compromise because they're only thinking about the confidentiality (secrecy) of their data. At least as important to consider are integrity and availability, that is whether the system and data remain correct and usable. There are lots of things don't really need to be confidential, but do need to be right. Picture building design specs, for example. They're not secret at all - most of them will become matters of public record - so it doesn't really matter if they get stolen. God help you, though, if they get altered and you don't find out until halfway through construction.
Supposing you can somehow estimate the total VAR (Value At Risk) of your information systems, it's still nigh impossible to figure out what portion of that would be endangered by any particular attack. An apparently minor attack can easily be a stepping stone to a much more serious one. Parlaying limited access - whether aquired legitimately or otherwiss - into greater power is generally called privilege escalation, and it's a common component of attacks. The "root kit" is a classic examples of this. A root kit won't get you onto a system, but if you can get unprivilleged access some other way, the kit will then get you root. You can't assume that the security of a given account is unimportant just because that person hasn't been granted access to anything sensitive. There's always the possibility that a user has, or could get, access to things way beyond what was intended. Consider your marketing schmoe whose password security you claim is relatively unimportant. It's entirely possible (even likely) that the network which "does not allow remote access" does indeed have a gap somewhere. And if it does, someone could telnet in, log in as Mr. (or Ms.) Schmoe, and escalate to root on their one server. At this point, the attacker can probably compromise the username and password of any other user on that server, one of whom may have access to something that does realy matter. This is just a hypothetical story, but it illustrates a very important point about computer security: A series of weaknesses, any one of which would be unimportant as long as everything else worked as intended, can often be strung together into a succesfull attack.
As you said, security policies should be based on a rational economic evaluation of what's at risk and how much it would cost to mitigate that risk. The problem is that it can be difficult indeed to assess how much risk hinges on a given decision, so it's usually wise to be more conservative than you think you need to be.
Users are lazy.
If you have a small company with, say, fifty people, and you educate and assist all fifty of those people, a significant fraction will still say "there's no way my account would be cracked" and use set their password to "PASSWORD" or somesuch.
The fact is, you do need to force users to enter cryptic passwords, or there will always be lazy, irresponsible types who just don't do it.
We used to store our root passwords on printouts that the sysadmins kept in their top drawer - obviously not secure.
The solution I came up with was to build a dedicated Linux password server. Each user has a login and is a member of certain UNIX groups. Their "shell" is a custom C program that when the user logs in, prompts for a machine and username combination. This input is only displayed as asterisks (so people looking over the shoulder won't know what machine the user is looking up). The program then tries to read a text file for that machine and user. If the permissions are such that the logged in user is a member of the right group, then the contents are displayed for 5 seconds and then the screen is blanked.
This allows us to restrict who has access to what machines. The password server is pretty secure with no unnecessary daemon processes running, root cannot login through telnet (you need to login using a second account to get a prompt to su), there is a bios password and lilo password and the box is physically secure in the server room.
In the case of fatality, a paper backup is stored in a secured envelope and kept locked away with human resources who have permission to give it to a select few only (managing director, director of operations and IT managers).
It's working well for us and has been live for about three months now.