Slashdot Mirror


Passwords May Be Weakest Link

blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"

17 of 495 comments

  1. Very good analysis. by tshak · Score: 5, Funny

    Passwords May Be Weakest Link

    And in other news, "The Earth May Not Be Flat".

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  2. Obvious by aridhol · Score: 5, Interesting

    Did anybody think that passwords wouldn't be the weakest link in security? Remember that, in general, "easy-to-remember" and "secure" are mutually exclusive. And if we forgo "easy-to-remember" for "secure", we will have people writing their passwords on a piece of paper on their desk. There's security for you.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Obvious by sc00p18 · Score: 4, Funny

      This makes me so MAD! I mean, why can't people take their security seriously? It's not that hard to sit down one day and make up a few difficult passwords and memorize them. For example, I use one of

      ekk4H$2drPr3Q,
      Ltc4buX126w, and
      7ydEX92aSz3UIo

      for 90% of my passwords. Then all you have to do is not tell anyone about them. They're not hard to remember anymore, and it really wasn't that difficult to begin with. Sheesh, morons.

    2. Re:Obvious by MarkusQ · Score: 5, Funny
      I wonder how tough it would be to crack SSN number passwords. These are easy to remember, but GOTTA be tough to crack....

      Not really. I once worked (as a contractor) with a prima donna / hot shot who thought he was the side the bread was buttered on (or something like that). Anyway, he left in a huff of wounded genius one day (someone had the audacity to challenge his expense report, IIRC). I had noticed a few months back that 1) his password was all numeric and 2) he typed it in a 3-2-4 pattern. After he was gone & everyone was in a panic because we were locked out of a few important things, I took it upon myself to look up his SSN in the payroll system.

      After everyone was sufficiently worried about the fate of the company and all, I asked mildly "Mind if I take a stab at it?"

      It worked the first time, and I deadpanned it like it was no big deal, with some Jeeves-ish quip about "the psychology of the individual" and tapped my forehead. It was quite fun.

      -- MarkusQ

    3. Re:Obvious by Dudio · Score: 4, Funny

      I'm sure it was unintentional, but you seem to have left out your Slashdot password. Plz fix. Thx.

    4. Re:Obvious by b1t+r0t · Score: 4, Insightful
      There's an easy way to make a relatively strong password that is also relatively easy to remember. How many of you have ever tried to make a cheesy D&D character name generator by having it generate cvccvc combinations (like say, keztul)? They can come up with some pretty weird... but still pronounceable... stuff.

      So start with a random cvccvc (c=consonant v=vowel) combination. Yes, I know it's not quite as good as a fully random alpha combination (by a factor of 275625), but it's a lot easier to remember. Then add a punctuation character (especially a shifted one like !@#$%^&*() ) and you will get something like "kez#tul". That's a pretty decent password right there.

      If you have a truly fascist password policy to satisfy, change a letter to a l33t5p33k digit, and maybe make one letter uppercase. In this case, the result could be "k3z#t00L".

      If you come up with three or four cvccvc pseudo-words, you can even use them for various security levels. One for r00t passwords, one for "normal" passwords, and one for web passwords (like slashdot, etc.).

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
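As an added example (not b1t+r0t's own code), the cvccvc scheme above implemented with Python's secrets module, with the keyspace of each variant worked out in bits so the trade-off against six random letters can be seen; the random interior position for the punctuation mark is an assumption taken from the "kez#tul" sample.

```python
import math
import secrets

# Character classes for the cvccvc scheme ('y' counted as a consonant).
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                       # 5 letters
PUNCT = "!@#$%^&*()"                   # shifted punctuation the comment lists
CLASSES = {"c": CONSONANTS, "v": VOWELS}
INTERIOR_GAPS = 5                      # six letters leave five gaps between them

def keyspace(pattern):
    """Number of distinct strings a pattern such as 'cvccvc' can produce."""
    n = 1
    for ch in pattern:
        n *= len(CLASSES[ch])
    return n

def pseudo_word(pattern="cvccvc", rng=secrets):
    """Random pronounceable word like 'keztul', drawn from a CSPRNG."""
    return "".join(rng.choice(CLASSES[ch]) for ch in pattern)

def with_punct(word, rng=secrets):
    """Insert one shifted mark at a random interior gap (assumed from 'kez#tul')."""
    gap = 1 + rng.randbelow(len(word) - 1)   # never at either end
    return word[:gap] + rng.choice(PUNCT) + word[gap:]

def make_password(rng=secrets):
    return with_punct(pseudo_word(rng=rng), rng=rng)

def matches_scheme(pw):
    """True if pw is six cvccvc letters with exactly one interior punctuation mark."""
    marks = [i for i, ch in enumerate(pw) if ch in PUNCT]
    if len(pw) != 7 or len(marks) != 1 or marks[0] in (0, 6):
        return False
    letters = pw[:marks[0]] + pw[marks[0] + 1:]
    return all(ch in CLASSES[cls] for ch, cls in zip(letters, "cvccvc"))

def compare():
    """Keyspace in bits (uniform choice) for the variants the thread weighs."""
    base = keyspace("cvccvc")
    return {
        "random 6 letters": math.log2(26 ** 6),
        "cvccvc": math.log2(base),
        "cvccvc + punct": math.log2(base * len(PUNCT) * INTERIOR_GAPS),
    }

if __name__ == "__main__":
    print(make_password())
    for name, b in compare().items():
        print(f"{name:18s} {b:5.1f} bits")
```

The punctuation mark roughly buys back what the pronounceable structure gives up, which is why the comment's "kez#tul" lands close to six unconstrained letters.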
  3. Microsoft password files... by antirename · Score: 5, Interesting

    Are especially vulnerable when bonehead admins let you remotely dump the registry. I've seen that one a couple of times. They don't let the users change the time or date on their machine, but the users can dump the registry on the servers. One company told me that "of course, we know that could be a problem, but the users aren't going to know how to exploit it". One of the dumbest examples of security by obscurity that I've ever seen.

  4. Here's the problem with that: by AMuse · Score: 5, Interesting

    My company is a service based company. We're a group of professional sysadmins who contract to large customers to take over network and SysAdmin duties. We are also responsible for security of our systems.

    The problem with password policy enforcement is that users want weak passwords. Ordinarily this is no problem, since security often trumps user needs.

    However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.

    It seems like we're caught between a rock and a hard place here, but since our customers are all senior civil servants, what're we to do? The more we enforce strong passwords, the closer they'll get to looking for someone who won't be so picky.

    1. Re:Here's the problem with that: by Waffle+Iron · Score: 5, Interesting
      However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement.

      I wonder if holding something like a "password cracker demo meeting" would help. Set up a test machine, let everyone enter a password of their choice, then run crack or similar on the password file. Let people watch as the program guesses their passwords and spits them out. Maybe give a prize to the best/worst passwords. It might get people to understand the problem and help them become more interested in solving it.

    2. Re:Here's the problem with that: by Darth_Burrito · Score: 4, Interesting

      My university had some sort of automated cracking script running weekly. If it cracked your password you were sent an email telling you your password had been cracked by their script. You were then instructed to change your password within 3 days (or something) or else your account would automagically be disabled.

      This system seemed to work well because users could see an actual threat. Also, since everything was handled via script, there was no one tangible to blame other than the user with the bad password.

  5. Yah! Stick it to the users! by jehreg · Score: 4, Insightful

    This is so tech-elitist... "The users are the problem!"

    Give a look at any paper by Sasse, Brostoff and Adams, such as this one, and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force-all-my-users-to-32-char-monthly-passwords bullshit attitude.

    The answer is not to forget the human aspect. Find a better way to help users generate better passwords, through education and assistance, not automated password rules, and forced password expiry.

  6. Necessary Strength is Relative by alouts · Score: 5, Insightful
    Passwords are important. Fine. But why are they important? They protect sensitive information? They keep the infrastructure running? They will allow a web site to track who you are and pull up the appropriate marketing preferences? They will allow you to launch nuclear weapons?

    Depending on who you are, and what context you're in, the answers could be totally different. And depending on that context, the strength of your password may matter a lot, or not at all.

    If you're just some schmoe in marketing, with no access to change anything on your personal system, no access to anything on the company network except to alter files in a personal directory on one server, your company's network does not allow remote access, and your building requires a card to get inside and another one to get up the elevator, then the importance of you choosing a strong password is relatively small.

    Making people choose strong passwords is a computer based version of a traditional risk-reward scenario. Users are going to hate keeping track of multiple passwords, with mixed case, numbers, special characters, and then throwing it all away and remembering a new one every 60 days. The reward of doing it has to outweigh that risk. Unfortunately I haven't gotten the feeling that either this article or many of the people here take into account the relative nature of computer security.

    One of the key questions that need to be asked before a password policy is defined and implemented is what are we securing and how valuable is it? How devastating would it be if people got access to it, and how would one go about getting that access? In most of the cases that people have mentioned, the items being secured are potentially not that critical/confidential/valuable and therefore the importance of a strong password is significantly diminished.

    Similarly, writing down passwords is more or less of a problem depending on where your threats are coming from, and what that password secures. I am not worried that the root password to my linux box at home is written down and taped to the box itself. Or even that it says "Root Password" right above it. It's securely formatted and difficult to guess, there's not a whole lot of important/critical info on the machine, and my main threat is coming from a random person on the network outside, not from someone specifically targeting me and breaking into my room to read the paper taped to my machine.

    Memorizing multiple truly secure passwords on a rotating basis is a pain in the ass. Before you force everyone on your network to do it, sit down for a second, think about how your systems and permissions are set up, and make sure that that pain is truly necessary. If it is, you will have a solid, business based reason why, and will be easily able to explain and convince others of your position. But implementing it because it's what someone told you is the "right" way to secure a system is lazy, and because people won't see the value, they'll shortcut it anyway.

  7. As a Security Admin all I can say is..... by oobeleck · Score: 5, Informative
    Duh!

    People at work hate me for enforcing hard passwords. (And other assorted security measures)

    Basically I am a BOFH so I don't care.

    Unfortunately the common joe/jill user has no clue when it comes to computer security.

    You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)

    A good way to help *push* them towards secure passwords is to crack your own systems passwords.

    You can use John the Ripper for Unix passwords OR l0pht crack for Windows systems.

    Nothing disturbs an end user more than when you email them their old password (you have changed it to something hideous now...) and warn them that you can read their email.

    If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.

    If you use Unix try npasswd to enforce difficult passwords.

    The most important factor is to get Management buy in. Try cracking some VP's passwords during a "standard audit".
    Help them come up with a creative password. (First letters of a phrase work well. Throw in some numbers/metachars..)

    Once I had Management buy in it was smooth sailing. Just hold their hand for a while.

  8. Re:The problem with strong passwords... by SCHecklerX · Score: 5, Insightful

    That's why, IMO, you force a strong password, but don't make the poor user change it every other friggin' day (ok, i'm exaggerating, but being forced to change a password for no good reason is a pet peeve of mine...system was hacked? fine, I'll change it)

  9. Re:The problem with strong passwords... by SomeoneGotMyNick · Score: 5, Interesting

    I use a dissected CueCat for password entry. It allows me to use any bar code found on snack food, coupons, product ID's, etc. as a random sequence of alphanumeric characters of significant length. All I need to do is remember where I kept, stored, tucked, stuck, shoved the item with the code on it, scan it, and I'm logged onto the company network.

    People may find a myriad of scannable codes on or near my desk at any given time. The trick is to know which one it is unless I carry it with me. Five attempts at a wrong password locks out the account. Due to the significant amount of digits, the IT department STILL has yet to crack my password using their cracking tools.

    We're required (forced) to change our passwords at regular intervals. Since I've been scanning things, I have not found that an inconvenience.

  10. one password for life by tapiwa · Score: 5, Informative

    OK, one password for life might be a bit extreme, but if a user is on to a good thing, do not get them to change.

    I have never understood why people think that passwords suffer from wear and tear. I have never seen evidence to convince me that the longer one uses a password, the more vulnerable it becomes.

    I remember in university, one of my courses had a module in something about maintenance/replacement of machinery, from a managerial perspective. One thing I recall is that with a lot of mechanical equipment, the older it got, the shorter the mean time between failure.

    Digital equipment was almost the opposite. New equipment had a high chance of failure. If it survived the first couple of weeks, then it became almost impossible to predict failure rates. It was entirely random. Hence replacing aging mechanical equipment made absolutely no sense, whereas replacing digital equipment actually introduced a danger of failure... ok I have oversimplified things a bit but you get the point right?

    Well, passwords are like that. If you force users to change their passwords, and they change it from John, to Luke, to Mark to Peter, you have not really done much.

    If you get really funky, and force them to change from adf0708 to 1433lkh to kh432lk to 23HGLY9 then you are beginning to get somewhere. The problem with these is that users then tend to write them down, because just as soon as they remember them off by heart, they are forced to change them. As long as a password is written down somewhere, it is not secure!

    A more thorough plan is to get users to choose one password, and set rules on numerics, caps, etc.. (or better yet issue passwords). At the same time, run a basic brute force dictionary cracker on the password file(s) and force *all* users with simple passwords to change them. Keep forcing them until they choose something sufficiently hard (or issue them with one that they can't change for the first 3 months or something).

    Once users have a robust password, allow them to use it indefinitely!

    --

    Live today. Tomorrow will cost a lot more!

    1. Re:one password for life by edp · Score: 4, Informative

      "I have never understood why people think that passwords suffer from wear and tear."

      Using a password does indeed weaken it. Every now and then, a user will accidentally type a password into a user name field, and that results in a log entry with the incorrect password in plaintext. Every now and then, some users will give their passwords to a coworker or relative to "borrow" their account. Some users will use the same password on multiple systems. When a cracker gets into a system, they are likely to record the password file and attack it, or to collect passwords via spoofing or whatnot.

      So, the longer a password has been in use, the higher the probability it has been compromised. The password suffers from wear and tear. Changing passwords refreshes them. A cracker that formerly had access to the system would have to start from scratch (especially if all passwords are changed simultaneously). Also, that cuts the coworker off from access to other employees accounts. They might not have done anything with that access now, but, someday, maybe they'll be fired and would like to take some sort of revenge. Since you cut them off by a policy of regularly changing passwords, they can't do it that way.