Poor Passwords A Worse Problem Than Poor Antivirus

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."

Sunflowers aren't so bad

[plover]

In TFA the author complains about "sunflowers", people who have passwords on post-its stuck around their monitor frame. The thing about post-its is that 89% of last year's credit-card breaches originated from sources outside the companies. And there is no malware possible that can read what's written on a post-it note.

Re:Sunflowers aren't so bad

[KeithIrwin]

I agree completely. I generally tell people that it's far, far, far better to have a strong password which you write down than a weak one which you can remember. Simply moving the post-its from the monitor to a locked desk drawer would do a lot to decrease the security risk of writing them down.

It's also not even vaguely clear to me why people feel that regular password changes are helpful or a good idea. As far as I can see, all they do is make it tougher for users to use strong passwords (due to being unable to memorize them), thus leading to weaker passwords and less security. An uncompromised password is an uncompromised password. They don't go stale.

Regular password changes don't help decrease the likelihood of a system being compromised, they just offer some mitigation in the event that it has been compromised. However, given that an attacker probably will need only a few hours or days to slurp plenty of information or do plenty of damage, rotating passwords monthly isn't even likely to mitigate the compromise much.

So the trade-off being made is that the system is now more likely to be compromised due to weaker passwords but in return, there's small chance that an attack will be stopped after the system has been compromised due to the password changing. That doesn't seem like a good trade-off to me. My best guess is that this advice is left over from a time when some systems had shared passwords. The regular password change was so that people who had been given the password to a system to do one thing wouldn't have access forever. Some places even used daily passwords so that they could give someone access for one day, but have their access reset the next day. But that advice has been carried over to individual user passwords in systems which use better access control technologies to manage access.

These sort of reports don't stop and analyze what constitutes good password management. They just say "Passwords should be changed regularly. It must be true because everyone is saying it. This company doesn't change their passwords regularly, so they have poor password management." As such, they aren't really a good assessment of the problem.

Re:Sunflowers aren't so bad

[grumbel]

Simply moving the post-its from the monitor to a locked desk drawer would do a lot to decrease the security risk of writing them down.

Or better yet, store it in your wallet. A place that is save enough for your money, credit cards and car keys should be save enough for a bunch of passwords. One could of course go one step further and get rid of passwords altogether and use a secure authentication device instead, with USB being commonplace everywhere that shouldn't be to hard to just use a USB device that does the authentication and encryption in a secure and easy to use manner.

The core problem isn't that users chose insecure passwords, thats just human nature, the core problem is simply that hardware and software developers haven't build systems that work well enough with this "flaw" of human nature.

Re:Sunflowers aren't so bad

[plover]

Regular password changes don't help decrease the likelihood of a system being compromised, they just offer some mitigation in the event that it has been compromised. However, given that an attacker probably will need only a few hours or days to slurp plenty of information or do plenty of damage, rotating passwords monthly isn't even likely to mitigate the compromise much.

Many of the really big credit card attacks (TJX, Network Solutions) took place over several months (or years), harvesting on-line transaction data. We have no way of knowing if the passwords were rotated during the course of the attack if that would have shut down the attackers. Network Solutions was PCI DSS rated, which means they had a password rotation policy in place, and their attack continued from March through June. We can probably assume the attackers seized the first opportunity to create a back door that they could use in the event the passwords were changed, so a rotating password would have had no effect on them.

Author parrots common fallacy

[whoever57]

The author parrots out the common fallacy that passwords have to changed frequently:

Even worse, good password management requires frequently changing passwords - every 30 to 60 days is the standard. Rotating passwords more frequently--every 15 days or so--is possible, but the panelist say it creates more of management and user headache that leads to more sunflowers by users who's memories can't keep up with changes.

Until people get over this misconception and communicate to their users: "give yourself a good password. I won't ask you to change it so you can pick a strong password that you will remember and that will be the end of memorising passwords" Then stress what makes a strong password.

Re:Biometrics

[KeithIrwin]

The problem with biometrics is that they aren't secrets and they aren't changeable. As such, they're fine for low-security in-person authentication. For example, I've heard of a restaurant which had their wait staff punch in by scanning their finger prints. That's fine. But if you use it to control access to the VPN, then that's problematic due to the non-changeability.

Here's why:
Let's assume that you are an employee who runs Windows at home. You keep up with the latest patches and don't do anything stupid. You probably even run Firefox. But still, someone manages to slip through an unpatched bug and infect your system. It can happen to just about anyone. They then install a back door and start logging what's going on in your system. They notice that you connect to a VPN so they start sniffing your USB traffic so that they can appear as you (recording either your password or your fingerprint). Now they can get into your company's VPN. It's compromised. Fortunately, your IT guy is on the ball. At 11am the next day, you get a call from your network admin asking you if you are signed into the VPN because he expects that you're in the office, but you also appear to be signed in remotely. You confirm that you are not signed in and the two of you realize that you've been hacked. He temporarily disables your access. You go home, clean up your home computer (assuming that you can) or bring it in to have them clean it up, and then it's time to give you access back.

Now here's where things diverge. If you've used a password, you just have to change your password to a new one, and it's secure again. Your fingerprint isn't changeable. Obviously, you can switch to a different finger, but that's a limited strategy since you've only got 10 of them (well, maybe slightly more or less if you were born with extra fingers or have lost some in accidents). I suppose once you're out of fingers, you could use toes, but I doubt most users would be willing to. This becomes especially problematic if any non-hashed versions of things are stored (as often must be done for fuzzy matching) because if the database gets compromised, every single person would need to change to a new finger. You also wouldn't want to use the same finger for your work password as you use for your bank. So, a total of 10 may seem like a lot, but over the course of a lifetime, you're almost certain to run out. Other biometrics are even more problematic since people have at most two irises, only one voice, only two sets of hand geometry, etc.

The non-secrecy can also be a pretty big issue, although that one usually only comes up with insider attacks since they generally have to know you in person. Let's say you use the fingerprints for controlling access to the company database. Now, Alice is a supervisor in payroll accounting and can change people's salaries in the database. Eve works sales and is clever and unscrupulous. Eve invites Alice over to dinner, and after she's left, lifts her fingerprints from her wine glass or the glass table top or almost any other smooth surface she's touched. Heck, she might even be able to get it from a door knob at work if she's careful. Once Eve has the fingerprint data she can then log-in over the network to the database.

The banking situation would be even tougher because you would expose your fingerprint when you use an ATM. All an attacker would have to do is wipe the buttons and/or fingerprint scanner clean before you use it and then lift your print from the machine when you're done.

Alice can keep her password in her head, or if it's too hard to keep in her head, she can write it down and keep it in a locked drawer in the office. This isn't absolute security, especially since keys can be duplicated from pictures of them, but would at least require that Eve physical break into the office. But still, her password at least starts out as a secret unknown to anyone else. Her fingerprints are not secrets. Using your fingerprint as your password is like writing you pas