Have I just guessed your password?

SplashData recently released its list of the 25 worst passwords of 2011.  You can read the full list here, but the five worst were:

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123

If you use any of the passwords on the list change them immediately!

The curse of the sticky note

We’ve all seen it before: passwords stuck to the screen or around the desk area. Don’t get me wrong, I am a fan of the sticky note, but only for remembering to do something, not for storing passwords.

When working for a previous employer, I sat next to someone who used to be a manager, but had taken a step back to become a techie again.  One day we discovered, much to our surprise, that he’d stuck his password for the self-service HR system to his monitor and left for the day.  Thinking that this had been just an unfortunate mistake, we took it down from his monitor and slipped it into the locked drawers under his desk.  To say that he was angry the following morning would be an understatement!  To our amazement his view was that he didn’t care who could access his information because it was a useless system.  Needless to say the note went back on his monitor and that was it.  Eventually he saw the error of his ways and removed it from the screen, but it took a while.

Why your password shouldn’t be your pet’s name

The short answer is social networking. These types of sites encourage you to post and share all sorts of information with your friends, old acquaintances, family etc.  If you are the type of person who accepts a friend request from someone you met once at a party, then you risk giving away lots of useful information about yourself that helps them build up a profile. With so much information readily available it becomes much easier to guess your password, particularly if you use one of those so-called ‘weak passwords’.  For example, passwords based on birthdays, nicknames, addresses (old or current), pets, children’s or family names or a favourite football team should all be considered weak.

There are also several tools that help automate the process of building up potential passwords by entering some basic details about family members, pets, company and other relevant information.

Even if you don’t use social networking sites it doesn’t mean that this information isn’t easy to get hold of in other ways.

IT Administrators

Although we are of course a thoroughly nice bunch of individuals, we do require a high level of privileged access across IT infrastructure in order to properly manage systems.  For a malicious attacker, gaining the account details of an administrator is like stealing the crown jewels as this will provide them with access to virtually everything.

It is important that administrators have a day-to-day user account (in Active Directory or a similar service) just like the regular users, and also a dedicated administrator account for performing management tasks.  Not having administration privileges on their everyday user account reduces the impact of phishing-style attacks (even though, as IT admins, you’d expect us to be immune to these types of attacks, we are only human after all).

Each administrator should have their own administration account with privileges configured to only manage infrastructure that they are responsible for, though this is really only applicable in larger organisations.

Where equipment doesn’t readily support multiple user accounts a single username and password would have to be used, but it is important that this is changed on a regular basis, or when, for example, a member of the IT team leaves.  Where you have a reasonable amount of equipment it may be prudent to deploy an external authentication server rather than rely on local accounts; this gives each administrator a dedicated admin account that is easier to manage.  Bear in mind, though, that a backup account would still be required locally on the device in case the authentication server fails.  The bare minimum action you should take on any system is to change the vendor’s default username and password, as this information is easily found on the Internet.

It is also important to use secure management protocols, such as SSH rather than telnet and HTTPS rather than HTTP.  Using plain text protocols such as telnet means the password is sent as clear text across your network. We will cover this issue in a later blog post.

Enforce a password policy

The first step any business should take is to implement a companywide password policy covering both users and administrators.  The policy should cover:

  • Why the password policy exists
  • How it applies to employees and equipment it covers
  • Guidelines as to what a good password consists of in terms of your organisation
  • How passwords should be used and shared
  • How passwords should be shared with relevant third parties
  • What a user should do if they think their password has been compromised
  • Any disciplinary actions users will be subject to if they violate the policy

Once the policy is in place then, where possible, technology can be used to enforce it, such as configuring the password complexity settings to include a minimum length, and controlling the re-use of old passwords and the frequency of user password changes.
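The two technical points above, that a password should not be built from personal details an acquaintance could collect, and that a policy should be enforced by checking minimum length, re-use and age, can be combined in one validator. The following is an added example written for this post, not code from the original article or from any product it mentions. The profile (Alice Example, pet Rex, team Rovers, birthday 14 July 1985) is a constructed sample, the blocklist holds only the five passwords from the list at the top of the post, and the 12-character minimum and 90-day maximum age are assumed policy values.

```python
import hashlib
import hmac
import os
import re
from datetime import date
from typing import Optional

# The five entries from the list at the top of the post; a real deployment
# would load a much larger blocklist.
WORST_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123"}

# Constructed sample profile: the kind of detail a social-network acquaintance
# could collect. The names and date are made up for this example.
SAMPLE_PROFILE = {
    "first_name": "Alice",
    "surname": "Example",
    "pet": "Rex",
    "team": "Rovers",
    "birthday": date(1985, 7, 14),
}


def _normalise(text: str) -> str:
    """Lower-case and drop everything but letters and digits, so 'R-e-x' and 'Rex' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def profile_tokens(profile: dict) -> set:
    """Strings a password must not contain: names, pet, team and common spellings of the birthday."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            tokens.update({
                value.strftime("%d%m"), value.strftime("%m%d"),
                value.strftime("%d%m%Y"), value.strftime("%d%m%y"),
                value.strftime("%Y"),
            })
        else:
            tokens.add(_normalise(str(value)))
    # Very short tokens would match almost anything, so ignore them.
    return {t for t in tokens if len(t) >= 3}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the (salt, digest) pair is what the history list stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def check_password(candidate: str, profile: dict, history: list, min_length: int = 12) -> list:
    """Return the list of policy violations for candidate; an empty list means it is accepted."""
    violations = []
    if len(candidate) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if candidate.lower() in WORST_PASSWORDS:
        violations.append("appears on the worst-passwords list")
    norm = _normalise(candidate)
    for token in sorted(profile_tokens(profile)):
        if token in norm:
            violations.append(f"contains personal detail '{token}'")
    # Re-use check: hash the candidate with each stored salt and compare in constant time.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            violations.append("re-uses a previous password")
            break
    return violations


def needs_rotation(last_changed: date, max_age_days: int = 90, today: Optional[date] = None) -> bool:
    """Frequency rule: True when the password is older than the policy allows."""
    today = today or date.today()
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    history = [hash_password("correct-horse-battery-staple")]
    for pw in ["password", "Rex2010!", "correct-horse-battery-staple", "lengthy-unrelated-phrase-2"]:
        print(pw, "->", check_password(pw, SAMPLE_PROFILE, history) or "accepted")
```

Storing only salted hashes of previous passwords means the history list itself does not leak the old passwords if it is copied, while still letting the re-use rule be enforced.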

It is very important to incorporate IT administration into your password policies especially if you use third parties to manage some or all of your IT functions.  IT staff have elevated privileges in order to manage the infrastructure so having these passwords compromised in some way could have devastating consequences.

The password policy should also include measures to change shared administrator passwords where individual accounts are not feasible.

So what are the alternatives to passwords?

Strong authentication, more commonly referred to as two-factor authentication, describes an authentication process where a user has to know something and have something in order to gain access.  The “know something” is either a password, a PIN or the answer to a pre-defined security question.  The “have something” is a token or smartcard.  Some systems can also incorporate biometrics.

Not quite an alternative to passwords, but single sign-on can reduce the number of usernames and passwords a user has to remember.  Single sign-on systems essentially allow a user to log in to one system; those initial credentials are then linked and translated to other systems so that the user gains access to them without entering any further credentials.  Reducing the number of username and password combinations that users have to remember means they should be less inclined to write passwords down, share credentials and ultimately have to request password changes from the IT team.

From a security perspective this would of course mean that if a user account and password were to be compromised, then the malicious user would have access to multiple systems rather than having to gain multiple account details.  Commonly these systems are therefore combined with a secondary authentication method such as two-factor authentication.

Useful Resources

Want to check your password strength?  Microsoft provide a free online service -

https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx

Microsoft also provide some tips for creating strong passwords -

http://www.microsoft.com/en-gb/security/online-privacy/passwords-create.aspx
