You and your password(s)…

Against the rest of the world! 

by André Viljoen

Background

Nowadays, we are surrounded by computers and systems which require us to provide a username and password in order to gain access to specific or required information. And this applies to each and every one of us: think of the Personal Identification Number (PIN) for your debit or credit card. This, too, is a form of password protection.

For the purpose of this article, let us stick to the Local Area Network (LAN) or application software, e.g. Oracle or SAP, at work. In order to gain access to the LAN or specific software applications at work, you need to supply a username and password.

Objective

The objective of this article is to create greater awareness and to provide information on the importance of selecting secure passwords, as well as on best practices relating to password management, e.g. selecting, changing and managing your password.

The Employee, the Auditor (internal or external), as well as the Security Professional will be able to use the information contained within this article.

Statistics

Now, before we continue, let me provide you with some statistics which I, as an Internal Auditor, find very scary, yet not at all surprising.

1. During April 2003, a study was published on the SearchSecurity[1] website, entitled “Employees willing to share passwords with strangers” by Edward Hurley, News Writer, containing the following information:

a) A survey by the organisers of the Infosecurity Europe Conference found that 90% of office workers would reveal their passwords to a questioner positioned at Waterloo Station in London. During the previous year, 65% of those surveyed gave up their passwords.

Now, to be fair, the surveyors did lull the interview subjects into a false sense of security by approaching them through social engineering, which is often the surest way of getting around security measures. The interview subjects became more comfortable as they were asked more questions, so by the time the password question came, they obliged and revealed it, said Neil Stinchcombe, public relations director for Infosecurity Europe.

b) When it came to the actual revelation of their passwords, only 75% initially did so. The interviewers were able to get the passwords out of a further 15% by asking them to describe something about the password they used.

c) One interviewee replied, "I am the CEO; I will not give you my password. It could compromise my company's information." But the executive did admit that his password was his daughter's name. When asked for his darling's moniker, the CEO said "Tasmin."

d) The most popular passwords were people's names (16%), followed by football (or soccer) team names (11%) and birthdays (8%). The most common single password (12%) was -- drum roll, please -- "password"!

e) Giving up their passwords isn't the only mistake employees make, according to the survey, which was conducted to highlight security issues. Respondents were asked other questions, including:

· Have you ever given your password to a colleague? Two-thirds said that they have given their password to a colleague.

· Do you have any of your colleagues' passwords? Three quarters said they knew their co-workers' passwords.

· Would you download company information if asked to by a friend? About 55% said they would, and 57% said they would tell their friends their password, if asked.

· When you leave your current job, would you take confidential information with you that would help at your new position? About 85% of men said they would, whereas 75% of women said they would.

· What would you do with a file containing everyone's salary details? Three quarters of those surveyed said they wouldn't be able to resist taking a little peek, but 38% went even further, saying they would pass the information around.

· Have you ever sent around "unsavoury pictures" or "dirty jokes"? Here is where a real gender gap was revealed. More than twice as many men (91%) admitted to it, compared with only 40% of women.

2. During March 2003, a Computing Technology Industry Association (CompTIA)[2] survey (“Committing to Security: A CompTIA Analysis of IT Security and the Workforce”) revealed that human error was the most likely cause of IT security breaches and that IT training and skills certification were the key to ensuring greater network security.

The CompTIA-commissioned study, conducted by NFO Prognostics, surveyed 638 respondents from the public and private sectors. Among other things, the survey assessed security-breach frequency and common causes, security resources, responsibility and enforcement practices, investment in security and certification, and steps taken in response to government regulatory and legislative mandates.

Other highlights from respondents show:

· 31% had experienced one to three “major security breaches” (i.e. breaches that caused real harm, resulted in confidential information being taken, or interrupted business) in the last six months

· 22% said none of their IT employees have received security-related training; 69% have fewer than 25% of their IT staff security-trained, and only 11% said that all of their IT employees have received security training

· 96% would recommend security training for their IT staff

· 73% would recommend more comprehensive security certification for their IT staff

· 66% believe that staff training/certification has improved their IT security, primarily through increased awareness, as well as through proactive risk identification

· 59% said that government security regulations are largely inappropriate, failing to adequately address the practical side of the problem

3. During July 2003, a website called The Register[3] published an article named “Cracking Windows passwords made easy”, wherein cryptographic researchers outlined techniques to greatly reduce the time it takes to crack alphanumeric Windows passwords.

Brute-force attacks on such passwords have always been possible, but the techniques outlined in a paper from the Swiss Federal Institute of Technology in Lausanne (EPFL) show how such passwords could be broken up to eight or ten times more quickly than previously possible.

A paper on this work, “Making a Faster Cryptanalytic Time-Memory Trade-Off”, is to be presented by Philippe Oechslin and his colleagues at the Swiss Federal Institute of Technology in Lausanne during the Crypto'03 Conference in August 2003.

An abstract[4] for the paper explains: “Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used.”

4. An article, dated 29 April 2003 and published on the HostingTech website[5], revealed that a survey was completed by SearchSecurity.com, a leading security technology portal that provides an aggregation of the best information security content on the Internet, as part of a white-paper download programme. Of the nearly 300 opt-in subscribers who participated in the survey, 60% were in IT/IS Management and Administration, with 14% in Executive Management.

Key highlights of the survey revealed:

· 89% of respondents changed their passwords at least once a year

· 75% changed their passwords at least three times a year

· 29% changed their passwords more than seven times a year

· The more frequently passwords change, the more time IT departments spend managing username and password changes

· 64% of respondents admitted to writing down passwords at least once

 

5. Computer users typically have two strategies for managing the multiple usernames and passwords required to access IT systems such as bank information, voicemail and websites: adopting a common password, or storing their multiple passwords somewhere.

The 2002 NTA Monitor Password Survey[6] found that 84% of computer users consider memorability the most important attribute in selecting a password and that 81% of users select a common password where possible.

"Users are effectively leaving their keys in the front door of their computer systems. A disciplined security approach must start with the user. As an industry, we need to help users address this issue. The fundamental problem is that users are forced to manage and maintain so many usernames and passwords that they are inevitably using common phrases or resort to writing passwords down," said Roy Hills, technical director, NTA Monitor.

The 2002 NTA Monitor Password Survey splits users into three (3) groups: “light users” (36.8%, with fewer than five passwords), “medium users” (33.4%, with 5 to 10 passwords) and “heavy users” (29.8%, with more than 10 passwords). Key findings of the research included:

· 67% of users rarely or never change their passwords, and a further 22% admit that they would only ever change their password if forced to by a website or the system/IT department.

· The survey found that “heavy users” have an average of 21 passwords to manage, with some having up to 70.

· 49% of "heavy users” write their passwords down or store them in a file on their PC. This is higher than for lighter users; across all users, an average of 31% store their passwords.

What Companies want vs. what Companies do

Generally, Companies want their information systems to be secure, their information available, their confidential information protected, and their employees honest, ethical and adhering to laid-down policies and procedures.

However, more often than not, you will find the following:

· Inadequate Security Policies, in that they:

    • Are outdated;
    • Are incomplete;
    • Have never been formalised, e.g. formally approved and implemented; or
    • Have not been distributed/communicated to all employees

· In the event that the security policies do exist, they:

    • Inadequately define password and password complexity rules. Password rules comprise, amongst others, the following:
        • Password minimum length
        • Password maximum length
        • Password age/expiration
        • Password history
      Password complexity comprises, amongst others, the following:
        • Numeric characters
        • Alphanumeric characters
        • Uppercase characters
        • Lowercase characters
        • Special characters
    • Have not been properly implemented by the IT personnel; or
    • Are not being enforced and, as a result, are not being adhered to by the IT personnel and Company employees

· Little or no awareness training has been or is being conducted by the Company to ensure that the information technology risks are explained to the employees and the security requirements are understood

· Should the policies have been implemented, you will generally find exceptions to the rules, e.g. “for this reason, that rule cannot be applied”

· Lack of, or improper, user management could result in:

    • An excessive number of user accounts existing on the system, e.g. usernames of employees who have resigned are not removed
    • Unused user accounts not being identified or appropriately managed
    • User accounts with excessive rights/privileges not being identified or corrected

· Lack of, or non-existence of, an intruder detection system within the Company

· Inadequate segregation of duties among the IT personnel

· Time and/or work pressures not allowing proper security management practices to be followed by the IT personnel

I hear you ask why should there be Information Security Policies? Well, they are necessary to ensure that important data, business plans and other confidential information are protected from theft or unauthorised disclosure.

The outside world

Firstly, let us define the outside world. This could literally be anybody – from the man down the street to your fiercest competitor to the schoolboy playing around on the web.

As for the real hackers out there, they would like nothing more than to hack into your Company’s computer systems and obtain access to all your confidential information.

You, the individual and Company employee

Enough of the IT and other people – let us now talk about you, the individual and employee. You were appointed by the Company to perform a specific job, and for that you require access to the Company’s network and software applications.

How many usernames and passwords do you need to remember? Let’s see – there is one for the network, one for the financial application, one for the HR application…and so on, and so on.

Employees can have anything up to ten or fifteen usernames and passwords to remember. To exacerbate this situation, you would probably find that these passwords require changing at different intervals, complying with different password and password complexity rules.

So many passwords, such a huge task to remember them all. So, what do you do? Simple! You write them down on a piece of paper and leave it on your desk so it is easy to find. Alternatively, you create a Word or Excel file with all your usernames and passwords and store it on your computer’s hard drive.

Let’s see – what else do you do?

· Your user account does not require a password for you to sign on

· You hardly ever/never change your passwords

· You use the same password over and over again

· Your Company’s System Administrator has selected your password for you

· Your passwords are shorter than 6 characters

· Your passwords can be found in any dictionary

· You share your passwords with your colleagues

· Your passwords are something closely related to you, e.g. name, surname, any close family member’s name, etc.

· You reveal your password to strangers without giving it much thought

· You reveal the Company Security Policies to strangers

Surely, by now you should have realised that these are all very bad security practices.

One very important thing you have to remember is this: you were given a username/userID and password to access a system. A computer system does not know that it is you, the individual, signing on to the system. All it knows is that the specific userID is trying to gain access to the system and if allowed, it will grant the userID access. Normally logs of actions performed are kept on the system. These logs reflect which userID has done what and when. Now, if someone else has succeeded in getting hold of your password and done some weird and wonderful stuff on the computerised system, the log will reflect your userID and you will be held responsible.

Be this right or wrong, you were given the userID and you are responsible for safeguarding it and the password.

Best practices

Herewith some best practices related to passwords and password management:

· Adequate Security Policies should exist, these being:

    • Kept up to date;
    • Complete;
    • Formalised, e.g. formally approved and implemented; and
    • Distributed/communicated to all employees

· The Security Policies should:

    • Adequately define password and password complexity rules. Your password should adhere to the following password and password complexity rules:
        § Your password should have a minimum length of 8 characters
        § The longer the password, the better. One consideration though: the longer the password, the more difficult it becomes to remember, and then you fall back on things like writing it down
        § You should change your password at least every 30 days
        § You should not re-use any of at least your 6 previous passwords
        § You should include at least one numeric character in your password
        § You should include both uppercase and lowercase characters in your password
        § You should include at least one special character in your password, e.g. !@#$%^&*(){}[]
        § Passwords should not contain any form of your name or userID
        § Passwords should not be a word found in a dictionary (even a foreign one), spelling lists or other word lists
        § Passwords should not be shared, or written down and kept in plain view
        § Passwords will be audited on a regular basis for compliance
        § New users must change their password the first time they log on
    • Be properly implemented by the IT personnel.
    • Be enforced and adhered to by the IT personnel and Company employees, with exceptions to the rules limited. Exceptions to the Security Policies are to be documented, motivated and approved by Management. These approvals should be retained for future reference and audit purposes. The approval for exceptions is to be obtained every year.
    • All user accounts must require a password for the user to sign on.
    • The user can select and change the user account password.
    • You do not share your password with anybody.
    • You do not write a password on sticky notes, desk blotters or calendars, or store it on-line where others can access it.
    • The following things should not be used when choosing your password:
        § Your username or its reverse
        § Your name(s), surname or nicknames, or their reverse
        § The name of the company you work for or its reverse
        § The names of your family members or your pets
        § Any other information easily obtained about you. This includes licence plate numbers, telephone numbers, identification numbers, the brand of your car, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
        § Consecutive letters or numbers like "abcdefg" or "234567"
        § Adjacent keys on your keyboard like "qwerty"

· Appropriate awareness campaigns are to be conducted to ensure that the information technology risks are explained to the employees and the security requirements are understood.

· User management is to be done, addressing:

    • Excessive user accounts existing on the system, e.g. removing the usernames of employees who have resigned
    • Identifying unused user accounts and managing them appropriately
    • Identifying user accounts with excessive rights/privileges and correcting (where applicable) or authorising them

· Management should seriously consider the implementation of an intruder detection system within the Company

· Adequately segregate the duties of the IT personnel

· IT personnel are to be given adequate time to allow proper security management practices to be followed
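The password rules and the list of things not to use above can be turned into a simple policy check that an auditor or administrator runs over a candidate password. The Python below is an added example, not code from the article or from any product it mentions; the word list is a small constructed stand-in for a real dictionary, and the four-character run length used to spot "abcdefg"- or "qwerty"-style sequences is an assumption of the example.

```python
import re
import string

# Constructed stand-in for a dictionary / spelling / word list; a real check
# would load a full word list (the article suggests foreign dictionaries too).
WORD_LIST = {"password", "welcome", "summer", "dragon", "football", "letmein"}

SPECIAL_CHARS = set("!@#$%^&*(){}[]")  # the special characters the article lists

# Sources for the "consecutive letters or numbers" and "adjacent keys" rules.
SEQUENCES = [string.ascii_lowercase, string.digits]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _has_run(password, sources, length=4):
    """True if any `length` consecutive characters of the password appear,
    forwards or backwards, inside one of the source strings. The run length
    of 4 is an assumption of this example, not a figure from the article."""
    low = password.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if any(chunk in src or chunk in src[::-1] for src in sources):
            return True
    return False


def check_password(password, userid="", names=(), company="", history=()):
    """Return the list of rule violations; an empty list means the password passes.

    `names` holds the user's first name, surname, nicknames and family/pet names;
    `history` holds the user's previous passwords, oldest first.
    """
    problems = []
    low = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("missing uppercase or lowercase characters")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    # Personal information, forwards or reversed: userID, company name, names.
    personal = [("userID", userid), ("company name", company)]
    personal += [("name", n) for n in names]
    for label, word in personal:
        w = word.lower()
        if w and (w in low or w[::-1] in low):
            problems.append(f"contains {label} '{word}' or its reverse")
    # Strip digits and symbols so "Password1!" is still recognised as a word.
    letters_only = re.sub(r"[^a-z]", "", low)
    if letters_only in WORD_LIST:
        problems.append("dictionary word")
    if _has_run(password, SEQUENCES):
        problems.append("consecutive letters or numbers")
    if _has_run(password, KEYBOARD_ROWS):
        problems.append("adjacent keyboard keys")
    if low in (h.lower() for h in history[-6:]):
        problems.append("re-uses one of the last 6 passwords")
    return problems


if __name__ == "__main__":
    # Constructed samples: the article's phrase-method password beside weak choices.
    samples = [("J&Jwuth2fapow", {}),
               ("Tasmin2003!", {"names": ("Tasmin",)}),
               ("Password1!", {"userid": "jsmith"}),
               ("Qwerty789", {})]
    for pw, kwargs in samples:
        print(pw, "->", check_password(pw, **kwargs) or "OK")
```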

There are various methods that you can use to create passwords, namely:

The vanity plate:

We've all seen license plates that are customised with initials, names or personal messages. They are sometimes referred to as ‘vanity plates’. By taking a combination of letters and numbers, a phrase can be spelled out without using complete words. You can use this method to create passwords, too.

Vanity Examples:

Phrase               Creates this password
Too late again       2L8again
Music is for me      MusikS4me
Day after today      dayFter2day

Compound words:

Compound words that we use every day are easy to remember. Spice them up with numbers and special characters. Also, misspell one or both of the words and you'll get a great password.

Compound Word Examples:

Compound word        Creates this password
Tunafish             toona&Fish2
Rocketship           rokiT7shiP
Doghouse             DAWG#howz8

The phrase method:

Using the first letter of each word in a phrase can also help construct a good password. The object is to pick a phrase that is at least eight (8) words long and then use the first letter of each word.

Phrase Examples:

Phrase                                                     Creates this password
Jack and Jill went up the hill to fetch a pail of water    J&Jwuth2fapow
I spent too much at the fair last night                    Is2matfln
Gee, what I would give for a really good password          GwIwg4argp
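The phrase method as an added example (not code from the article): it rebuilds the three passwords in the table above from their phrases. The homophone table (and to &, to/too to 2, for to 4) is inferred from those three examples and is an assumption of this code, as is refusing phrases shorter than the eight words the text asks for.

```python
import re

# Homophone substitutions inferred from the article's examples; extending the
# table with further homophones is left to the user (assumption of this example).
SUBSTITUTIONS = {"and": "&", "to": "2", "too": "2", "for": "4"}

MIN_WORDS = 8  # the article asks for a phrase of at least eight words


def phrase_password(phrase):
    """Turn a phrase into a password: the first letter of each word, keeping the
    case as typed, with a number/symbol homophone swapped in for whole words.
    Raises ValueError when the phrase has fewer than MIN_WORDS words."""
    words = [re.sub(r"[^A-Za-z]", "", w) for w in phrase.split()]
    words = [w for w in words if w]  # drop tokens that were only punctuation
    if len(words) < MIN_WORDS:
        raise ValueError(f"phrase has {len(words)} words; use at least {MIN_WORDS}")
    return "".join(SUBSTITUTIONS.get(w.lower(), w[0]) for w in words)


if __name__ == "__main__":
    # The three phrases from the article's table, reproduced by the function.
    for phrase in ["Jack and Jill went up the hill to fetch a pail of water",
                   "I spent too much at the fair last night",
                   "Gee, what I would give for a really good password"]:
        print(f"{phrase!r} -> {phrase_password(phrase)}")
```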

Keyboard patterns:

Patterns on the keyboard can sometimes provide a password that is easy to remember visually. Try to incorporate numbers and/or special characters. You should also avoid using a single straight line such as 'qwerty'. Try geometric patterns, series of lines or zigzags. It is always important that no one ever sees you enter a password; this is a greater danger with pattern passwords because they are visually recognisable from a distance.

Keyboard Pattern Examples:

Pattern                                              Creates this password
A horizontal zigzag starting with the letter 'r'     r5t6y&u8
A series of lines starting with 'a', 't' and '7'     asdrty&789
A triangle starting with the letter 'x'              xdr5thnbvc

 

Intrusion Detection Tools

There are tools that come standard with Operating Systems to ensure compliance with password parameter policies. There are also third-party software tools that can be installed in addition to the Operating System’s security modules. We utilise the tools that come with the Operating Systems combined with a third-party software package. This reinforces the organisation’s philosophy of defence in depth.

This configuration allows the standard compliance settings to be automated. An example of this is the system not allowing a password to be created and used unless one of the characters is an Arabic numeral.

With this type of check in place, it is easy to be lulled into a false sense of security that the security professional’s task is complete in regard to strong passwords. This is a very common mistake and should be deemed extremely dangerous to the enterprise. There is still a need to manually audit passwords with tools such as L0phtcrack for Windows NT systems and Crack for Unix systems.

The reason is very simple. These tools are widely available on the Internet to crackers and legitimate security professionals alike. The tools are relatively simple to use and inexpensive, and the results are a good indication of the health of the password policy that is implemented in the organisation. By taking this small extra step, you could save a lot of trouble and time through simple prevention.

WORDS OF WARNING: Make absolutely certain before beginning that the appropriate authorisation to run password-cracking tools against your own systems has been obtained! (Consider including this authorisation as part of the organisation’s policy.)

 

Conclusion

Now, I am not trying to send you into a frenzy about the passwords you select.

Hopefully, I have created some greater awareness in your perception with regard to the creation and maintenance of passwords. It is entirely up to you to determine how secure your passwords will be.

Passwords are a fundamental part of any organisation’s security measures. Implementation of strong passwords should be the goal of the security professional. Strong passwords are a direct indication of the organisation’s security programme and a direct reflection of the organisation’s commitment to security.

Implementation of strong passwords depends on commitment in mainly three key areas, namely:

· Employee education,

· Written policy with management support, and

· The ability to audit passwords for compliance.

The lack of support in any one of these critical areas will make the implementation of strong passwords extremely difficult for the security professional, if not impossible.

Successful implementation of strong passwords should be viewed as a major milestone in security and in the organisation’s overall commitment to security.

It is not easy to select secure passwords and on a daily basis hackers are finding easier and better ways to crack your passwords. What is important is that you create a method in which you determine your passwords. At first, it will perhaps not be easy to remember them, but over time and with some practice this will improve.

I would like to leave you with this last thought:

The chain (e.g. your Company’s security) is only as strong as its weakest link – and your password can be that weak link.

Feedback

Any and all feedback or comments on this article would be greatly appreciated and can be sent to andre.viljoen@vodacom.co.za


[1] http://www.searchsecurity.com

[2] http://www.comptia.org/pressroom/default.asp

[3] http://www.theregister.co.uk

[4] http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

[5] http://www.hostingtech.com

[6] http://www.nta-monitor.com/fact-sheets/pwd-main.htm

Copyright © Jim Kaplan
AuditNet® is a registered trademark of Jim Kaplan


Revised: January 14, 2008

Address of this Page is http://www.auditnet.org/