PRIVACY
Password Palooza
Passwords are more secure than you think. And you can make them even better using intelligent password management.
By Simson Garfinkel
Many CSOs would like to eliminate passwords from their organizations and use some other technology to authenticate
users. That's because it's easy for users to inadvertently compromise
password security or intentionally share passwords with coworkers,
friends, even the enemy. (Think sticky notes on monitors.) But
passwords are not going away anytime soon. They are too widespread, too
easy to implement and just too darn useful. And they really are a good authentication technology.
Because CSOs will be stuck with passwords for the foreseeable
future, organizations need to give their employees tools, policies and
training to intelligently manage the passwords they have, while
simultaneously minimizing the damage that can occur if those passwords
are compromised.
One of the reasons passwords are ubiquitous in today's
information-oriented society is that they are so easy for programmers
to implement. Any computer system that has an input device and a little
bit of memory can be rigged for password-controlled access. As a
result, we have passwords not just for desktop computers and e-mail but
for voice-mail systems, television v-chips, and car computers and
emission systems as well. Passwords are everywhere.
Even if you restrict the discussion to the world of desktop
computers, you'll still find that passwords are everywhere! Today's
information workers must use dozens of passwords on a regular basis: to
log in, to download e-mail, to access benefits systems and so on.
The purpose of passwords is to prevent information or resources from
being accessed by an unauthorized individual. In practice, this means
that passwords need to be both difficult to guess in the first place
and then changed regularly. Good password management should prevent an
ex-employee from using your corporate account to set up his own
conference calls or to read your e-mail.
Password Synchronization
To start the password management process, minimize the number of
passwords employees need to know. Here the most common approach is
what's known as password synchronization. With this method, a central
server guarantees that users can access all of a company's servers and
services with the identical user name and password.
The easiest way to implement password synchronization is to deploy a
centralized directory that stores user names and passwords. The most
common technologies here are LDAP (Lightweight Directory Access
Protocol) and RADIUS (Remote Authentication Dial-In User Service).
Password Vaults
Next, give your users a way to securely record their passwords—both
your organization's and those issued by all those websites out there on
the Internet. Although some people still use sticky notes taped to
monitors, I prefer programs that implement what's known as a password
vault. These programs store user names and passwords in a file that's
encrypted with a so-called master password. Thus, instead of having to
memorize dozens of individual passwords, employees need to remember
only one.
My favorite password vault is an open-source program called GNU
Keyring that runs on PalmOS (download it from
gnukeyring.sourceforge.net). Keyring is easy to install and use. As an
added bonus, it synchronizes with a user's desktop, protecting his
information against accidental loss and allowing him to view the file
there as well. A similar program called Password Safe, which runs on
Windows, is available for free from www.schneier.com/passsafe.html.
Password vaults are also built into the Mac OS X operating system and
into both the Firefox and Internet Explorer Web browsers. Apple's
password vault is called Keychain. If you subscribe to Apple's dot-Mac
service, you can automatically synchronize keychains among multiple
computers. Firefox has a vault that it uses to store website user names
and passwords: To make this system secure, you should give your browser
a master password. Internet Explorer's vault is based on the Windows
log-in password.
Password Cracking
The problem with all password vault systems is that the vault itself
can become a target: A determined attacker with appropriate access can
simply steal your vault—by stealing your PDA, for example—crack the
master password and recover all its secrets.
Password cracking requires three elements for success. First, the
attacker needs to have a copy of the encrypted password vault. In
practice, this means that the attacker needs to steal the PDA (in the
case of GNU Keyring) or a copy of the file containing the password
vault from the user's desktop computer. Second, the attacker needs
special software that can rapidly test millions upon millions of
potential passwords. Finally, the attacker's software needs to be able
to immediately identify when it has guessed the right password. This
kind of attack is called an offline attack because it can be done
without being connected to a network.
Password cracking is easiest when users pick short passwords. This
is where password policies and user education can make a huge
difference. If users pick master passwords that are only four letters
long and if each of those letters is known to be lowercase, then there
are only 456,976 different possible passwords to try (to arrive at that
figure, multiply 26 by itself four times). A typical desktop computer
can try between 100,000 and 1 million passwords per second. As a
result, such a password can be cracked almost instantly.
On the other hand, if passwords are eight characters long and are
drawn from an alphabet that includes both lowercase letters and
numbers, there are roughly 3 trillion password possibilities in play
(that is, 36 multiplied by itself eight times); trying all of these
using a single computer will take an attacker between 32 days and one
year, depending on the computer's speed. This scenario gives
organizations enough time to change the critical passwords in the
stolen password vault. Alas, an attacker who has access to several
hundred computers will be able to crack an eight-character password in
just a few days. Users facing such highly motivated adversaries should
choose master passwords that are at least 16 characters long. An easy
way to do this is to make the password a "passphrase" consisting of
several words, numbers, spaces and punctuation.
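The arithmetic in the two paragraphs above, carried through for all three cases the column describes (four lowercase letters, eight letters or digits, and a 16-character passphrase) at both ends of the quoted cracking rate and for one machine versus several hundred. This is an added example, not code from the article; the 26- and 36-symbol alphabets, the 100,000 to 1,000,000 guesses per second, and the 300-machine figure are taken or assumed from the text.

```python
"""Worst-case offline-attack timing for the password policies in the column.
Added example, not the article's code. Assumed from the text: a 26-letter
lowercase alphabet, a 36-symbol lowercase-plus-digits alphabet, and a rate
of 100,000 to 1,000,000 guesses per second per machine."""
from dataclasses import dataclass
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

@dataclass(frozen=True)
class Policy:
    name: str
    alphabet_size: int  # distinct symbols a user may pick from
    length: int         # number of symbols in the password

    def keyspace(self) -> int:
        # Positions are independent, so alphabet_size ** length guesses exhaust the space.
        return self.alphabet_size ** self.length

def worst_case_seconds(policy: Policy, guesses_per_second: float, machines: int = 1) -> float:
    """Seconds to try every candidate with `machines` cracking in parallel."""
    if guesses_per_second <= 0 or machines <= 0:
        raise ValueError("guess rate and machine count must be positive")
    return policy.keyspace() / (guesses_per_second * machines)

def describe(seconds: float) -> str:
    if seconds < 3600:
        return f"{seconds:,.1f} s"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.3g} years"

# The three cases the column walks through; the passphrase keeps the same
# 36-symbol alphabet to show that length alone moves the figure.
POLICIES = [
    Policy("4 lowercase letters", 26, 4),
    Policy("8 lowercase letters or digits", 36, 8),
    Policy("16-symbol passphrase, same alphabet", 36, 16),
]

if __name__ == "__main__":
    for rate in (100_000, 1_000_000):
        for machines in (1, 300):  # 300 stands in for "several hundred computers"
            print(f"\n{rate:,} guesses/s on {machines} machine(s)")
            for p in POLICIES:
                secs = worst_case_seconds(p, rate, machines)
                print(f"  {p.name:<38}{p.keyspace():>28,}  {describe(secs)}")
```

The eight-character row reproduces the column's 32 days to one year for a single machine; the 16-character row shows why a passphrase of that length puts the same attack out of reach even for the 300-machine case.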
Security by Proxy
Another way to protect a password vault is to take it off the
desktop or PDA and put it on a special network appliance. Users connect
to this network appliance using a password, token
or biometric. The appliance then opens a second connection to the
service that the user wants. When the remote service requires authentication,
the appliance sends the user name, password and any other credentials.
Such a device is essentially a special-purpose security proxy that
understands and automates the procedure of logging in to remote systems.
There are many advantages to a security proxy. For starters, a
well-designed proxy is not susceptible to offline attacks because the
attacker never gets hold of the encrypted passwords. Instead, the
attacker is forced to perform an online attack—that is, submit each
guess to the proxy in the hope that one of them is correct. Any proxy
that's well written will detect this attack and, after a few dozen
attempts, refuse to accept further passwords from the attacker. One
example of a security proxy appliance is Network Vault by Cyber-Ark.
RSA Security's Enterprise Single Sign-On is another.
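The lockout behaviour the paragraph above expects of a well-written proxy, as an added example that is not code from Network Vault, RSA's product or the article. The 30-attempt threshold ("a few dozen"), the 15-minute lockout and the one-account credential store are assumed for illustration; the last function puts a number on how far throttling cuts the attacker's guess rate compared with the offline figures earlier in the column.

```python
"""Online-attack throttling of the kind the column expects from a well-written
security proxy. Added example, not code from Network Vault, RSA's product or
the article. The 30-attempt limit ("a few dozen"), the 15-minute lockout and
the sample credential store are assumed for illustration."""
import hmac
from collections import defaultdict

MAX_FAILURES = 30            # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long the proxy refuses all attempts for that account

class ProxyAuthenticator:
    """Front door of the proxy: stored credentials never leave it, so guesses arrive one at a time."""

    def __init__(self, credentials: dict[str, str]):
        self._credentials = credentials          # user -> password (toy store for the demo)
        self._failures = defaultdict(int)        # user -> consecutive failed attempts
        self._locked_until = {}                  # user -> clock time at which the lock expires

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'rejected' or 'locked'; `now` is the caller's clock in seconds."""
        if now < self._locked_until.get(user, 0.0):
            return "locked"                      # nothing is checked while locked, right or wrong
        stored = self._credentials.get(user, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
        return "rejected"

def online_guesses_per_day(max_failures: int = MAX_FAILURES, lockout_seconds: int = LOCKOUT_SECONDS) -> float:
    """Upper bound on guesses per account per day once the lockout is in force."""
    return max_failures * 86_400 / lockout_seconds

def demo() -> tuple[str, str, str]:
    """Constructed scenario: 30 wrong guesses, then the right password during and after the lockout."""
    secret = "long passphrase with spaces 42"                 # constructed sample credential
    proxy = ProxyAuthenticator({"alice": secret})
    t = 1000.0
    wrong = [proxy.attempt("alice", f"guess{i}", t + i) for i in range(MAX_FAILURES)]
    during = proxy.attempt("alice", secret, t + MAX_FAILURES)
    after = proxy.attempt("alice", secret, t + MAX_FAILURES + LOCKOUT_SECONDS)
    return wrong[-1], during, after

if __name__ == "__main__":
    print(demo())  # ('rejected', 'locked', 'ok')
    print(f"{online_guesses_per_day():,.0f} online guesses/day per account, against 86,400,000,000 offline at 1e6/s")
```

Because a per-account lock can be tripped by anyone who keeps guessing wrong, production proxies usually combine it with per-source throttling and alerting rather than relying on the account lock alone.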
The biggest advantage of security proxies is that they can exert a
great deal of control over the users who proxy through them. For
example, a security proxy can be programmed to log every command that's
typed—in order to deny certain commands from certain users—and to
automatically lock people out when they are fired. This capability is
especially useful for organizations that are looking for a systematic
approach to managing network equipment and other kinds of
telecommunications gear.
To be sure, some organizations have adopted alternatives to
passwords such as PKI (public-key infrastructure), hardware tokens or biometrics,
with the goal of integrating all systems within the enterprise to use a
single authentication infrastructure for desktop, network, e-mail and
intranet applications.
I'll talk about these password alternatives next month.
Simson Garfinkel, PhD, CISSP, is spending
the year at Harvard University researching computer forensics and human
thought. He can be reached via e-mail at machineshop@cxo.com.
Most Recent Responses:
I would explore the possibility of deploying a centralized password
vault system across the enterprise rather than deploying solutions which
are local. Some of the commercial vault solutions give the
functionality of changing passwords either after every use or after a
specified time period. Personnel who need privileged access can use the
vault to retrieve the password, go about doing their work, and once the
time expires or the password is used, it is changed by the vault on the
target system.
Tajeshwar
Consultant
HCL
I have experienced that there is a bank requiring users to change the
password of every system account once per month. If you were the user,
what would you consider to make it easier to memorize? A solution is to
write them down on paper and put it in their wallet. Sometimes, policy
and standards put too many restrictions on users, especially when we
could apply those rules based on system classification by criticality.
On the more positive side, I do suggest two-factor authentication;
however, in a corporation there are numerous and heterogeneous systems,
and it is a question how to integrate them, especially as the cost of
this kind of implementation is still high. Again, for cost
effectiveness, applying rules based on system criticality and educating
the users may make users' and employers' lives easier.
Anthony, Cheuk Tung, LAI
Chapter Leader
OWASP (Hong Kong Chapter)
Where does the future of biometrics stand these days, and are they
accessible from the market? Cost-effective security countermeasures is
the key word.
Siphilangaye C. Matsenjwa
Mr.
Central Bank of Swaziland
Other than biometrics, all authentication solutions commonly used rely
on passwords, either totally or in part. Even PKI and two-factor.
Locking accounts after a threshold of failed attempts, coupled with
password change periods, are the simplest and most cost-effective ways
to defeat dictionary attacks. Nothing will stop misuse of a compromised
password, other than perhaps physical security - not even two-factor or
PKI - regardless of how the compromise occurs. Although I personally
dread it, biometrics is the 'only' next step in user authentication.
Lyal
Lyal Collins
CSO
I've used GnuKeyRing for 3 years at least. It is quite handy. Better to
remember one long PW than having a handful that anyone can guess. Also
good for storing private information such as kids' SSNs and school info.
Derek Crager
http://Crager-Bartels.com/answers.html
Derek Crager
Realtor
Crager-Bartels.com