Passwords – no longer Passé

A while back, I blogged about passé passwords. Well, just when you think they are so "five minutes ago", there seems to be a resurgence. Last Thursday, the Wall Street Journal published a front-page article on passwords that mostly complained about them, but also highlighted the idea that Sarbanes-Oxley "requires" them (although, as they rightly point out, SarbOx does no such thing).

An excerpt:

How does the 28-year-old monitor of drug trials remember her passwords? Easy: They’re written on a blue Post-It note affixed to her computer.

Ms. Prior knows that her display threatens to undermine the very security that passwords are supposed to promote. "The IT people yell at me," she says, referring to her company’s information-technology staff. But she prefers the occasional scolding to the alternative: forgetting a password, guessing incorrectly three times, and then having to call for help.

A very instructive piece that highlights the problem – the more secure we make one potential hole, the more likely another one will open up. Still, I prefer yellow stickies to very weak passwords, but we’re talking about a sieve here.

Another piece in the Dallas-Fort Worth Star (archived at http://seclists.org/lists/isn/2004/Dec/0035.html) says that password security is too hard on users, then gives recommendations on being hard… or something. Even the article is torn over whether it is worth it.

In that previous blog posting, I talked about three different threats to consider related to the password issue. I have since grown that list to seven. Here are the seven, with commentary where needed:

  1. Social engineering the end user – whether automated, through phishing, or using the tried-and-true "I am from IT and need your password" phone call, users can be tricked. The best way to combat this: security awareness training, and single sign-on that also fronts a personal application (like the 401k site), so the password guards something the user personally cares about.
  2. Social engineering the help desk / tech support – the old irate-user routine is often enough to scare a password reset out of an entry-level temp working on a weekend. Protect against this with automated reset tools that validate identity, plus security awareness training for the help desk.
  3. Password sharing/stealing – those yellow stickies, people helping each other out while on vacation, and other sharing techniques. Protect against this using techniques similar to those for number 1.
  4. Password guessing / brute-force attacks – for some reason, this is the focal point for our energy regarding passwords. Certainly a risk, but I wouldn't pick it as the top compromise technique; for that, I would probably pick help desk social engineering (or an insider stealing from the help desk). This item also covers default-password attacks.
  5. Password sniffing – requires access to the network path, or to the origin or destination point of the login. Keystroke loggers are much more common now than they have been in the past, so this risk is higher on the end-user client than on the wire. Another open attack point is the public wireless access point, where an ID and password sent in the clear are much easier to capture.
  6. Compromise the password database. Windows used to make it pretty easy to grab the SAM file and take as much time as you needed to crack the hashes in it. (Not sure how hard it is anymore.) This technique brings the biggest prize with it. An extension of this technique, used to compromise credit card numbers, is the most common Internet-based attack against websites, and the reason for regulations like SB 1386 in California and many privacy regulations. Protect against this with proper password hashing (a per-user salt and a deliberately slow hash, so that a stolen database still costs the attacker one full computation per guess per account) and better access controls.
  7. Compromise the system on which the passwords reside. Simply attacking the platform may yield access to the passwords. Protect against this with a hardened platform.
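The following is an added example, not code from the original post, to make item 6 concrete: it contrasts a password database stored with an unsalted, fast hash (the situation that made a stolen SAM file such an easy target) against one stored with a per-user salt and a slow key derivation function. The wordlist, the three accounts and their passwords are constructed for the example, the iteration count is an assumed work factor, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for whatever slow hash a real system would use.

```python
import hashlib
import hmac
import os

# Constructed wordlist and account list for this example (not real data).
WORDLIST = ["password", "letmein", "welcome1", "summer2004", "qwerty"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune upward on real systems


def weak_store(password):
    """Unsalted, fast hash: equal passwords give equal digests, and one
    wordlist pass cracks every account in the dump at once."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_strong(password, salt, digest, iterations=ITERATIONS):
    """Recompute the KDF with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


def crack_weak(db, wordlist):
    """Offline dictionary attack on unsalted hashes: hash each word once,
    then look every stolen digest up in the table."""
    table = {weak_store(w): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}


def crack_strong(db, wordlist, iterations=ITERATIONS):
    """Same attack on salted PBKDF2 hashes. No shared lookup table is possible,
    so the attacker pays the full KDF cost once per (account, guess) pair.
    Returns the recovered passwords and the number of KDF evaluations spent."""
    found, kdf_calls = {}, 0
    for user, (salt, digest) in db.items():
        for w in wordlist:
            kdf_calls += 1
            if verify_strong(w, salt, digest, iterations):
                found[user] = w
                break
    return found, kdf_calls


def demo():
    """Build both kinds of database from the same constructed accounts and
    run the dictionary attack against each."""
    accounts = {"alice": "summer2004", "bob": "summer2004", "carol": "Tr0ub4dor&3"}
    weak_db = {u: weak_store(p) for u, p in accounts.items()}
    strong_db = {u: strong_store(p) for u, p in accounts.items()}
    return {
        "weak_collision": weak_db["alice"] == weak_db["bob"],
        "strong_collision": strong_db["alice"][1] == strong_db["bob"][1],
        "weak_cracked": crack_weak(weak_db, WORDLIST),
        "strong_cracked": crack_strong(strong_db, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the numbers make: against the unsalted database the attacker hashes the wordlist once and reads off every account that used one of those words, and two users with the same password are visible as such before any cracking starts. Against the salted, slow database the same wordlist has to be run separately for each account, so the work scales with accounts multiplied by guesses, and the work factor can be raised over time as hardware gets faster. Salting and slowness raise the cost of the "take as much time as you need" attack; they do not make a weak password safe, as alice and bob still fall to the wordlist.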

Finally, general monitoring and auditing of logins is an excellent way to protect the enterprise against all of these, since most of the seven leave a trace in the authentication logs.
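As an added example of that monitoring (not code from the original post), here is a small detector run over constructed sshd-style log lines. It raises three kinds of alert that map onto the list above: a burst of failures against one account from one source (item 4, the guessing attack that the three-strikes lockout in the Journal excerpt is meant to stop), a success that follows such a burst (either a guessed password or the forgetful user who finally got it right, and worth a look either way), and one source failing against many different accounts in a short window (the spraying variant that a per-account lockout never sees). The log lines, hostnames, addresses and user names are constructed; the window and thresholds are assumed values, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sshd/PAM-style log lines for this example (not from any real system).
SAMPLE_LOG = """\
Dec 06 09:00:01 host1 sshd[100]: Failed password for alice from 10.0.0.5 port 4001
Dec 06 09:00:02 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 4002
Dec 06 09:00:03 host1 sshd[102]: Failed password for alice from 10.0.0.5 port 4003
Dec 06 09:00:04 host1 sshd[103]: Failed password for alice from 10.0.0.5 port 4004
Dec 06 09:00:05 host1 sshd[104]: Accepted password for alice from 10.0.0.5 port 4005
Dec 06 09:10:00 host1 sshd[110]: Failed password for bob from 192.0.2.7 port 5001
Dec 06 09:10:01 host1 sshd[111]: Failed password for carol from 192.0.2.7 port 5002
Dec 06 09:10:02 host1 sshd[112]: Failed password for dave from 192.0.2.7 port 5003
Dec 06 09:10:03 host1 sshd[113]: Failed password for erin from 192.0.2.7 port 5004
Dec 06 09:10:04 host1 sshd[114]: Failed password for frank from 192.0.2.7 port 5005
Dec 06 09:10:05 host1 sshd[115]: Failed password for invalid user admin from 192.0.2.7 port 5006
Dec 06 09:30:00 host1 sshd[120]: Failed password for grace from 10.0.0.9 port 6001
Dec 06 09:30:30 host1 sshd[121]: Accepted password for grace from 10.0.0.9 port 6002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

Event = namedtuple("Event", "ts ok user src")
Alert = namedtuple("Alert", "kind user src")


def parse_log(text, year=2004):
    """Turn matching log lines into Events. Syslog timestamps carry no year,
    so the caller supplies one (assumed 2004 here); unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["result"] == "Accepted", m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=3, spray_users=5):
    """Sliding-window detection over time-ordered events. Each (user, source)
    pair and each source is alerted on at most once."""
    alerts = []
    fails = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    targets = defaultdict(dict)  # src -> {user: timestamp of last failure}
    flagged_keys, flagged_srcs = set(), set()
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.src)
        if ev.ok:
            # A success right after a flagged burst: guessed password, or a user
            # who was about to hit the lockout. Either way, someone should look.
            if key in flagged_keys:
                alerts.append(Alert("success_after_failures", ev.user, ev.src))
            continue
        dq = fails[key]
        dq.append(ev.ts)
        while ev.ts - dq[0] > window:  # drop failures that aged out of the window
            dq.popleft()
        if len(dq) >= fail_threshold and key not in flagged_keys:
            flagged_keys.add(key)
            alerts.append(Alert("brute_force", ev.user, ev.src))
        # Spraying: one source, many accounts, each tried only once or twice,
        # so no single account ever reaches the lockout threshold.
        seen = targets[ev.src]
        seen[ev.user] = ev.ts
        for stale in [u for u, t in seen.items() if ev.ts - t > window]:
            del seen[stale]
        if len(seen) >= spray_users and ev.src not in flagged_srcs:
            flagged_srcs.add(ev.src)
            alerts.append(Alert("password_spray", None, ev.src))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, alice's four misses followed by a success trips both per-account alerts, 192.0.2.7 trips the spray alert on its fifth distinct user, and grace's single mistake before logging in produces nothing. The thresholds are the interesting knobs: set the per-account one too low and the helpdesk call volume the Journal's Ms. Prior is avoiding becomes your alert volume; leave the spray check out and the attacker simply stays under whatever lockout count you chose.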