IAM – Passwords

The key point here is that passwords are expensive.  Does their expense provide sufficient protection?  An odd question since passwords are by far the most common credential that is used for authentication.

When I say they are expensive I mean for both the individual and for the organization.  For the individual their is a cost to managing their passwords.  A good password can be difficult to remember and good password practices mean that you will use different passwords for every separate user id you register for and you will change them on a regular basis.  The cost in time, effort and tracking to do that properly is one that most folks are not willing to invest.

For the organization the cost is in troubleshooting – education on good password policies, enforcing good passwords and resetting password that have been forgotten.

Good Passwords

So the goal of the password is to first make it very difficult to guess and second to make it too expensive to guess via brute force.  The best passwords are literally random strings using all available characters.  The longer such a string is the harder it is to crack.

But truly random strings are impossible to create and unlikely that a person will create them by hand. So we drop down to the next best thing.  We try and break the relationship between one character and the next.  We can measure this by coming up with methods to calculte the entropy of a string.

For instance, you can make password rules and assign each of them an entropy value – using a mix of upper case, lower case, numerals and special characters increases entropy.  Requiring that the password pass some criteria like not be equivalent to a dictionary word or contain information also in your credential or profile.  And we can make a rule for how much the length of a password contributes to its entropy.

Next we have to remember that no password in unbreakable.  Given an persistent attack an enough time even truly random permutations can eventually be guessed.  So finally we use our entropy measurement to put a determination of how frequently the password should be changed to a completely different string.

Practically what does this mean?  Well, getting a password generator is a good idea.  Let a good algorithm generate you password to try and get close to randomness.

I like to use KeePass.  In addition to generating passwords it can also store them and make them easy to use. Keepass Download

But you’ll still need some passwords outside of your password manager.  Like you password to access your desktop and you password manager.  Some ideas are to use a pass phrase instead of a password.  Or use this trick.

1) Choose a sentence of 8 – 12 words – Like ‘Todd is an incredibly suave, knowledgeable and witty dude.”

2) Break it down into its first letters: TIAISKAWD

3) Mix up the case and add some special characters and numerals: T1ai$KaWd

That should be fairly tricky to guess, but not too hard to remember provided your original sentence is straightforward. 🙂

Next whether you are required to or not, change your password on a regular basis.  And use different passwords for different purposes so that if one gets compromised you aren’t at such a high risk.  if you ignore everything else, please at least use different passwords for facebook and your banking.  It is only a matter of time before facebook exports your credentials to other apps.  Oh wait, they’ve already done that!

Password Management

First, education is paramount.  Your users will hate passwords.  They will use the worst, easiest to remember passwords they can get away with.  They will write them down.  They will share them with their co-workers, spouses and pets.  They will put them in e-mails and IMs and send them through your network.  When they change them, they will try and use the same password again with a tiny modification.

Next educate your support desk and operational staff.  They must never ask for a password.  And when it is offered to them they need to stop the user before they say it.

Deploy a user self service tool to allow users to reset their own passwords.  When a user calls the Service Desk to get their password reset, ask them why they aren’t using the tool.  Improve the tool so it actually gets used.

Spend time thinking about how you will authenticate a user when they call to get their password reset.  The usual method is a question and answer dialogue.   These suck for a number of reasons:

  1. If someone has social engineered a password out of your user, they can probably do the same with their answers to the script.
  2. The answers are far easier to guess than a password.  They are usually words with a very low entropy.
  3. A user can just as easily forget their answers.  So you still need anther backup method.

Consider other methods as well.  Transmit a one time password to their e-mail (with a short time-out).  Call their voice mail and leave the new password there – their voice mail password is then an authentication method.  Use SD known private information about the user such as an employeeID, or commencement date, etc.  Get someone who is able to authenticate to vouch for them – like a supervisor.

Determine if you want to use a password lockout scheme.  Remember this guarantees a service desk call.  It is better to not use one.  You will then need another method of determining if your passwords are being attacked.

Deploy a password management app like KeePass.  You can’t stop them from using sticky notes, but if they have a good alternative, they will use sticky notes less.

Ensure that all passwords get changed on a regular basis.  This includes service accounts and privileged accounts – especially those.  Note the cost of changing such passwords can be high.

Ensure the passwords are stored so that even your admins can’t read them.  Normally this means a one-way hash function.  If your admins want to crack passwords make them work for it.  They are more likely to leave an audit trail that way.

Don’t use shared accounts.  A secret isn’t a secret anymore once two people are in on it.

Remember your entire system is only as strong as the weakest password.  Design your applications and infrastructure accordingly.  Separate roles using authorization and limit severely the number of privileged IDs.

If you don’t have any other backup strategy at least have a tested plan for restoring passwords.  Corrupting your password store can be very bad.

Why Passwords Suck

You will always have a constant trade off between the strength of your passwords and the cost to maintain them.  If they are strong then either users will forget them or write them down.

Remember that your users will always use the worst passwords they can get away with.  If password1 is a valid password on your system, someone is using it today.

Regardless of your password policy, they will remain vulnerable to social engineering and phishing.  Even the most savvy user can get phished… cf Tech Commentator gets Phished

So consider using other authentication methods as well.  Maybe we can talk about those another time.


5 thoughts on “IAM – Passwords

  1. Dano says:

    Talk about these ‘Security Images’. I have several things that require I pick a security image on login. The problem I see is that there are 4 pages of images but they only show one page when I login with my image always on the first page . . and they change. It would not take long for a hacker to eliminate the non-repeaters.

    • I’ve never run across those.

      I don’t think you are talking about captcha images – these are only intended to prevent bots from registering and making comments.

      You are right – they would not prevent an attacker at all – based on your description. With monitoring in place, you could spot someone making repeated tries.

      But I’d be concerned that the entropy is just too low. Someone has a very good chance of just guessing right on their first try. How many picture on a page? I’m guessing maybe 25? 100 tops? A two character password has more entropy.

      • Dano says:

        Like a dozen per page! After the password, I get a ‘welcome phrase’ then the pictures. I think the welcome phrase is to prevent phishing, but I’ve never got the picture thing. Next time I’m over I will log into my bank on your computer just to show you. Ohhh how about I post my user name and password here and you can just check yourself 🙂 (the stupid things people do).

  2. […] did a post on password management before.  It is one specific attribute of user and some resource objects.  It an be thought of as a […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s