The biggest problems with passwords are that they are easily forgotten, easily learned by others and often easily guessed.
Unless proper precautions are taken, password security is easily broken. In the early 1980s film War Games, a teenage hacker broke into a computer that controlled the U.S. missile defense system. Although the film was fiction, the techniques used are common. In the film, two programs were used: one to dial phone numbers and locate modem tones, and another to repeatedly try commonly used login names and passwords. With nearly everything now connected to the internet, the war dialer is no longer needed; brute-force and password-guessing tools are freely available on the web and are easy to write.
Things are not as hopeless as they seem, however. There are several methods that can be used to increase password security on a network.
Easy-to-Guess Passwords. To prevent passwords from being easy to guess, they should not contain:
• Any portion of the user's name
• Any portion of a family member's name
• The name of the user's pet or the make or model of his or her car
• Any keyword of the user's job or function, like "entry" or "finance"
• Any known interest of the user, like "bicycles" or "49ers"
Forced Password Changes. Many network operating systems allow you to force users to change their passwords periodically. The major benefit is that if one user learns another user's password, it is only valid for a limited period, which limits the exposure from a breach. On the downside, when people are forced to change their passwords they often forget them or write them down, and when they write them down they usually do so in a place that is easy to find, such as a piece of paper in the top desk drawer or taped to the front or side of the monitor.
If you are going to implement forced password changes, keep the time periods reasonable. (Two days is probably too short, and two years is definitely too long.) Thirty days is probably a minimum, and 60 or 90 days is more reasonable in most circumstances. Note that current NIST guidance (SP 800-63B) goes further and recommends not forcing routine periodic changes at all, requiring a new password only when there is evidence of compromise, precisely because of the write-it-down behaviour described above.
Non-Dictionary Words. In his book, The Cuckoo's Egg (Pocket Books), Cliff Stoll recounts the story of a West German hacker who was breaking into U.S. Government computers and selling information to the Soviet Union. One of the methods he used was to download a system's password file, in which each password is stored as a one-way hash, then run every word of an English-language dictionary through the same hash function and compare the results against the file. If a user's password was in the dictionary, the cracker had that user's account. Although not all operating systems make their password files so easy to read, a stolen password database is attacked in exactly the same way today, so it is still a good idea to have users avoid passwords that are in the dictionary.
Non-Alpha Characters. One easy way to create passwords that are difficult to guess, easy to remember and long enough to be difficult to break is to use two short words separated by a non-alpha character. Here are some examples:
WHAT?FOR
CLUB$T1E
GOOD%FRIEND
CROSS#$TICK
Most systems now offer methods for enforcing password complexity: a new password is checked on creation against rules such as containing both upper- and lower-case letters, including at least one numeric digit, and including at least one special character such as $ or %.
Setting a Minimum Password Length. Passwords that are too short are easy to break, while passwords that are too long are difficult to remember. Passwords should therefore be short enough to remember but long enough to be difficult to break. There are a couple of factors to consider. If you have implemented forced periodic password changes, you may want a shorter minimum password length. If you use the two-short-words-and-a-non-alpha-character approach, you can afford a longer minimum. In any case, a minimum length of between eight and twelve characters should suffice in most circumstances; treat eight as the floor.
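The following Python is an added example, not code from the original article, that turns the selection rules above (no personal information, no dictionary word, a minimum length, a mix of character classes) into a single check a system could run when a password is created. The user profile, the word list and the sample passwords are constructed for the demo; the "three of four character classes" threshold, the minimum fragment length and the substitution table are this example's own assumptions.

```python
"""Password-selection checks, as an added example (not the article's own code).

Implements the article's rules: no fragments of the user's name, family, pet,
car, job keywords or interests; not a dictionary word (even after the usual
digit/symbol substitutions); a minimum length; and a mix of character
classes.  The profile, word list and sample passwords are constructed.
"""
import re

# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = {"what", "for", "club", "tie", "good", "friend", "cross", "stick",
              "bicycles", "finance", "entry", "password", "summer"}

# Constructed profile: name, family member, pet, car, job keywords, interests.
PROFILE = ["Alice", "Fernandez", "Bob", "Rex", "Honda", "Civic",
           "finance", "entry", "bicycles", "49ers"]

MIN_LENGTH = 8       # the article's lower bound
MIN_CLASSES = 3      # assumption: three of upper/lower/digit/special
MIN_FRAGMENT = 3     # assumption: ignore personal-info substrings shorter than this

# Common substitutions people use to smuggle a dictionary word past a filter.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def normalise(password):
    """Lower-case, undo the substitutions above and keep only the letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def personal_fragments(profile, min_len=MIN_FRAGMENT):
    """Every substring of length >= min_len of each profile term, lower-cased."""
    frags = set()
    for term in profile:
        t = re.sub(r"[^a-z0-9]", "", term.lower())
        for i in range(len(t)):
            for j in range(i + min_len, len(t) + 1):
                frags.add(t[i:j])
    return frags


def check_password(password, profile, dictionary=DICTIONARY,
                   min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    lowered, norm = password.lower(), normalise(password)

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = [re.search(r"[A-Z]", password), re.search(r"[a-z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password)]
    if sum(c is not None for c in classes) < min_classes:
        problems.append(f"fewer than {min_classes} of the 4 character classes")

    # Whole-password dictionary check, before and after undoing substitutions.
    if lowered in dictionary or norm in dictionary:
        problems.append("dictionary word")

    hits = sorted(f for f in personal_fragments(profile)
                  if f in lowered or f in norm)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits[:3]))
    return problems


if __name__ == "__main__":
    # Constructed samples: the article's two-words-and-a-symbol style, a
    # substituted dictionary word, personal data, too short, and all of the above.
    for sample in ["Good%Friend", "Club$T1e", "P@ssw0rd", "Alice2024!",
                   "Xq7!", "finance99"]:
        verdict = check_password(sample, PROFILE) or ["ok"]
        print(f"{sample:12s} {'; '.join(verdict)}")
```

The substitution table is what makes the dictionary check useful in practice: "P@ssw0rd" normalises back to "password" and is rejected, while the article's "Club$T1e" normalises to "clubstie", which is not a word, and passes. The personal-information check deliberately works on substrings rather than whole words, so "Alice2024!" is caught by the fragments of the user's first name.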
Password Encryption. There are two places a password needs protecting: where it is stored, and while it travels across the wire. Both matter. Stored passwords should not be kept in any reversible form, but as one-way hashes, so that nobody, not even a system administrator, can read them back (see Non-Dictionary Words, above). This lets a user reuse a password on different systems without fear that the administrator of one system will learn the password for another. A hash alone does not stop the dictionary attack described above, though: each stored hash should also carry a unique random salt, so that an attacker cannot hash the dictionary once and test it against every account, and should use a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) so that every guess costs real time. Across-the-wire encryption means the password is encrypted during the login process before it leaves the client, today usually by carrying the whole login over TLS or by using a challenge-response scheme, so that someone with a protocol analyzer (a packet sniffer) on the network cannot capture it. Most network operating systems support both methods of encryption.
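As an added example, not the article's own code, the following Python shows both halves of the stored-password point: a salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256 from the standard library; scrypt or Argon2 are stronger where available) with a constant-time verify, next to the kind of unsalted, fast hash that the dictionary attack described under Non-Dictionary Words exploits. The user names, passwords and word list are constructed, and the record layout `pbkdf2_sha256$iterations$salt$digest` is this example's own convention.

```python
"""Stored-password protection, as an added example (not the article's code).

Contrasts an unsalted fast hash, which one pre-computed dictionary table
breaks for every account at once, with a salted, slow PBKDF2 record that
has to be attacked one account and one guess at a time.  User names,
passwords and the word list are constructed for the demo; the record
layout is this example's own convention.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP's current floor for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)                      # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # never plain ==


def unsalted_fast_hash(password):
    """Deliberately weak storage for the contrast: no salt, one fast hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(password_file, wordlist):
    """One table of hashed words cracks every account that used one of them."""
    table = {unsalted_fast_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in password_file.items() if h in table}


def dictionary_attack_salted(records, wordlist):
    """No shared table is possible: each (account, word) pair costs a full PBKDF2 run."""
    cracked = {}
    for user, record in records.items():
        for word in wordlist:
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    words = ["password", "summer", "letmein", "dragon", "hunter2"]  # constructed
    legacy = {"alice": unsalted_fast_hash("summer"),
              "bob": unsalted_fast_hash("summer"),   # same hash as alice: reuse is visible
              "carol": unsalted_fast_hash("Club$T1e")}
    print("unsalted:", dictionary_attack(legacy, words))

    # Low iteration count only so the demo finishes quickly; keep ITERATIONS in production.
    modern = {user: hash_password(pw, iterations=2_000)
              for user, pw in [("alice", "summer"), ("bob", "summer"), ("carol", "Club$T1e")]}
    print("salted:  ", dictionary_attack_salted(modern, words))
    print("verify:  ", verify_password("Club$T1e", modern["carol"]),
          verify_password("club$t1e", modern["carol"]))
```

Two things are worth noticing when this runs. In the unsalted file, alice and bob have identical hashes, so an attacker learns they share a password before trying a single guess, and one table built from the word list cracks both. In the salted records the same two passwords produce different strings, and the attacker's cost becomes accounts multiplied by guesses multiplied by the iteration count, which is the whole point of salting and of a slow hash.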
Supervisor-Level Passwords. If more than one user needs supervisor-level access to a file server, give each of them a supervisor-level account rather than having them share a supervisor password. These accounts should also be separate from their day-to-day login accounts used for email and ordinary work. This gives you a better audit trail and makes it easier to change rights or a password for one person without affecting the others.
Written Password Policies. If you don't have a written password policy, you might consider implementing one. It should discuss the importance of maintaining the confidentiality of passwords and provide guidelines for selecting passwords.