July 2, 2010
By: Sixto Ortiz Jr.
Even though technology has changed by leaps and bounds since the dawn of the computer age, the humble password continues to endure as a cornerstone of computer system security. There are very few systems or applications today, if any, that don’t feature the use of passwords as a means to verify identity and provide protection from unauthorized access.
But, even though passwords are such a critical element of the computing security arsenal, the fact is many users unwittingly compromise their personal and work security by neglecting to practice sound password management techniques. Read on to learn more about effective techniques for improving user passwords and buttressing the security of critical business systems.
Make it Tough to Crack
This may seem hopelessly obvious, but it merits repeating: Users who choose strong, cryptic passwords are much less likely to have their security compromised than those who simply choose their first name followed by a couple of numbers (such as the year of their birth) or some other convenient and easy-to-remember character sequence. In fact, the best passwords feature long sequences of random characters.
With today’s computers, passwords that are eight characters or less are breakable by brute force in a few hours, says Slavik Markovich, chief technology officer at Sentrigo, now a part of McAfee. So, a strong password must feature at least eight random characters, preferably more. But, herein lies the nature of the eternal password conflict: How can users be expected to constantly memorize long strings of random characters?
Markovich recommends that users create passwords using phrases from favorite books. For example, the phrase “one ring to rule them all, one ring to find them” can be used to construct the password “oR2rta0r2ft.” The key is to use something that is familiar and understood to create something random and difficult to crack via a brute force attack.
An overwhelming aspect of password security for many users is the simple fact that nowadays, just about every application, Web site, or system a user needs access to requires some sort of password. Long gone are the days when enterprise users only had to remember three or four passwords; now, it is not at all uncommon to find even casual computer users juggling numerous passwords. Thankfully, there are a number of technologies that can ease the password burden for enterprise users.
An example of these technologies is SSO (single sign-on). With SSO, users are required to create and remember only one password that is then used to grant access to whatever systems they need access to. A key advantage to this approach, says Phara McLachlan, CEO of Animus Solutions, is it limits the number of passwords users have to remember.
Another approach is via the use of password managers, says Owen Rubin, a private security specialist. These are applications that generate random secure passwords and then lock them in an encrypted file that is protected via a password set up by the user. Thus, users can generate as many strong passwords as needed yet only need to keep up with one password.
Other technological solutions include the use of single user repository stores—such as Active Directory—for password management and two-factor secure ID authentication, McLachlan says.
James Litton, CEO of Identity Automation, says administrators must require strong passwords and enforce their use throughout the organization using technology. Users, Litton says, must be educated to understand the fact that “strong” does not have to mean “hard.” Administrators should encourage users to use words that mean something to them—but not the names of family members or pets—and use a technique to replace certain letters with symbols or numbers so the user can more easily remember the password, he adds.
The key, Litton says, is to find a technique for generating passwords and stick to it. For example, a user may always capitalize the first or last letter of a word, or choose to always capitalize the vowels. Litton also recommends that administrators encourage users to treat passwords like they treat their underwear: change them often and don’t leave them lying around. Even though there is plenty of debate over the effectiveness of requiring regular password changes, administrators must require that users regularly change passwords. This is effective because change will thwart the efforts of an intruder who has gained access to a compromised system, Litton says.
Deny the Defaults
Many applications automatically create accounts during their installation process, and in some cases provide default passwords, Markovich says. In their haste to quickly deploy a system, he adds, administrators will often accept these defaults, leaving the door wide open for anyone with experience installing these tools to gain access to a system using the default username/password combination.
So, policies should be in place that explicitly prohibit the use of these defaults during system installation, Markovich says. And, he adds, vulnerability scanners should be used to test the underlying databases of critical applications for default accounts.
Even then, critical applications may not be entirely safe. Even though some applications require that administrators define a minimum password length and require the use of numbers, special characters, or mixed cases, many do not. Markovich recommends that vulnerability assessments be run regularly for applications that are used to store sensitive data and don’t force the use of strong passwords, so weak passwords that are vulnerable to compromise using dictionary-based and brute-force techniques can be identified and corrected.
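The kind of assessment described in this section, as an added example that is not from the article or from any vendor's scanner: it checks an exported account table for default and dictionary passwords by re-deriving each candidate with the account's own salt. The PBKDF2 scheme, the account names, the default-credential list and the word list are all constructed assumptions.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # constructed value, kept low so the example runs quickly

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the application's own scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed samples. A real audit would load the defaults documented for
# the installed products and a full dictionary.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("guest", "guest"), ("test", "test")}
DICTIONARY = ["password", "letmein", "welcome1", "qwerty"]

def make_account(user: str, password: str, salt: bytes) -> dict:
    """Build one row of the constructed account table."""
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}

# Constructed account table, as an auditor might export it from the
# application's database (user name, salt, stored hash).
ACCOUNTS = [
    make_account("admin", "admin", b"salt-01"),         # installer default left in place
    make_account("jsmith", "welcome1", b"salt-02"),     # dictionary word
    make_account("guest", "T7#kq9!vLm2x", b"salt-03"),  # default account, password changed
    make_account("mlopez", "oR2rta0r2ft", b"salt-04"),  # phrase-derived password from the article
]

def audit(accounts):
    """Return (user, finding) pairs for accounts with default or dictionary passwords."""
    findings = []
    for acct in accounts:
        def matches(candidate, acct=acct):
            digest = hash_password(candidate, acct["salt"])
            return hmac.compare_digest(digest, acct["hash"])
        # Only test the defaults that belong to this account name.
        defaults = [pw for user, pw in DEFAULT_CREDENTIALS if user == acct["user"]]
        if any(matches(pw) for pw in defaults):
            findings.append((acct["user"], "default password still set"))
        elif any(matches(word) for word in DICTIONARY):
            findings.append((acct["user"], "dictionary password"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS):
        print(f"{user}: {finding}")
```

Accounts that appear in the findings are the ones to force through a password reset; the `guest` and `mlopez` rows show that a default account name or a memorable phrase is not flagged once the password itself is neither a default nor a dictionary word.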