As I have already mentioned, I have worked for a variety of different companies. Each one has had its own policy on account passwords, and those policies have been as varied as the companies themselves. Most have not been very secure at all.
One good example of this always comes to mind when I talk to people about account passwords. About 14 years ago I worked for (contracted with) a well known company in Ohio, that also happens to have one of the largest repositories of legal information in the world. My position within the company was along the lines of desktop support, where we would get assigned support tickets to fix users' problems. Our performance was measured mostly on the number of tickets completed and how long each support ticket stayed open.
Invariably there would be times where I would arrive at a user's desk to fix some problem, only to discover they had left for an extended lunch (Executives were great for this) or had taken a few days off from work. As luck would have it, it was also extremely likely that the support ticket had something to do with the user's profile on their computer (a "profile" is all the settings on a computer that pertain to that particular person, such as the wallpaper or screensaver they have chosen). This meant that without being on the computer as that user, the problem could not be fixed, the ticket would remain open, our (my) performance level would go down (kind of a crappy way to do things, but it was what it was), and if cuts came, well you know the story.
To solve this problem I would immediately turn the keyboard over and look for a little piece of paper taped to the bottom of it containing the user account password. About 50% of the time, it was there. The little pull out writing tables that are part of some desks were another great place to look. And when all else failed I would open their picture frames on their desk and find their children's names. I had about a 90% success rate in getting into the computer as the user. Pitiful.
Nowadays I would verbally reprimand myself for doing that. I would write up (or outright fire) the user. My, how times have changed. Except they haven't. I no longer "hack" into user accounts in this manner, but far too often those user passwords are still written down someplace on that desk. The excuses are always the same, "I have too many passwords to remember" or "IT makes me have too difficult of a password to remember." Well, I have a solution.
The first part is to forget about passwords. Passwords suck. Passwords are like relatives you have to visit, but go into convulsions at the sight of. Passwords are so 1990s. For you retro-people, that is not a good thing. Instead of passwords, passphrases are the way to go. It is one of those new industry best practices, and it is a smart one.
A password is a bunch of letters and numbers thrown together to let you log onto the computer. In order to increase security, IT departments have required that passwords be a set minimum length and contain a certain level of complexity (usually something like it must contain one uppercase letter, one lowercase letter and one number or other symbol. Sound familiar?). Users write these down. Passwords are bad.
A passphrase is a phrase or sentence that is easy to remember. It is easy to create a passphrase that meets any complexity requirement. Users do not need to write down passphrases. Passphrases are good.
Here's an example of the difference between a password and a passphrase. For this example let us say that the "password" must be at least 10 characters long and contain at least one uppercase character, one lowercase character, one number and one symbol. Relatively complex and, on paper, difficult to brute force (brute forcing is trying combinations of characters against a password until the right one is found; more on that in a minute).
For our password we have: Id10t.Error
For our passphrase we have: Mydaughteris17yearsold.
Which is easier to remember? The first has 11 characters, the second 23; yet the second is easier to remember for any parent. Many systems even allow spaces, which makes typing a passphrase much the same as typing a sentence. The second is also far more costly to brute force: every extra character multiplies the number of combinations an attacker must try, so doubling the length squares the work rather than doubling it. One caveat that follows from my keyboard-flipping days: a passphrase built from facts about you (your daughter's age, the names in the picture frames on your desk) is strong against a cracking program but weak against a person who knows you, and so is a famous quotation or song lyric, which cracking tools also try. Pick a sentence only you would say, and the range of possible passphrases is so vast that simply guessing it is hopeless.
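To put numbers on the comparison, here is an added example (mine, not part of the original post) that checks both samples against the policy above and estimates the cracking work two ways: an exhaustive character-by-character search, which is what the length argument relies on, and a word-by-word search by an attacker who assumes the passphrase is a sentence. The guess rates, the 20,000-word dictionary and the decomposition of the passphrase into five words plus a number and a symbol are assumptions for illustration, not figures from the post.

```python
import math
import string

# The policy used in the comparison above: at least 10 characters, with at least one
# uppercase letter, one lowercase letter, one digit and one symbol.
MIN_LENGTH = 10
SYMBOLS = string.punctuation  # the 32 printable ASCII symbols

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS), "space": 1}


def character_classes(secret: str) -> set:
    """Which character classes appear in the secret."""
    classes = set()
    for c in secret:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in SYMBOLS:
            classes.add("symbol")
        elif c == " ":
            classes.add("space")
    return classes


def meets_policy(secret: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the secret satisfies the complexity rules described in the text."""
    required = {"lower", "upper", "digit", "symbol"}
    return len(secret) >= min_length and required <= character_classes(secret)


def bruteforce_bits(secret: str) -> float:
    """Work for an exhaustive search over every string of the same length drawn from the
    same character classes, expressed as log2 of the number of candidates."""
    alphabet = sum(CLASS_SIZES[k] for k in character_classes(secret))
    return len(secret) * math.log2(alphabet)


def dictionary_bits(num_words: int, dictionary_size: int, extra_bits: float = 0.0) -> float:
    """Work for an attacker who assumes the passphrase is `num_words` words from a list of
    `dictionary_size`, plus `extra_bits` for any digits or symbols.  A rough model (assumed)."""
    return num_words * math.log2(dictionary_size) + extra_bits


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    ONLINE_RATE = 3 / 3600   # what a 3-failures-per-hour lock-out allows at the login screen
    OFFLINE_RATE = 1e10      # assumed: a small GPU rig against a fast, unsalted hash
    for secret in ["Id10t.Error", "Mydaughteris17yearsold."]:
        bits = bruteforce_bits(secret)
        print(f"{secret!r}: policy={meets_policy(secret)} len={len(secret)} "
              f"brute-force={bits:.1f} bits, "
              f"online={years_to_exhaust(bits, ONLINE_RATE):.2e} y, "
              f"offline={years_to_exhaust(bits, OFFLINE_RATE):.2e} y")
    # The same passphrase seen by an attacker trying word combinations instead of characters:
    # five words from a 20,000-word list, a two-digit number (log2(100) bits), one symbol (5 bits).
    print(f"dictionary model: {dictionary_bits(5, 20_000, math.log2(100) + 5):.1f} bits")
```

Run it and the two models tell the story: by characters the passphrase is about 150 bits of work against 72 for the password, but an attacker who treats it as five common words plus a number and a symbol is looking at a little over 80 bits. That is still better than the password and still far beyond what three guesses an hour can reach, but against that attacker it is length in words that counts, not length in characters, so adding another word helps more than adding another symbol.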
Now a word on cracking passwords. There are a few ways to get a password. The most common is for the user to tell you, either directly or by writing it down. Guessing, outright or educated, is second on the list and nearly as easy. Cracking comes last (other methods exist, but these are the most common). Cracking is generally done using brute force attacks, so named because, like a physical assault, the would-be hacker just keeps pounding at the possibilities until security gives way. A variation (some consider it a different thing entirely) is the dictionary attack, where whole words are thrown at the password, alone or in combination; in my opinion it still qualifies as brute force. Note that cracking is normally done offline, against a stolen copy of the stored password hashes, rather than by typing guesses into the login screen; that distinction matters for the defenses discussed later.
Brute force attacks are done with specialized programs: the attacker sets a few parameters, such as minimum and maximum length and which character sets to use, and the program does the rest, trying combinations in sequence (aaaaaa, aaaaab, aaaaac, and so on) until one works. The time this takes depends on the number of possibilities, which is the size of the character set raised to the power of the length. The narrower the password requirements, the shorter the attack. The fewer characters in the password, the shorter the attack. The fewer types of characters in the password, the shorter the attack. Dictionary files, and rules that mangle dictionary words the way people do (capitalize the first letter, add a digit and a symbol at the end), cut the time further, because most human-chosen passwords fall into those patterns. And to top it off, each year computers get faster, and modern cracking runs on graphics cards that try billions of guesses per second against common hash formats, so the same password takes less time to crack than it did last year.
After touting passphrases over passwords I present the doom and gloom. Bad, bad Andrew. There is good news though, I promise. The first piece of good news is that if you read back you will see that brute force attacks are third on my list of methods for gaining someone's password. That means that the other two items are far more likely. Using complex (containing numbers and letters with a minimum set length and no, or very high, maximum length) passphrases over passwords greatly reduces the likelihood of a person ever guessing a password. Passphrases, as mentioned, also increase the likelihood of a user remembering their password, and as such greatly reduce the likelihood of someone finding it written down.
That leaves one further part from the list of the three methods: telling people your password. Don't do it. Not ever. Never ever. Your passphrase is yours and yours alone. Do not, under any circumstance, tell anyone your passphrase. Not your spouse, not your manager, not the CEO of the company, and especially not someone from IT. People always try to tell me their passwords. I make loud noises and cover my ears until they stop, and then proceed to tell them that they are trying to do something bad. No one, let me repeat, no one needs your password but you. In the unlikely event that someone someplace needs access to your account, IT can reset your password. The beauty of this is that it leaves an audit trail showing that someone changed your password, and you will know it has been changed because your old one stops working.
Returning to the doom and gloom of brute force attacks, there is more good news. Changing your passphrase on a fairly regular basis, at least once every 60 days and preferably 30, limits the damage. When you change it, do not go back to one you have used before, at least not for a year or two. The reason? If a passphrase is compromised (meaning you told someone who called up and said they were from IT), it is only good until the next change; then poof, it is a new passphrase. The same goes for a cracked one: the cracking program does not lose its progress when you change the passphrase, but whatever it finds is worthless once the change is made. IT personnel should set these options in their systems to force regular changes and to reject recently used passphrases. One caveat: current guidance (NIST SP 800-63B) recommends changing a passphrase when there is reason to believe it is compromised rather than on a fixed schedule, because people who are made to change too often fall into predictable patterns (the same phrase with a number bumped each time), so set the interval with that in mind.
The last note on passphrases is for the IT persons out there: set an automatic failed-attempt lock-out. Huh? Almost all systems that use passwords have a setting that locks a user account if the wrong password is entered X times within a given period, and on many systems the lock-out can be set to expire on its own after a set time. A reasonable setting is a one-hour automatic lock-out after 3 failed attempts. That caps an online guessing attack against the login screen at three guesses an hour, and at that rate exhausting the possibilities takes many, many lifetimes. Two caveats. First, the lock-out does nothing against cracking done offline against a stolen copy of the password hashes, which is where a long passphrase earns its keep. Second, a lock-out can be turned against you: an attacker who knows (or can guess) user names can lock everyone out on purpose, and can sidestep the per-account limit by trying one common password against many accounts instead of many passwords against one ("password spraying"), so watch for failures spread across accounts as well as failures piling up on one.
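Here is what that lock-out looks like in code, as an added example written for this page (not from the original post or any particular product). It keeps a sliding window of failed attempts per account, locks the account for an hour after three failures, expires the lock automatically, and checks the lock before the passphrase so that a locked account rejects even the correct one. The account store, the fixed salt and the user "alice" are constructed for the example, and PBKDF2 hashing stands in for whatever the real system uses; the manual clock exists so the hour can be skipped when running it.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque


class ManualClock:
    """A clock advanced by hand, so the lock-out can be exercised without waiting an hour."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LockoutPolicy:
    """Lock an account after `max_failures` failures within `window_seconds`; the lock
    expires on its own `lockout_seconds` later (defaults: 3 failures, one hour)."""

    def __init__(self, max_failures=3, window_seconds=3600, lockout_seconds=3600, clock=time.time):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is not None and self.clock() < until:
            return True
        self._locked_until.pop(user, None)   # expired lock: clear it automatically
        return False

    def record_failure(self, user):
        """Note a failed attempt; return True if it triggered a lock-out."""
        now = self.clock()
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            recent.clear()
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)

    def max_online_guesses(self, seconds):
        """Upper bound on guesses against ONE account in `seconds`: the attacker either
        trips the lock every cycle or stays one failure under the threshold per window."""
        tripping = seconds * self.max_failures / self.lockout_seconds
        under_threshold = seconds * (self.max_failures - 1) / self.window_seconds
        return round(max(tripping, under_threshold))


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed for the example: one account and a fixed salt.  Real code draws a random
# salt per user (os.urandom) and stores it beside the hash.
_SALT = b"example-fixed-salt"
USERS = {"alice": _hash("Mydaughteris17yearsold.", _SALT)}


def attempt_login(policy, user, supplied):
    """Return 'locked', 'ok' or 'failed'.  The lock is checked before the secret, so a
    locked account rejects even the correct passphrase until the lock expires."""
    if policy.is_locked(user):
        return "locked"
    candidate = _hash(supplied, _SALT)  # hash even for unknown users, so timing is uniform
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(candidate, expected):
        policy.record_success(user)
        return "ok"
    policy.record_failure(user)
    return "failed"


def demo():
    """Three wrong guesses, then the right passphrase while locked, then again after expiry."""
    clock = ManualClock()
    policy = LockoutPolicy(clock=clock)
    outcomes = [attempt_login(policy, "alice", g) for g in ("Id10t.Error", "Password1!", "letmein")]
    outcomes.append(attempt_login(policy, "alice", "Mydaughteris17yearsold."))  # correct, but locked
    clock.advance(3601)                                                         # lock has expired
    outcomes.append(attempt_login(policy, "alice", "Mydaughteris17yearsold."))
    return outcomes


if __name__ == "__main__":
    print(demo())
    print("max online guesses per year under 3/hour lock-out:",
          LockoutPolicy().max_online_guesses(365 * 24 * 3600))
```

The `max_online_guesses` figure is the point of the exercise: with the suggested settings one account can absorb at most 26,280 guesses a year, which is nothing against even the 11-character password. Note that the policy is keyed by user name, which is exactly what makes it usable for a deliberate lock-out of other people's accounts; a production system would also rate-limit by source address and alert on failures spread across many accounts.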
To sum things up, here is the simplified version of all the junk above. Learn it. Live it. Love it.
1. Use passphrases instead of passwords.
2. Ensure your passphrases contain both upper and lower case characters, as well as numbers. Symbols are also good.
3. Never write your passphrase down anywhere.
4. Never tell anyone your passphrase.
5. Change your passphrase at least once every two months, preferably once a month.
6. Do not reuse a passphrase for at least a year.
7. For IT: Automatic account lock-outs are your friend.
There. You have your 20 minutes of security work for the week. And it didn't even cost you a dime, imagine that. Next up we'll move out to the network perimeter and start working our way in. Stay tuned for Part 3 - Firewalls. Until then, be safe.