Simon Denman

Member Article

Top 5 tips on passwords

Simon Denman, marketing director at NETASQ, gives his top 5 tips for an effective password policy.

In just the past few days another password breach has hit one of the biggest cloud storage services, Dropbox, which admitted that spammers had got hold of some of its users’ email addresses and passwords and used them to send spam. Only a few weeks earlier, some 6 million password hashes were stolen from LinkedIn.

Today, the most popular recommendation for password security is to make users change their passwords every 60 or 90 days. The response is usually pretty acerbic: users memorise a password over time, resent having to replace it again and again, and find it ever harder to come up with word and number combinations that are easy to remember.

But is forcing a password change the only effective measure? This is a hot topic of debate within the information security community, and the answer isn’t clear-cut.

What is the purpose of a 90-day period?

The aim of authenticated access is to ensure that only the authorised person can reach a particular resource. The purpose of changing a user’s password every 90 days is to shorten the window in which a compromised password can be used to impersonate its owner. The duration is sometimes justified by the time it takes to recover a password by cracking its hash. The top 30 passwords found in LinkedIn’s database show that, unfortunately, a well-developed cracking program needs mere minutes, not months, to recover passwords like these, so a 90-day window offers little protection against them. Furthermore, a user cornered into changing his password against his will ends up creating workarounds: choosing passwords that are easier to memorise (and therefore weaker), or worse, writing them down on physical media, the notorious “post-it effect”. So while imposing regular password changes may create an illusion of security, it can actually increase risk, especially if it is the only measure taken.

With this in mind, are we justified in concluding that Chief Security Officers (CSOs) are sadists whose sole objective is to take revenge on users who just don’t get it? After all, this quick fix appears in several sets of security recommendations, notably ITIL and PCI DSS (requirement 8.5.9). In fact, this measure sits at the top of the pyramid of password management needs, but it is only beneficial alongside other actions.

1. It is hard to see how security improves if a user can pick “password1”, then “password2”, and so on every quarter, simply by incrementing the number at the end. For periodic change to be worthwhile, a minimum password strength must be guaranteed.

This can be done by:

· Forcing a change of any default password on first use

· Prohibiting short passwords: a minimum of 10 characters

· Imposing character diversity to improve entropy: uppercase and lowercase letters, numbers and special characters all have to be used
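The rules above, plus the “password1 → password2” problem from point 1, can be enforced at password-change time. The following is an added example written for this article, not NETASQ code: the default-password list is constructed, and the “too similar” test (same text once trailing digits and case are ignored, or within two edits of the old password) is one reasonable reading of the requirement, not a standard.

```python
import re
import string
from typing import List, Optional

MIN_LENGTH = 10
# Constructed list of vendor/default passwords that must be replaced on first use.
DEFAULT_PASSWORDS = {"password", "changeme", "welcome1", "admin", "Passw0rd"}


def character_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    checks = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(checks)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character tweaks of the old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(new: str, old: str) -> bool:
    """True for 'password1' -> 'password2' style changes: identical once trailing digits
    and case are ignored, or within two edits of the previous password."""
    def core(s: str) -> str:
        return re.sub(r"\d+$", "", s).lower()
    return core(new) == core(old) or edit_distance(new.lower(), old.lower()) <= 2


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if new.lower() in {d.lower() for d in DEFAULT_PASSWORDS}:
        problems.append("default password: must be replaced on first use")
    if len(new) < MIN_LENGTH:
        problems.append(f"too short: {len(new)} characters, minimum is {MIN_LENGTH}")
    if character_classes(new) < 4:
        problems.append("must mix upper case, lower case, digits and special characters")
    if old is not None and is_trivial_rotation(new, old):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    cases = [
        ("password2", "password1"),
        ("Summer2012!", "Summer2011!"),
        ("2mOaAtA2PaWiNg4y!", "Summer2012!"),
    ]
    for new, old in cases:
        print(f"{new!r} after {old!r}: {check_password(new, old) or 'accepted'}")
```

Run the checker against the user’s previous password hash only if you keep a short history of hashes; comparing against the plaintext of the old password, as above, is possible only at the moment the user types both in.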

2. A good preventive measure is to test the password database regularly by running a dictionary attack against it yourself (on a copy, with management approval, and treating whatever you recover as sensitive). You can then warn the users whose passwords fall and help them choose stronger ones.

3. You must also ensure that password storage is not the weak link in your network’s security. Storing passwords in plaintext, as Sony did (http://dazzlepod.com/sony/), is a blatant example of negligence. Hashing alone is not enough either: LinkedIn’s leaked hashes were unsalted SHA-1, which is why millions of them were recovered within days. Use a salted, deliberately slow password hash (bcrypt, PBKDF2 or scrypt) so that each account has to be attacked separately. If you have even one password database in plaintext, securing it has to be your number one priority; your company’s reputation is at stake.
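Points 2 and 3 fit together: the audit in point 2 is easy precisely when storage is done badly. The example below is added here and is not the article’s or NETASQ’s code. It builds a constructed stand-in for a leaked database of unsalted SHA-1 hashes (the hashes are computed from made-up passwords, nothing from a real dump), runs a small dictionary attack with typical mangling rules over it, and then shows salted PBKDF2 storage and verification, which is what the audit should have been unable to break cheaply.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterator, List


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme behind the leaked LinkedIn hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked database: username -> unsalted SHA-1.
LEAKED_DB: Dict[str, str] = {
    "alice": sha1_hex("linkedin1"),
    "bob": sha1_hex("Summer2012"),
    "carol": sha1_hex("linkedin1"),          # same password as alice
    "dave": sha1_hex("2mOaAtA2PaWiNg4y!"),   # the passphrase-derived password from this article
}

# Constructed mini wordlist; a real audit would use a multi-million-word list.
WORDLIST: List[str] = ["password", "linkedin", "summer", "welcome", "qwerty"]


def mangle(word: str) -> Iterator[str]:
    """Yield the variants a cracker's rule set tries first:
    capitalisation, a trailing digit, a recent year, a trailing '!'."""
    for base in (word, word.capitalize()):
        yield base
        for digit in range(10):
            yield f"{base}{digit}"
        for year in range(2008, 2013):
            yield f"{base}{year}"
        yield f"{base}!"


def dictionary_audit(db: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Return {username: recovered_password} for every account whose hash matches a
    mangled dictionary word. Because the hashes are unsalted, each candidate is hashed
    once and checked against every account at the same time, which is why an
    unsalted database falls so quickly and why shared passwords stand out."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in db.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_hash.get(sha1_hex(candidate), []):
                recovered[user] = candidate
    return recovered


def store_password(password: str, iterations: int = 200_000) -> str:
    """Salted, deliberately slow storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    The salt forces an attacker to crack each account separately; the iteration count
    makes every guess cost hundreds of thousands of hash operations."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    cracked = dictionary_audit(LEAKED_DB, WORDLIST)
    for user in LEAKED_DB:
        print(f"{user}: {cracked.get(user, 'not recovered')}")
    record = store_password("Summer2012")
    print(record)
    print(verify_password("Summer2012", record), verify_password("Summer2013", record))
```

With salted storage the same audit still works, but every candidate has to be hashed once per account with that account’s salt and iteration count, so the cost grows with the size of the database instead of staying flat.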

4. Adapt your response. The danger of a one-size-fits-all approach is that it neglects a fundamental principle: the level of security must match the importance of the data. If a user is accessing sensitive data, you will probably need an authentication method stronger than a password alone. Two-factor authentication, biometrics and hardware authentication tokens have become accessible to all and should be part of your strategy. By strengthening access to sensitive resources, you can also be more flexible with your password policy elsewhere, limiting both risk and frustration for users. A few simple questions can point you towards the areas to improve:

· Is the password policy the same for a service provider as it is for the company’s president?

· Is the Active Directory password the same as the mail system password, which is reachable from web mail or even from a telephone?

· What are the password restrictions on cloud services (Salesforce.com, for example)? Can they be the same as your internal passwords?

· Which accounts are shared, and who has access to them?

Your procedure for managing shared accounts has to be strict, especially when an employee leaves the company. Likewise, accounts with different degrees of exposure, such as the mail system and access to the company’s accounting data, need different passwords.

5. Explain, explain, and explain again. Unfortunately, the Pandora’s box of password management is full of surprises. There is no telling when a user who has struggled to remember the password you imposed will reuse it on his “free downloads” website. So, before setting up a restrictive password policy, set up a communication plan. Without going so far as to provide a framework here, taking notes beforehand and organising an information session for each department or each level of sensitivity should help users understand the stakes. You could, for example:

· Use recent incidents as examples (Dropbox, LinkedIn, Sony, Last.fm, etc.), and highlight in particular the weakness of the passwords found in these databases

· Explain what makes a password strong, and test it

· Cite common errors: birthdates, words that can be found in a dictionary, or any public information that can easily be looked up (a Facebook profile, for example)

· Show one or more methods for generating strong passwords, keeping in mind that the aim is also to make them easy to remember

· Recommend password management tools (1Password, KeePass, etc.)

· Invest in stronger authentication for your sensitive accounts.

To change or not to change? If all the best practices above were followed to the letter, regularly changing a password would also enhance security: it draws attention to the password’s importance and, over time, limits the damage from undetected leaks. However, this constraint is appropriate only for users who access sensitive data and who understand the reasons behind it. To conclude, based on our knowledge and experience, here is a simple method for creating a password.

· Pick a memorable phrase, e.g. “Too much of anything - and this applies to passwords as well - is not good for you!”
· Take the first letter of each word and vary the case (capitalising nouns and verbs, or simply alternating upper and lower as this example does): TmOaAtAtPaWiNgFy!
· Replace some words with characters: too/to with 2, for with 4: 2mOaAtA2PaWiNg4y!

And finally, do be careful: someday a dictionary attack on this technique may well see the light of day, so avoid quotations that are too well known.
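The method and its caveat can both be made concrete. The following is an added example, not part of the original article: it implements the three steps above (reading the case rule as “alternate upper and lower”, which is what the article’s own example does, and applying the too/to → 2 and for → 4 substitutions), checks that it reproduces the article’s two strings, and then shows why well-known quotations are dangerous: an attacker who knows the method can run it over a corpus of famous phrases and try the results directly. The quotation list is constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Substitutions the article applies after taking the initials.
SUBSTITUTIONS: Dict[str, str] = {"too": "2", "to": "2", "for": "4"}

ARTICLE_PHRASE = "Too much of anything - and this applies to passwords as well - is not good for you!"


def passphrase_to_password(phrase: str, substitute: bool = True) -> str:
    """First letter of each word, alternating upper/lower case, trailing punctuation kept.
    With substitute=True, whole words listed in SUBSTITUTIONS become their digit instead."""
    words = re.findall(r"[A-Za-z']+", phrase)
    out = []
    for i, word in enumerate(words):
        if substitute and word.lower() in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[word.lower()])
        else:
            out.append(word[0].upper() if i % 2 == 0 else word[0].lower())
    tail = phrase.strip()[-1:]
    if tail and not tail.isalnum():
        out.append(tail)
    return "".join(out)


# Constructed stand-in for a cracker's corpus of well-known quotations.
FAMOUS_QUOTES: List[str] = [
    "To be, or not to be, that is the question!",
    ARTICLE_PHRASE,
    "The only thing we have to fear is fear itself.",
]


def attacker_candidates(quotes: List[str]) -> Set[str]:
    """Everything a cracker who knows the method would try: the raw initials
    and the substituted form of each quotation."""
    candidates: Set[str] = set()
    for quote in quotes:
        candidates.add(passphrase_to_password(quote, substitute=False))
        candidates.add(passphrase_to_password(quote, substitute=True))
    return candidates


def is_predictable(password: str, quotes: List[str]) -> bool:
    """True when the password is exactly what the method yields for a known quotation."""
    return password in attacker_candidates(quotes)


if __name__ == "__main__":
    pw = passphrase_to_password(ARTICLE_PHRASE)
    print(passphrase_to_password(ARTICLE_PHRASE, substitute=False), pw)
    print("predictable from famous quotes:", is_predictable(pw, FAMOUS_QUOTES))
    private = passphrase_to_password("My cat knocked the blue mug off the kitchen shelf at 6am!")
    print(private, "predictable:", is_predictable(private, FAMOUS_QUOTES))
```

The method is deterministic, so its strength rests entirely on the phrase being one nobody else would guess; a private sentence about your own life survives the candidate list, a quotation does not.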

This was posted in Bdaily's Members' News section by Simon Denman.