For more information on password policies and related aspects of network security, see Chapter 7 of my book, Scene of the Cybercrime (Syngress Publishing)
Most computer and network operating systems today provide measures for securing access to data, applications and the operating system itself by granting permissions and user rights based on the user account that is logged onto the machine or network. In most cases, the key security mechanism is a password – a combination of characters that the user enters along with his/her account name to verify to the operating system that the associated account really belongs to the person who is using it to log on.
The password, then, functions like the key to a lock; anyone who has it can get it. This means the password can easily become the weak link in a company’s network security plan, because passwords can be “cracked,” guessed, stolen or deliberately shared. It is important for individual users to safeguard their passwords and for organizations to educate users regarding best password practices and to develop policies that mandate that such practices be followed.
In this article, we will discuss how passwords work, why and how passwords are vulnerable, how to create more secure passwords, how to create effective password policies, and some alternatives to password-only authentication for high security environments.
How Passwords Work
The basic concept of “locking” an account with a password is simple. When a user account is created, a password is assigned to it, usually by the administrator. The user uses this password to log on for the first time. The user is typically (although not always) given the ability to change the password so that only the user will know it. Depending on the type of user account (local account that can only log onto the computer or network account – called a domain account on Microsoft networks – that logs onto the network for access to resources on other machines), a database is stored either on the local hard disk or on an authentication server (which Microsoft calls a domain controller). The database contains a list of all user accounts and their corresponding passwords. When a user logs on and enters the credentials, they are checked against this database. If the password matches, access is granted. Generally, the passwords in the database will be encrypted to protect them, using a technique called hashing. It is the hash value that the password is checked against, so that the passwords stored in the database never have to be decrypted (and thus exposed to potential hackers).
Entering the user name and password every time a user wants to access a different resource on the computer or network would be cumbersome, so the authentication process is made transparent to the user after the initial logon. This is much more convenient, but it means that if you log on and then leave your computer without locking it (for example, with a password protected screensaver), anyone who sits down at it will be able to access any resources for which your account has permission, because you have in effect unlocked the door and left it open.
Even if you are diligent about this, however, there are many ways in which the password authentication system can be breached.
The big vulnerability of passwords lies in their nature. There are several different ways that a person can “prove” his/her identity:
Providing something they know (the password)
Providing something they have in their possession (such as a card)
Providing something they are (a physiological characteristic such as a fingerprint)
Providing something they do (such as speaking for voice pattern analysis)
Because the password is something you know, that knowledge can be gained in different ways. Unlike with a key to a lock, which is a physical object, an intruder doesn’t have to take the password away from its owner in order to have it himself. Instead, he can get it in one of several ways (without the owner ever knowing). For example:
Exploitation of weak passwords: Left to their own devices, users often choose “easy” passwords – ones that they can remember without much trouble. This means they use a word, phrase or number that has special meaning to them, such as their spouse’s name, their birthday or social security number. An intruder who knows something about the user may be able to guess the password. Use of any word that is in the dictionary creates vulnerability, because “brute force” methods (trying one password after another until you hit the right one) and “dictionary” attacks can crack them.
Exploitation of user behavior: If the password is more complex and non-intuitive (a random combination of letters and numbers), the user may have trouble remembering it, and this may lead to writing it down – often keeping it in a prominent place such as the top desk drawer or even on a sticky note stuck to the monitor. Users may also share their passwords with other users in an informal work environment. Even when users exercise reasonable diligence, hackers can often use “social engineering” to persuade users to divulge their passwords by posing as tech support or administrative staff.
Capture of credentials in transit: Even when strong passwords are used and users keep the passwords to themselves, savvy intruders may be able to capture the credentials when they are sent across the network if sufficient security measures aren’t in place to prevent this.
Because there are so many ways for an unauthorized person with a little technical knowledge and/or people skill to learn the passwords of legitimate users, it is very important that organizations launch a multi-faceted defense against password breach. That begins with mandating that only secure passwords be used.
Creating Secure Passwords
Creating passwords that are relatively secure involves mandating password length and complexity (the longer the password, and the more different types of characters – letters, numbers, symbols, upper and lower case – the better). Another consideration is mandating that passwords be changed regularly; the older a password is, the more chance that it has become known to someone other than its owner.
In general, the following guidelines should be followed in creating passwords:
Make the password long enough so it’s difficult to guess, but short enough so the owner can remember it (8-10 characters for regular users, with longer passwords for users with administrative privileges)
Don’t use words that are in the dictionary.
Mix upper and lower case alphabetic characters, numbers, and symbols in the password.
Don’t use the same password or the same two or three passwords over and over when it’s time to change passwords.
Note: you might want to check out the password generator http://www.winguides.com/security/password.php
Creating secure passwords is only the first step. Policies must be put in place to control user behavior; that is, prohibiting sharing of passwords with anyone else, mandating regular password changes, etc. As with all policies, it is imperative that the policies not only be put into writing, but that they be disseminated to all those who will use the network, and that users be required to sign a form verifying that they received and read the policies, and that the policies be enforced.
Administrative Policies vs. User Policies
Some of the policies you develop can be enforced through the operating system or third party software. For example, on a Windows 2000 network you can set group policy (In the group policy editor for the GPO, select Computer Configuration | Windows Settings | Security Settings | Account Policies | Password Policies) to allow only passwords of a specified minimum length or to force the operating system to remember the user’s password history and not allow setting a password that has been used in the recent past. This means you don’t have to rely on users to comply with the rules – if they try to set a password that doesn’t meet your requirements, the system will reject it.
In other cases, you will have to enforce policies (such as that prohibiting writing down the password) through standard disciplinary channels.
Administrators can also increase the security provided by password authentication by setting the system to lock out a user account if a specified number of failed logon attempts are made. Because it is unlikely that a legitimate user would mistype his/her password several times in a row, multiple failed attempts often indicates that someone is trying to guess the password.
It is also useful to enable security auditing and have the system write an event to the Security log when failed logon attempts are made. This way, you can determine when the attempts are occurring.
Alternative and Additional Authentication Methods
When good policies are in place, password authentication can do an adequate job of protecting resources in a low or medium security environment. However, if the data on your computer or network is especially sensitive, your organization should consider supplementing password authentication with some other authentication method.
Smart card authentication is supported by Windows 2000/XP out of the box, and provides an extra layer of security because not only must the user provide something he/she knows to log on (in this case, a Personal Identification Number or PIN) but must also provide a physical object – the card itself. A smart card is a credit card sized plastic card with an embedded chip that can hold a digital certificate so user authentication is accomplished through a public key infrastructure. A smart card reader (a hardware device) is required, through which the card is swiped.
Another even more secure option is to use biometric authentication. This requires hardware and software capable of scanning and analyzing a fingerprint, handprint, retinal image, or other unique physiological characteristic. Although the equipment is somewhat expensive and the software is not yet perfected, biometric authentication has the potential to be the most secure way of verifying that a person is who he claims to be. Today’s biometric devices aren’t foolproof, however.
Despite the existence of more secure methods of authenticating users, including smart cards and biometrics, password authentication continues to be the most common means in use. Thus it is important for organizations to recognize the vulnerabilities to which passwords are subjected, and develop strong policies governing the creation and use of passwords to ensure that those vulnerabilities aren’t exploited.