The Security Samurai

Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves - William Pitt


Cheapest, Quickest Security Enhancement You Can Make

I taught a security class in Huntsville, AL last week and we were discussing the issue of password management.  One of the easiest things you can do to improve security is educate users on proper password management.  I know it’s not the sexiest topic in the world, but it’s still worth reading about.

From what I’ve seen, most companies approach password policies with little thought to enabling both usability and security.  Some are extremely lenient with their password policies.  Others dictate a stringent set of rules to employees.  Companies with users who are customers rather than employees often have their hand forced and are unable to implement any type of real security.  Fixing the issues that arise from these situations is so simple it hurts.  Educate the users…

A good example of educating users is Microsoft’s Passport Service.  For those of you who have a Passport account (isn’t that everyone by now), go and try to change your password (you don’t actually have to, just go through the motions and cancel it at the end if you want).  Notice how it identifies the strength of the password being used (weak, medium, and strong).  It also gives the user the option to expire their password after 72 days.  I would have liked for them to go a few steps further, but give credit where credit is due.  This is a great, simple feature to implement.

How could they have gone further?  For starters, explain what a strong password is and the need for it.  Most users don’t understand how complex a dictionary attack can be if they know what one is at all.  On top of that, they may not realize how easily weak passwords can be broken with a brute force attack.
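To make the "weak, medium, strong" idea concrete, here is an added Python example (not Passport’s code and not the author’s) of the kind of strength rater a change-password page could run: it rejects common words even when the usual digits or punctuation are tacked on the end, which is exactly what a dictionary attack tries first, and otherwise rates the password by how large a search space a brute-force attack has to cover. The tiny wordlist, the bit thresholds and the guess rate are assumptions made for this example.

```python
import math
import string

# Constructed, tiny stand-in for a real list of common passwords; a production
# check would load a full wordlist (assumption made for this example).
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "123456", "monkey"}

# Rating thresholds in bits of brute-force search space (assumed values).
WEAK_BITS = 40
STRONG_BITS = 64


def charset_size(pw: str) -> int:
    """Number of characters an attacker must try per position, given the
    character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the search space a brute-force attack must cover."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def is_dictionary_word(pw: str) -> bool:
    """True if the password is a common word, even with trailing digits or
    symbols appended (the 'password1!' habit a dictionary attack expects)."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def time_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Seconds needed to try every candidate in the password's search space."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def rate_password(pw: str) -> str:
    """Return 'weak', 'medium' or 'strong', in the spirit of the Passport meter."""
    if len(pw) < 8 or is_dictionary_word(pw):
        return "weak"
    bits = brute_force_bits(pw)
    if bits < WEAK_BITS:
        return "weak"
    if bits < STRONG_BITS:
        return "medium"
    return "strong"


if __name__ == "__main__":
    # Constructed candidates; the last three are not in the wordlist, so only
    # length and character classes decide their rating.
    for candidate in ["password", "Password1!", "abcdefgh", "correcthorse", "Tr0ub4dor&3x"]:
        print(f"{candidate:14s} {rate_password(candidate):7s} "
              f"{brute_force_bits(candidate):5.1f} bits, "
              f"{time_to_exhaust(candidate, 1e9):.0f}s at 1e9 guesses/s")
```

The time_to_exhaust figure is the one worth showing users: an eight-letter lowercase password is gone in minutes at a billion guesses per second, while adding length and character classes pushes the same calculation out by orders of magnitude, which explains the rating far better than a bare "weak" label does.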

If any of you are saying, well, we don’t have to worry about that because we have an account lockout policy that limits you to 3 login attempts, you should understand that you are opening yourself up to another form of attack.  You are a target for a massive denial of service attack.  Think about it.  How hard would it be for someone with even a very limited knowledge of your entity to get a list of users and derive their usernames?  How difficult would it be for someone to automate 3 invalid login attempts for each account?  How much of a pain in the butt would it be if all of your user accounts were locked out at the same time?

In most situations, you should be auditing logins (both invalid and valid) and monitoring the log for suspicious activity.  There are very few applications that require an account lockout policy, and in those that do, security far outranks the usability and accessibility needs of those systems.
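To show what the "audit and monitor" alternative looks like in practice, here is an added Python example (not the author’s code and not any particular product’s). It parses a constructed sample of login audit lines and flags three patterns: one source failing the lockout threshold against many different accounts (the mass-lockout denial of service described above, which a lockout policy would have turned into an outage), a long run of failures against a single account that a lockout policy would have cut short but auditing still catches, and a success that follows such a run, which is the event that should trigger a password reset. The log format, field names and thresholds are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed audit log (assumed format); not output from any real system.
# 192.0.2.77 fails three times against each of several accounts, the pattern
# that would lock them all out under a "3 attempts" policy.  198.51.100.9
# hammers one account and finally gets in.
SAMPLE_LOG = """\
2005-09-29 14:00:01 LOGIN_OK     user=alice src=10.1.1.20
2005-09-29 14:00:05 LOGIN_FAILED user=bob   src=10.1.1.21
2005-09-29 14:00:09 LOGIN_OK     user=bob   src=10.1.1.21
2005-09-29 14:02:00 LOGIN_FAILED user=alice src=192.0.2.77
2005-09-29 14:02:01 LOGIN_FAILED user=alice src=192.0.2.77
2005-09-29 14:02:02 LOGIN_FAILED user=alice src=192.0.2.77
2005-09-29 14:02:03 LOGIN_FAILED user=bob   src=192.0.2.77
2005-09-29 14:02:04 LOGIN_FAILED user=bob   src=192.0.2.77
2005-09-29 14:02:05 LOGIN_FAILED user=bob   src=192.0.2.77
2005-09-29 14:02:06 LOGIN_FAILED user=carol src=192.0.2.77
2005-09-29 14:02:07 LOGIN_FAILED user=carol src=192.0.2.77
2005-09-29 14:02:08 LOGIN_FAILED user=carol src=192.0.2.77
""" + "".join(
    f"2005-09-29 14:05:{i:02d} LOGIN_FAILED user=dave  src=198.51.100.9\n" for i in range(12)
) + "2005-09-29 14:05:12 LOGIN_OK     user=dave  src=198.51.100.9\n"

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<result>LOGIN_OK|LOGIN_FAILED)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn audit lines into dicts with ts/result/user/src; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyse(events: list, lockout_threshold: int = 3,
            sweep_min_accounts: int = 3, brute_force_min: int = 10) -> dict:
    """Flag lockout sweeps, brute-force runs and successes after repeated failures.

    Thresholds are assumptions: lockout_threshold mirrors the "3 attempts" policy
    the post discusses, the other two are illustrative.
    """
    failures = Counter()             # (user, src) -> failed attempts so far
    accounts_hit = defaultdict(set)  # src -> accounts it has pushed past the threshold
    suspicious_success = []          # (user, src) that succeeded after >= threshold failures
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "LOGIN_FAILED":
            failures[key] += 1
            if failures[key] >= lockout_threshold:
                accounts_hit[ev["src"]].add(ev["user"])
        elif failures[key] >= lockout_threshold:
            suspicious_success.append(key)
    lockout_sweep = {src: sorted(users) for src, users in accounts_hit.items()
                     if len(users) >= sweep_min_accounts}
    brute_force = {key: n for key, n in failures.items() if n >= brute_force_min}
    return {"lockout_sweep": lockout_sweep,
            "brute_force": brute_force,
            "suspicious_success": suspicious_success}


if __name__ == "__main__":
    findings = analyse(parse_log(SAMPLE_LOG))
    for src, users in findings["lockout_sweep"].items():
        print(f"lockout sweep from {src}: would have locked out {', '.join(users)}")
    for (user, src), n in findings["brute_force"].items():
        print(f"brute force: {n} failures against {user} from {src}")
    for user, src in findings["suspicious_success"]:
        print(f"success after repeated failures: {user} from {src}; reset this password")
```

Note that bob’s single typo from his own workstation is not reported at all, while the same three-failure count that a lockout policy treats as grounds to disable an account is reported here as evidence against the source address, which is where the problem actually lives.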

After explaining the importance and the characteristics of a strong password, you should also explain to the user that it is okay to record a strong password and keep it on their person (e.g. in their wallet).  Strong passwords are easily forgotten and lead to an excessive number of password reset requests, which can be just as big a potential security issue as having no password policy at all.

Keeping a password in your wallet is not the same thing as taping a password to the back of the keyboard or writing down your ATM PIN and keeping it in your wallet.  In those cases you are storing a secret next to the object that makes the secret valuable.  If an attacker can get to the object, they also have access to the secret.  Storing a password in your wallet is entirely different.  It is unlikely that your wallet would be compromised without you knowing it.  Even if your wallet is not stolen, but merely misplaced for an hour, these types of events are entirely noticeable and the user should know to reset their password immediately.

Finally, users need to be educated on password reuse and disclosure.  No one should use the same password everywhere.  That in itself is a form of disclosure.  Teaching users to never disclose their passwords hurts productivity.  I know this might sound weird, but users should not only be trained to protect their passwords, but also to use their own discretion in disclosing them to others.

How is using the same password everywhere a form of disclosure?  Well, on the one hand, if any of the sites where these credentials are used is compromised, it is now possible for someone to try and use them elsewhere.  More dangerous would be a targeted attack.  Say I want to access the email of a high ranking corporate official’s secretary.  I could create a phishing site (www.SecretAdmirerFlowers.cam) and send her a personalized email.  We could tell her a secret admirer has sent her flowers and all she has to do is specify where they should be sent.  If she bites and comes to the site, we ask her to specify a username and password along with a mailing address of where the flowers should be sent.  When she is done, tell her to expect them in 5 business days.  That is plenty of time for someone to gain access to her system and get the information required.  If you really want to finish out the scam, actually send her flowers.

There are also times when a user may need to share their password for a valid reason.  Users need to be taught to use their own discretion when sharing their credentials.  They should never blindly comply with a request of this nature and be aware of the extreme likelihood that this request is being made for fraudulent reasons.  They should ask as many questions as needed to evaluate the necessity of the request and change their password to something else as soon as possible afterwards.

Just this week alone I have been faced with this situation…twice.  My boss is out of town and I needed to access our hosting site.  To do that, I need his username and password.  I am also working remotely on a consulting project and need to terminal in and debug an application while logged in as a certain user.  One of these people uses a different password for every account they have and changes them regularly.  He has a record of every site that requires authentication, the password he uses, and the dates that the password was set.  The other user uses the same password for everything and has no idea how many sites use this particular password.  Both users trust me, have validated my need for their credentials, yet one cannot and will not disclose their password to me while the other readily made theirs available.

So how do we deliver this kind of information to our users?  Well, it definitely should not be limited to a company-wide email, the computer usage policy, or the like.  It could also be delivered through a well designed UI, as Microsoft’s Passport Service does (almost).  Maybe you could record a training video and distribute it throughout the company.

I know this type of information is entirely boring and is about the least sexy part of security there is.  However, it still remains a cheap, effective method for improving security.

-Eric Marvets

posted on Thursday, September 29, 2005 3:13 PM