Passwords May Be Weakest Link 529
blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"
Re:I've heard this before... (Score:2, Informative)
The fact that you need "x" access in order to get to the password file is no protection against the password file being stolen and cracked.
Re:Shadow passwords (Score:3, Informative)
As a Security Admin all I can say is..... (Score:5, Informative)
People at work hate me for enforcing hard passwords. (And other assorted security measures)
Basically I am a BOFH [bofh.net] so I don't care.
Unfortunately the common joe/jill user has no clue when it comes to computer security.
You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)
A good way to help *push* them towards secure passwords is to crack your own systems passwords.
You can use John the Ripper [openwall.com] for Unix passwords OR l0pht crack [atstake.com] for Windows systems.
Nothing disturbs an end user more then when you email them their old password,
(You have changed it to something hideous now...) and warn them that you can read their email.
If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.
If you use Unix try npasswd [utexas.edu] to enforce difficult passwords.
The most important factor is to get Management buy in. Try cracking some VP's passwords during a "standard audit".
Help them come up with a creative password. (First letters of a phrase work good. Throw in some numbers/metachars..)
Once I had Management buy in it was smooth sailing. Just hold their hand for a while.
Who cares about regular user passwords. (Score:3, Informative)
I'd be eating dinner and drinking expensive wine at a nice restaurant if I had a dollar for every time I've found an Oracle SYS password set to "change_on_install" or "oracle".
The only solution to the password problem is to eliminate passwords. At my organization, we are moving to a smartcard-based system that removes the password problem completely.
one password for life (Score:5, Informative)
I have never understood why people think that passwords suffer from wear and tear. I have never seen evidence to convince me that the longer one uses a password, the more vulnerable it becomes.
I remember in university, one of my courses had a module in something about maintenance/replacement of machinery, from a managerial perspective. One thing I recall is that with a lot of mechanical equipment, the older it got, the shorter the mean time between failure.
Digital equipment was almost the opposite. New equipment had a high chance of failure. If it survived the first couple of weeks, then it became almost impossible to predict failure rates. It was entirely random. Hence replacing aging mechanical equipment made absolutely no sense, whereas replacing digital equipment actually introduced a danger of failure
Well, passwords are like that. If you force users to change their passwords, and they change it from John, to Luke, to Mark to Peter, you have not really done much.
If you get really funky, and force them to change from adf0708 to 1433lkh to kh432lk to 23HGLY9 then you are beginning to get somewhere. The problem with these is that users then tend to write them down, because just as soon as they remember them off by heart, they are force to change them. As long as a password is written down somewhere, it is not secure!
A more thorough plan is to get users to choose one password, and set rules on numberics, caps, etc.. (or better yet issue passwords). At the same time, run a basic brute force dictionary cracker on the password file(s) and force *all* users with simple passwords to change them. Keep forcing them until they choose something sufficiently hard (or issue them with one that they can't change for the first 3 months or something).
Once users have a robust password, allow them to use it indefinitely!
Re:NT scores here (Score:3, Informative)
as someone else stated, PAM does this. More specifically, it's the cracklib PAM module, here's an intro http://linux.oreillynet.com/pub/a/linux/2001/10/05 / amModules.html [oreillynet.com].
NT has actually the same type of deal. The dll that does the password check is just a generic password filter provided my MS, you can replace with your own. I wrote an NT password filter that catches the username and password of a user whenever they change their password and sends it to a an external program registered in the registry. Use it to keep Win2K and OpenLDAP server passwords in sync, http://acctsync.sf.net [sf.net] but the external program could obviously be anything.
As usual, it's just that windows has a pretty GUI ( which should not be discounted btw. )
Re:one password for life (Score:4, Informative)
"I have never understood why people think that passwords suffer from wear and tear."
Using a password does indeed weaken it. Every now and then, a user will accidentally type a password into a user name field, and that results in a log entry with the incorrect password in plaintext. Every now and then, some users will give their passwords to a coworker or relative to "borrow" their account. Some users will use the same password on multiple systems. When a cracker gets into a system, they are likely to record the password file and attack it, or to collect passwords via spoofing or whatnot.
So, the longer a password has been in use, the higher the probability it has been compromised. The password suffers from wear and tear. Changing passwords refreshes them. A cracker that formerly had access to the system would have to start from scratch (especially if all passwords are changed simultaneously). Also, that cuts the coworker off from access to other employees accounts. They might not have done anything with that access now, but, someday, maybe they'll be fired and would like to take some sort of revenge. Since you cut them off by a policy of regularly changing passwords, they can't do it that way.
Re:Obvious (Score:3, Informative)
Doesn't matter. A black hat will ignore the sticky note and just use the default or backdoor [sans.org] BIOS password.
Use a password server (Score:3, Informative)
The solution I came up with was to build a dedicated Linux password server. Each user has a login and is a member of certain UNIX groups. Their "shell" is a custom C program that when the user logs in, prompts for a machine and username combination. This input is only displayed as asterisks (so people looking over the shoulder won't know what machine the user is looking up). The program then tries to read a text file for that machine and user. If the permissions are such that the logged in user is a member of the right group, then the contents are displayed for 5 seconds and then the screen is blanked.
This allows us to restrict who has access to what machines. The password server is pretty secure with no unnecessary daemon processes running, root cannot login through telnet (you need to login using a second account to get a prompt to su), there is a bios password and lilo password and the box is physically secure in the server room.
In the case of fatality, a paper backup is stored in a secured envelope and kept locked away with human resources who have permission to give it to a select few only (managing director, director of operations and IT managers).
It's working well for us and has been live for about three months now.