9 PASSWORD SECURITY

Derek Melber and Anna E. Ryberg, March 2011

Password security is a problem that threatens to become very costly for many companies if it goes unnoticed. There are, however, simple and cost-effective solutions to the problem of unauthorised access to key data through weak passwords, for those who recognise it. Derek Melber, Georgia Tech Research Institute, and Anna E. Ryberg, Specops Software, explain how to take your organisation from imminent-threat mode to a secure operation.

A BBC News article on 13 August 2010, ‘Call to improve password security’, addressed the growing security problem caused by fast computing power becoming ever cheaper. Research suggests this makes it easier to crack passwords and access data, with devastating results both in terms of cost and reputation. The growing use of graphics cards as surrogate supercomputers spells trouble for short passwords.

These claims come from Georgia Tech (USA) researchers who are investigating whether this new calculating power might change the security landscape worldwide. They are concerned that it might soon compromise current password protection.

‘We can confidently say that a seven-character password is hopelessly inadequate,’ said Richard Boyd, Senior Research Scientist at Georgia Tech Research Institute (GTRI), ‘and as computer power rises every year, the threat will increase.’ A better alternative, he suggested, would be a 12-character combination of upper and lower case letters, symbols and digits.

Ultimately, users may be forced to rely on whole sentences that are a mix of different sorts of characters to ensure no one else can guess their password and attack online services.

ENFORCING STRONGER PASSWORD POLICIES

Industry adopts continually revised guidelines for IT security. Sarbanes-Oxley, Information Governance, ITIL and ISO 27001 are just some of the standards affecting everyday work, and all place high emphasis on the need for stronger passwords that are changed regularly.

If a strict password policy is not considered and deployed, the foundation of computing security is jeopardised. Misconceptions exist about what constitutes a strong password policy. In practice a strong password policy is easy to define and, with the proper tools in place, easy to implement and enforce. Policies must require passwords that meet defined criteria, so that they resist attackers and their tools.

There are some criteria for strong, secure passwords:

  • Configure different password policies for different organisational units or security groups.
  • The password is not in any dictionary list.
  • Passwords should have over 15 characters; 20 is a good length.
  • Require all four character types in the password (uppercase, lowercase, numeric, symbols).
  • Do not include user account name or logon name.
  • Passwords should be in the form of a pass phrase, such as ‘I wish I owned a Porsche 911 Turbo.’
  • Avoid incremental passwords.
  • Passwords must be changed frequently.
  • Password changes should be done through a secure self-service method.

If your organisation has an Active Directory domain that contains only Windows Server 2008 (or later) domain controllers and runs at the Windows Server 2008 domain functional level, you have the capability of configuring multiple password policies in the same domain. Although these new fine-grained password policies allow several password policies to coexist in one domain, they expose only the same settings as the default domain policy (length, complexity, history, age and lockout) and so do not provide the granular control needed to meet the password requirements of higher-security users.

Nonetheless, there are efficient and effective third-party solutions that extend Group Policy and enforce strong, secure password policies.

PASSWORD SECURITY DOES NOT HAVE TO BE A PAIN

What happens when all users need to remember more complex passwords and change them more often? The risk is the help desk being swamped with calls leading to increased costs for the company. This can be avoided by using, for example, a versatile self-service password reset solution.

A long-standing issue with user account passwords is what happens when they need to be reset. Often a user account will be locked out, a password will expire, or an account will otherwise require attention from IT or help desk staff. Resetting passwords for users is time-consuming and costly for both IT staff and end users. To complicate matters, the password set for the user must be communicated securely and then immediately changed by the user, so that the IT staff member no longer knows it.

A good security measure is enabling users to reset their own passwords. The user is required to input unique answers to questions that only the user would know.

Password reset solutions may also increase the security of data by ensuring that IT and help desk staff never learn an end user's password.

For any organisation, protecting data is crucial, both economically and legally. Passwords are by far the simplest control for protecting data, provided of course that they are strong enough to be practically unbreakable.

HIGHER RISK GROUPS

Some users in an organisation, for example IT administrators, have higher authorisation to access data and are therefore a higher security risk. This can be managed by applying different password security levels to different groups in an organisation. None of this is news; what is new is technology that makes it much easier for attackers to break weak passwords. This means that users with access to critical data need stronger controls than those who do not. This is easily accomplished by requiring longer, more complex passwords of higher-risk user groups. An example might be IT having 20+ character passwords, managers 15 and all other employees 10.
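As an added example (not code from the article, nor from Specops or any other product), here is a Python check that applies the criteria listed under ENFORCING STRONGER PASSWORD POLICIES with the tiered minimum lengths just described. The group names, the minimum lengths, the short dictionary, the character-class definitions and the rule used to recognise an incremental change are all assumptions made for the example; a real deployment would load a full dictionary and a leaked-password list.

```python
import re
import string
from typing import List, Optional

# Constructed tiered minimum lengths: IT 20+, managers 15, everyone else 10
POLICIES = {"it-admins": 20, "managers": 15, "staff": 10}

# Constructed stand-in for a real dictionary / leaked-password list
DICTIONARY = {"password", "porsche", "welcome", "summer", "qwerty", "monkey"}

# "All four character types": uppercase, lowercase, numeric, symbols
CHARACTER_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: c in string.punctuation,
}


def violations(password: str, username: str, group: str,
               previous: Optional[str] = None) -> List[str]:
    """Return every policy rule the candidate breaks; an empty list means compliant."""
    problems = []

    minimum = POLICIES[group]
    if len(password) < minimum:
        problems.append(f"shorter than the {minimum}-character minimum for {group}")

    missing = [name for name, test in CHARACTER_CLASSES.items()
               if not any(test(c) for c in password)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    if username.lower() in password.lower():
        problems.append("contains the account name")

    # A dictionary word with digits and symbols bolted on is still a dictionary word,
    # so strip everything but letters before looking it up (assumed rule).
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY:
        problems.append(f"is the dictionary word '{core}' with decorations")

    if previous is not None:
        if password == previous:
            problems.append("reuses the previous password")
        elif re.sub(r"\d", "", password) == re.sub(r"\d", "", previous):
            # Same password apart from the digits: Summer2010! -> Summer2011!
            problems.append("is an incremental change of the previous password")

    return problems


def is_compliant(password: str, username: str, group: str,
                 previous: Optional[str] = None) -> bool:
    return not violations(password, username, group, previous)


if __name__ == "__main__":
    # Constructed candidates for each tier
    for pw, user, group, prev in [
        ("I wish I owned a Porsche 911 Turbo.", "anna", "it-admins", None),
        ("Porsche911!", "derek", "staff", None),
        ("Summer2011!", "bob", "managers", "Summer2010!"),
    ]:
        print(f"{user}/{group}: {pw!r} -> {violations(pw, user, group, prev) or 'OK'}")
```

The passphrase from the list above passes the strictest tier, while the decorated dictionary word and the year-bumped password are rejected with every reason listed, which is what a self-service change screen should show the user.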

‘Length is a major factor in protecting against brute-forcing a password,’ explained Joshua L. Davis, a GTRI research scientist at Georgia Tech. ‘A computer keyboard contains 95 characters, and every time you add another character, your protection goes up exponentially, by 95 times.’

TYPES OF ATTACKS

The common attacks on user passwords are brute-force attacks, rainbow tables and dictionary attacks. All three work offline against password hashes the attacker has already acquired. Attackers know that many people use passwords made only of easy-to-remember lowercase letters, so cracking tools typically try those combinations first.

In a brute-force attack, a program enumerates every combination of the character set (A–Z, a–z, 0–9, symbols) up to some length, hashes each candidate and compares the result with the ‘acquired’ password hashes (the one-way transforms in which systems store passwords rather than the passwords themselves). If there is a match, the program knows the password. Because the number of candidates multiplies by the size of the character set with every added character, brute-force attacks take a long time and are not effective against a good, strong, long password.
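As an added example (not from the article), this Python script implements the attack just described against a constructed set of unsalted SHA-256 hashes (the hash function is an assumption; Windows stores NT hashes, but the mechanics are identical) and then uses the 95-character keyboard from the quote below to show how the candidate count, and so the time to exhaust it, multiplies by 95 with every extra character.

```python
import hashlib
import itertools
import string
import time

# The 95 printable keyboard characters: 26 + 26 + 10 + 32 punctuation marks + space
CHARSET = string.ascii_letters + string.digits + string.punctuation + " "


def unsalted_hash(password: str) -> str:
    """Stand-in for a stolen, unsalted stored hash (assumption: SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(acquired: set, max_len: int, charset: str = CHARSET) -> dict:
    """Hash every string up to max_len; return {hash: password} for the ones found."""
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            candidate = "".join(chars)
            digest = unsalted_hash(candidate)
            if digest in acquired:
                found[digest] = candidate
                if len(found) == len(acquired):
                    return found          # nothing left to crack
    return found


def keyspace(length: int, alphabet: int = len(CHARSET)) -> int:
    """Number of candidates of exactly this length: alphabet ** length."""
    return alphabet ** length


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of this length."""
    return keyspace(length) / guesses_per_second / 31_557_600


def measure_rate(sample: int = 50_000) -> float:
    """Rough single-core hashing rate of this interpreter, in guesses per second."""
    start = time.perf_counter()
    for chars in itertools.islice(itertools.product(CHARSET, repeat=3), sample):
        unsalted_hash("".join(chars))
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample of acquired hashes: two short passwords
    stolen = {unsalted_hash(p) for p in ("a1!", "Zq")}
    print(brute_force(stolen, 3))
    rate = measure_rate()
    for n in (7, 8, 12):
        print(f"{n} chars: {keyspace(n):.3e} candidates, "
              f"{years_to_exhaust(n, rate):.3g} years at {rate:,.0f} guesses/s")
```

Short passwords fall in a fraction of a second even in pure Python; the printed estimates for 7, 8 and 12 characters make the per-character factor of 95 concrete, and a GPU cracker only moves the guesses-per-second figure, not the exponent.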

A rainbow table is a precomputed store of the hash work a brute-force attack would otherwise repeat. Instead of hashing every candidate for every attack, the attacker looks the acquired hash up in the table, trading disk space for time; only the start and end of each long hash chain is stored, so a lookup recomputes a small fraction of the chain rather than the whole keyspace. The one inherent issue is that rainbow tables become large. As the number of characters in the password increases, so does the table, and with all four character types and lengths beyond about 15 characters the tables become too large to be practical. Rainbow tables also only work against unsalted hashes, such as Windows LM and NT hashes: a random per-user salt mixed into the hash makes a precomputed table useless whatever the password length, because every user would need a table of their own.
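As an added example, not code from the original article, here is a miniature rainbow table in Python over a toy keyspace of four lowercase letters. SHA-256 stands in for the stored hash format, and the chain length and chain count are arbitrary choices for the demonstration. Only chain start and end points are stored; lookup re-walks the chains from each possible column; and the same lookup fails once a per-user salt is mixed into the hash.

```python
import hashlib
import string
from typing import Dict, List, Optional

# Toy keyspace: 4 lowercase letters = 26**4 = 456,976 candidates. Over the full
# 95-character set the table would grow 95-fold for every extra character.
CHARSET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 200      # hash/reduce steps per chain (assumed)
N_CHAINS = 1000      # chains stored (assumed)


def hash_pw(password: str, salt: bytes = b"") -> bytes:
    """Assumed stored-hash format: SHA-256, unsalted unless a salt is given."""
    return hashlib.sha256(salt + password.encode()).digest()


def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index gives every
    column its own reduction function, which is what makes the table 'rainbow'."""
    x = (int.from_bytes(digest[:8], "big") + column) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[x % len(CHARSET)])
        x //= len(CHARSET)
    return "".join(chars)


def chain_start(i: int) -> str:
    """Deterministic start point for chain i."""
    return reduce_to_password(hashlib.sha256(f"chain{i}".encode()).digest(), 0)


def walk(start: str, columns: int) -> str:
    """Advance `columns` hash/reduce steps along a chain."""
    pw = start
    for column in range(columns):
        pw = reduce_to_password(hash_pw(pw), column)
    return pw


def build_table(n_chains: int = N_CHAINS) -> Dict[str, List[str]]:
    """Store only end -> [starts]; everything in between is recomputed on demand."""
    table: Dict[str, List[str]] = {}
    for i in range(n_chains):
        start = chain_start(i)
        table.setdefault(walk(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Recover the preimage of `target` if it lies in any stored chain."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Assume target is the hash sitting in this column; finish the chain from there.
        pw = reduce_to_password(target, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_to_password(hash_pw(pw), later)
        for start in table.get(pw, ()):
            # Candidate hit, or a false alarm from merged chains: rebuild and verify.
            cand = start
            for col in range(CHAIN_LEN):
                if hash_pw(cand) == target:
                    return cand
                cand = reduce_to_password(hash_pw(cand), col)
    return None


TABLE = build_table()

if __name__ == "__main__":
    secret = walk(chain_start(7), 50)            # a password covered by the table
    print("unsalted:", lookup(TABLE, hash_pw(secret)), "expected", secret)
    print("salted:  ", lookup(TABLE, hash_pw(secret, b"per-user-salt")))
```

The table holds 1,000 entries yet answers for up to 200,000 password/hash pairs, which is the time-memory trade-off the text describes; the salted lookup returns `None` because the chains were built for hashes that never saw the salt.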

A dictionary attack is not all that different from the two attacks above. Instead of a ‘random’ character set, the dictionary attack uses a predefined word list (dictionary words, names, common passwords) together with rules for varying them, generates hashes of those candidates and compares them with the acquired password hashes.

Substituting symbols for letters in ordinary words (P@ssw0rd for password) does not make a strong password. Although such variants are harder to remember, cracking tools generate them automatically from the word list with substitution rules, so they fall almost as quickly as the plain word.
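As an added example, not the authors' code, this small Python dictionary attack applies the mangling rules that cracking tools use (case changes, letter-to-symbol substitutions, appended digits, years and a trailing ‘!’) to a constructed word list and runs the candidates against a constructed set of unsalted SHA-256 hashes. The word list, the rules, the accounts and the hash format are all assumptions for the demonstration; it shows the point of the last two paragraphs: decorated dictionary words fall, while the passphrase from the criteria list does not.

```python
import hashlib
import itertools
from typing import Dict, Iterator, List

# Constructed word list; real attacks use millions of words and leaked passwords
WORDLIST = ["password", "summer", "welcome", "porsche", "monkey"]

# The usual letter-to-symbol swaps
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def unsalted_hash(password: str) -> str:
    """Assumed stored format: unsalted SHA-256 (Windows NT hashes are equally unsalted)."""
    return hashlib.sha256(password.encode()).hexdigest()


def case_rules(word: str) -> Iterator[str]:
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_rules(word: str) -> Iterator[str]:
    """Every subset of the swaps, so 'Password' yields 'P@ssw0rd', 'Passw0rd', 'P@$$w0rd'..."""
    spots = [i for i, c in enumerate(word) if c in LEET]
    for r in range(len(spots) + 1):
        for subset in itertools.combinations(spots, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def suffix_rules(word: str) -> Iterator[str]:
    """Append what people append: nothing, 0-99, a recent year, optionally a '!'."""
    bases = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2012)]
    for base in bases:
        yield word + base
        yield word + base + "!"


def candidates(wordlist: List[str]) -> Iterator[str]:
    for word in wordlist:
        for cased in case_rules(word):
            for leeted in leet_rules(cased):
                yield from suffix_rules(leeted)


def dictionary_attack(acquired: Dict[str, str], wordlist: List[str] = WORDLIST) -> Dict[str, str]:
    """acquired maps account -> stored hash; returns account -> recovered password."""
    by_hash = {h: account for account, h in acquired.items()}
    cracked: Dict[str, str] = {}
    for candidate in candidates(wordlist):
        account = by_hash.get(unsalted_hash(candidate))
        if account is not None and account not in cracked:
            cracked[account] = candidate
            if len(cracked) == len(by_hash):
                break
    return cracked


# Constructed sample of acquired hashes
ACQUIRED = {
    "alice": unsalted_hash("P@ssw0rd"),
    "bob": unsalted_hash("Summer2011!"),
    "carol": unsalted_hash("M0nk3y99"),
    "dave": unsalted_hash("I wish I owned a Porsche 911 Turbo."),
}

if __name__ == "__main__":
    for account, password in dictionary_attack(ACQUIRED).items():
        print(f"{account}: {password}")
```

Three of the four hashes fall to a five-word list with a few rules; dave's passphrase survives not because it contains no dictionary word but because no rule set enumerates whole sentences, which is the argument for passphrases made at the start of the chapter.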

In conclusion, data is valuable and often critical, and its loss has a major impact on any operation. The historic reluctance to adopt stronger passwords is no longer acceptable. You must protect your most valuable assets. By investing in effective password management, or simply by implementing stronger passwords, those assets can be protected. The result is an efficient barrier against the loss of key data and its associated cost.
