No doubt about it, entering (and administering) usernames and passwords is a network security hassle. Google Authenticator and Yahoo’s on-demand passwords have presented some promising alternatives, but they are not universal. Passwords aren’t going away any time soon. The costs of converting to another system are astronomical, and the conversion will take years. For the foreseeable future, as Sharon Profis wrote in CNET, “Passwords -- especially those not supported by two-step verification -- are your last lines of defense against prying eyes.”
Let’s look at some ways to make them more effective, and even eliminate some of the hassle.
Use of default or empty passwords is ubiquitous
An interesting study by HD Moore shows that a huge number of devices (PCs, routers, switches, servers, etc.) still use the default credentials. In other words, the username and password are never changed after the device is installed. This is asking for trouble, because Google can serve up the default password for any device as fast as you can type “default password list”. So the password should be changed and strengthened (more on that later).
Better still, change the username, too. This is not always possible; some devices require an account named “Administrator” or some equally obvious designation. If that is the case, the best approach is to attach the strongest possible password to the account, and then never use it again. Yes, you read that right. Create another, more subtly-named account with administrative privileges for daily use. And while you are at it, rename the guest accounts.
Getting rid of usernames that are no longer needed is important. Take a look at the last login date for all accounts on a regular basis. It is possible that the Sales Department “forgot” to tell you that Jim left the company. Contractors especially float in and out, and can be a source of security breaches (think Edward Snowden).
It goes without saying that each user requires a unique username and password. No sharing! And no usernames like “HelpDesk1” or “FinAnalyst”. They tip off intruders to the kind of data and privileges the account carries.
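As an added example (not code from the article), here is a small account audit of the kind the last three paragraphs describe: it flags accounts that have not logged in recently, accounts with well-known default names, and names that advertise the role behind them. The account list, the audit date and the 90-day threshold are all constructed for the demo.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): account name,
# last login date (None = never logged in), and whether it is privileged.
SAMPLE_ACCOUNTS = [
    ("Administrator", date(2014, 1, 3), True),
    ("jsmith", date(2015, 3, 2), False),
    ("HelpDesk1", date(2015, 2, 20), False),
    ("FinAnalyst", date(2014, 11, 5), False),
    ("contractor_jim", date(2014, 6, 1), True),
    ("Guest", None, False),
]

# Hypothetical policy values chosen for this example.
AUDIT_DATE = date(2015, 3, 10)   # fixed "today" so the run is reproducible
STALE_DAYS = 90                  # no login in this many days -> review the account
DEFAULT_NAMES = {"administrator", "admin", "root", "guest"}
ROLE_HINTS = ("helpdesk", "analyst", "sales", "payroll", "dba", "svc")


def audit_accounts(accounts, today=AUDIT_DATE, stale_days=STALE_DAYS):
    """Return (account, finding) pairs for accounts that need attention."""
    cutoff = today - timedelta(days=stale_days)
    findings = []
    for name, last_login, privileged in accounts:
        lowered = name.lower()
        # Never-used or long-unused accounts: a leaver or a forgotten contractor.
        if last_login is None or last_login < cutoff:
            findings.append((name, "stale"))
        # Well-known default names: keep if required, give a very strong
        # password, and stop using the account day to day.
        if lowered in DEFAULT_NAMES:
            findings.append((name, "default-name"))
        # Names that advertise the role (and hence the data) behind the account.
        elif any(hint in lowered for hint in ROLE_HINTS):
            findings.append((name, "role-revealing"))
        # A privileged account that is also stale belongs at the top of the list.
        if privileged and (name, "stale") in findings:
            findings.append((name, "stale-privileged"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{account:15} {finding}")
```

On a real system the account list would come from the directory or the local user database rather than a literal, and the role-hint list would be tuned to the naming habits of the organization.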
Password length and content – new research findings
Single sign-on (SSO) systems are popular, and they make sense. Why should I have 10 different passwords for the corporate databases? But that one password had better be secure, or someone else will have access to those databases, too.
One approach to strengthen passwords has been to require a variety of character types: upper and lower case letters, numbers and symbols. In other words, make passwords more complex. It turns out that long passwords (that are not too simple) are a better alternative for several reasons:
- They are significantly more secure than shorter complex passwords.
- They are easier to create. When a user must decide how to combine character types, it is an unnatural activity. Humans think in phrases.
- They are written down less often; think of DontEverDoThatAgain versus 79m&fB4*. The first password is actually hard to forget. The second, without a doubt, would be on a sticky note on the computer.
This information comes out of the research underway at the CUPS (CyLab Usable Privacy and Security) Laboratory at Carnegie Mellon University. The lab had access to 25,000 real passwords used by the Carnegie Mellon community. These were supplemented with surveys and studies to come up with password policies that not only meet security criteria, but also are preferred by users.
CUPS found that it was easier to guess passwords with symbols and numbers at the end, right where most users put them when complexity is required. They also discovered that password strength meters really work, as long as they are not too discouraging.
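To make the length-versus-complexity point concrete, here is an added example (not the article’s or CUPS’s code) that scores a password the way a naive policy does and also applies the two findings above: it prefers length over forced character mixing, and it flags the common habit of tacking digits and symbols onto the end of a word. The thresholds (16 characters, 60 bits) are hypothetical. The bit estimate is a brute-force upper bound only; a phrase of dictionary words is guessed far faster than that number implies, which is exactly why the CUPS work measures guessability against real cracking strategies rather than keyspace arithmetic.

```python
import math
import re

# Hypothetical policy thresholds for this example; the article does not prescribe numbers.
MIN_LENGTH = 16
MIN_BITS = 60.0

# Approximate size of each character class on a US keyboard.
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 32),
]


def keyspace_bits(password):
    """Naive brute-force estimate: log2(alphabet_size ** length).

    This is an upper bound. A long phrase of dictionary words is guessed
    far faster than this number suggests.
    """
    alphabet = sum(size for pattern, size in CLASSES if pattern.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def trailing_filler(password):
    """True when every digit and symbol is tacked onto the end of a word."""
    return re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", password) is not None


def evaluate(password):
    """Return the estimate plus a list of policy findings (empty = accepted)."""
    reasons = []
    bits = keyspace_bits(password)
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if bits < MIN_BITS:
        reasons.append("low_keyspace")
    if trailing_filler(password):
        reasons.append("trailing_filler")
    # A long string built from very few distinct characters is "too simple".
    if len(set(password.lower())) < 5:
        reasons.append("too_simple")
    return {"bits": round(bits, 1), "reasons": reasons}


if __name__ == "__main__":
    for pw in ("DontEverDoThatAgain", "79m&fB4*", "Summer2015!", "a" * 20):
        print(f"{pw!r:24} {evaluate(pw)}")
```

Run on the article’s two examples, the 19-letter phrase scores well above 100 bits and passes, while the 8-character mixed password scores about 52 bits and is rejected for length and keyspace alone.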
Are you publishing your password on Facebook?
The Internet holds information on everyone, and it never forgets. It is human nature to construct passwords about things we love. That pink tuxedo you wore to the prom? That could lead an intruder to check for “pink” in your password. A picture with your dog Sniffy? The intruder will bet that some combination of “I love Sniffy” is in your password.
It is impossible (and should be impossible for security reasons) for a systems administrator to check and cross-check information for each user to see if passwords are obvious. But users need to understand that intruders can find out more about their lives than they may realize. Every weak password in your organization is an opportunity for a security breach, so user training (and occasional retraining) is critical.
Are password structural requirements passé?
Many organizations use structural requirements for usernames and passwords. For example, a username may consist of first initial, last name, and the last 4 characters of the employee ID. This makes it easy to target the top dogs in a company. They are the ones with the authorization to access the really interesting data, at least as far as an intruder is concerned. Maybe it is time to consider eliminating structural requirements for personnel above a certain privilege level.
Requiring users to change a password on a regular basis is a great way to increase security. The longer a password remains static, the more time an intruder has to crack it. I know, this makes managing passwords much more difficult. So, for heaven’s sake, use a password manager like LastPass, Dashlane, or 1Password. These also include password generators. Since the password manager remembers the password for you, make it as long as you can. Of course, the maximum length depends on the website or software you are using. Better still, use an offline generator, such as Random Password Generator, so the generated passwords never leave your machine.
If you prefer to create your own “artisanal” passwords, use “How Secure is my Password?” at https://howsecureismypassword.net/ to rate a password’s strength and get suggestions for making it stronger. Mac users have the built-in Password Assistant.
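An offline generator is a few lines in any language with a cryptographic random source. The following is an added example (not the Random Password Generator tool or any manager’s code): it draws from the operating system’s CSPRNG via Python’s secrets module, takes the target site’s maximum length as its parameter, and also builds a word-based passphrase of the long-but-memorable kind the CUPS findings favor. The six-word list is constructed for the demo; a real passphrase generator needs a published list of thousands of words.

```python
import secrets
import string

# Constructed mini word list for the demo. A real passphrase generator needs a
# large, published list (thousands of words); six words only show the mechanism.
DEMO_WORDS = ["orbit", "velvet", "granite", "lantern", "meadow", "copper"]

LETTERS_DIGITS_SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(password):
    """True if lower, upper, digit and symbol all appear."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length, alphabet=LETTERS_DIGITS_SYMBOLS):
    """Random password of exactly `length` characters from `alphabet`.

    Pass the maximum length the target site accepts. The loop re-draws until
    every class is present, which only satisfies site policies; the strength
    comes from the length and from secrets (the OS CSPRNG), never from random.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold every class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(word_count, words=DEMO_WORDS, separator="-"):
    """Random passphrase: words drawn uniformly (with replacement) from a list."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(generate_password(32))
    print(generate_passphrase(5))
```

Nothing here touches the network, and the only state is the word list, so the result can be pasted straight into a password manager entry.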
Are your passwords maximum security?
Passwords are a key part of an organization’s security. Systems administrators and users alike look forward to the day they are no longer needed. Until that happy day comes, we might as well use passwords effectively.