Thoughts on Modern Day Password Management
Will we always be talking about Proper Password Management?
In light of the recent compromises to Yahoo, I thought I would change gears a little from my normal blog focus and spend a moment on the topic of “what enterprises could be doing to better protect passwords from hackers.”
Today, the password problem has changed a bit to take on a new slant for a security professional, while the business problem remains constant.
Fundamentally, a business must ask the following question:
Do you care about the availability, confidentiality and/or integrity of “our” IT Systems or data? (Note: If the “IT Systems or Data” is your business, you can replace the whole question with the more existential and rhetorical question of “Do you care about your business?”)
If your answer is “Yes” to even a portion of that question – passwords are necessary. Why?
The Basic Premise of Passwords
A password (which may take many forms) is the only way to tell who did what to an IT system/data and when. Repeat – this is the only way.
Although many of my security brethren would disagree, the use of passwords has been passed down from the earliest known passages of mankind and I believe the concept will live in perpetuity, albeit not in the format we’ve come to know and leverage over the past two decades. But first, let’s review the academic purposes of passwords.
At the root a password accomplishes a lot of tasks:
- It authenticates a person
- It authorizes a certain set of tasks, capabilities or access
- It provides a fundamental ability to audit
- It should provide for non-repudiation (fancy word to say that someone can prove YOU were the actor behind the proxy credentials)
A password is generally a secret code or sequence of characters known between a person attempting to access something and the object that is being accessed or the person that is granting the access. It is analogous to a key used to access one’s house or automobile.
Passwords (or electronic keys if you will) are used in accessing computer operating systems, applications, and data that are known to a person. This person is referred to by IT Departments as “the user”.
Passwords are generally a result of an authentication system which can be built on one or more of a Four Factor System of establishing a valid user. The academic premise of this Four Factor System is that the more you combine these factors, the more likely you are to have a REAL and authentic user on the other side of the challenge.
The Four Access Factors are as follows
- Challenge based upon something the person knows (e.g. a Password)
- Challenge based upon something the person has (e.g. Enter a dongle or key into the computer). The common example of this is a house or car key
- Challenge based upon something you are (e.g. this is often biotechnology like a fingerprint or eye-retina scanner)
- Challenge based upon somewhere you are (e.g. only authenticate based upon location, such as must be in New York State or at a certain address, etc.)
In the financial sector today it is common practice that for someone to access an account with personally identifiable information, they must combine two of the factors listed above for access.
Next Question: What is your business’ access philosophy?
Simply Put: Password Management Reflects Business Ethos and Pathos
- Our customers/business “Users” will only have access to those systems/data that they need to accomplish their job – and no more. This is often referred to as “need to know.”
- Our customers/“Users” will be given access by their role or job function – something frequently called Role Based Access Control (RBAC), which defines Rules based upon your relationship with the system you interface with. This system, although inherently better to manage than other access systems, may require some users to have more (but frequently not less) access than they need to accomplish their job tasks.
- Users will be given access by a cultural set of permissions/queries by the user and/or user’s supervisory chain-of-command. This could be as little access as specific applications only and/or as much as access to everything.
The organization’s access philosophy that is based on “need to know” and “need to perform job function” best supports the password system. Regular reviews of personnel access profiles as well as logical security awareness through education and training are imperative for the maintenance and support of the organization’s access philosophy. While password management is very serious, keep in mind that a password alone will not prevent unauthorized access.
What happens when passwords are not taken seriously within a business/enterprise?
The bottom line is that the company is setting itself up to be a victim to an act that may have no recourse. In lay terms, should someone exploit the enterprise’s IT systems/data and causes serious problems (this may come in many forms – from financial fraud to sexual harassment, from total enterprise processing outage to regulatory compliance lapses) – if the enterprise can not DEFINITIVELY SAY that the act that was traced to a certain computer was ACTUALLY accessed by a certain person, the enterprise will have little recourse. You see, solid and respectful password management is not only important to an enterprise, but it is also respectful to the employee, ensuring that their identity may not be quick copied and used in a malicious manner.
So what amounts to some password practices that are considered widely understood and practiced?
– Do use a different password on each important system. Assume that the administrator for each system can decipher your password for that system; Don’t give them access to all of your accounts. By using different passwords, you limit the damage of a breach to a single account.
– Don’t give your password to anyone. No one, not even the system administrator, needs your password. If someone asks for your password, assume the worst.
– Don’t use dictionary words. Webster’s New World College Dictionary has 163,000 words in it. The smallest dictionary in a password cracker has more than 200,000; It includes places and popular names, such as Spock. Do the math.
– Don’t use personal information. Social security numbers, telephone numbers, date of birth, and the names of kids, pets and significant others should all be considered off-limits.
– Do use numbers and symbols, and not just at the end. There are several good mnemonics for generating passwords. Use the first letter of each word in a sentence and then randomly capitalize some letters and add numbers and special characters.
Additionally – the corporate philosophies that are considered mainstream practice is the following:
- “Access based on job function” best supports the password system. This ‘philosophy’ should be stated in a corporate policy.
- Technical password management is set and updated timely (60 days) in the organization’s systems’ procedures.
- Routine reviews of compliance are conducted by multiple entities.
- Personnel are to be educated and trained on password management and provided with supporting documentation.
Bottom line: Go-Forward Password Rules for Today’s Online Businesses
Rule #1: Single Factor Passwords Are Dead!
Rule #2: Two-Factor is required for all basic authentication- including system-level
Rule #3: Automate password authentication wherever possible. Don’t rely on people or process
Rule #4: Triple Factor is required for access which is considered “secure”
Rule #5: Assume vendors will let you down. Be demanding, unrelenting
Rule #6: Quadruple factor is required for any information/access where absolute security is required.
Rule #7: Never assume an authenticated person / process is real. It needs to be continuously tested and audited for authenticity.