ITC Security Threat of the Week – Week 5: Passwords – Complex or Simple
Risks
- Over-the-shoulder attack: when a person types in his or her password, someone might be able to observe what is typed and hence steal the password by looking over the person's shoulder, or by indirect monitoring using a camera.
- Brute-force attack: because a password has a finite length, usually 8 alphanumeric characters, an attacker can use programs that automatically generate passwords, trying all possible combinations until a valid password is found.
- Sniffing attack: when a password is sent over a network, it could be captured by network sniffing tools if the network channel is not properly encrypted or by the use of keyloggers on the victim machine.
- Login spoofing attack: this is where an attacker sets up a fake login screen that is similar in look-and-feel to the real login screen.
How to educate End Users?
- Use a password with a mix of at least six mixed-case alphabetic characters, numerals and special characters.
- Use a password that is difficult to guess but easy for you to remember, so you do not have to write it down.
- Use a password that you can type quickly, without having to look at the keyboard, thereby preventing passers-by seeing what you are typing.
- Change your password frequently, at least every 90 days.
- Change the default or initial password the first time you log in.
- Change your password immediately if you believe that it has been compromised. Once done, notify the system/security administrator for follow-up action.
Discussion
You are most likely all aware of what happens next.
Last time you were prompted to change your credentials, you set an excellent password.
It all comes down to that 30th or 60th or 90th etc. day.
Yes, I am referring to the “Your password has expired” message with the red cross.
What is next? Most of us would try to think of another complex password (because we do not want to repeat the previous one, or the policies in place prevent us from doing so) that is complex enough to give us peace of mind, but still "easy" enough to remember.
The problem/challenge is that simple passwords are user friendly, but generally easy to crack.
On the other hand, complex passwords often end up on a post-it, for example, and sometimes even attached to the monitor.
What is the Solution?
What if there was an alternative?
Recent research has indicated that there might be a better way of managing passwords.
A multi-word random phrase can make a better password, according to a number of articles.
The reason is due to the following characteristics of the possible password-phrases:
– Lower case letters
– Upper case letters
– Special Characters – for example “space”, !, -, etc.
– Numbers
– Length – it is not a limitation any longer, due to the phrase being easy to remember
– Easy to remember
– Because it is easy to remember End Users will not feel the need to write these down
All of the above corresponds with the following document:
http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices
Strong Passwords should contain at least 4 of the following:
– uppercase letters such as A, B, C;
– lowercase letters such as a, b,c;
– numerals such as 1, 2, 3;
– special characters such as $, ?, &; and
– alt characters such as µ, £, Æ.
Alternative solutions also include one-time password tokens.
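To make the "complex versus long" argument concrete, the following Python script is an added example (not code from the original post or from ITC) that checks a candidate password against the "at least 4 of 5 character classes" rule above and estimates the brute-force effort for a short complex password versus a multi-word phrase. The class sizes, the 7776-word dictionary (the size of a Diceware list) and the sample passwords are assumptions constructed for the example.

```python
import math
import string

# Character classes from the guidance above. "alt" covers printable characters
# outside ASCII, such as the µ, £ and Æ examples. The 33 ASCII specials are the
# 32 punctuation characters plus space (a space is what separates phrase words).
ASCII_SPECIAL = set(string.punctuation + " ")

# Assumed alphabet size an attacker has to cover for each class (the 128 for
# "alt" is a rough guess for the Latin-1 range, chosen for this example only).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 33, "alt": 128}


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in ASCII_SPECIAL:
            classes.add("special")
        elif ch.isprintable():
            classes.add("alt")
    return classes


def meets_policy(password: str, min_length: int = 8, min_classes: int = 4) -> bool:
    """The 'at least 4 of 5 classes' rule, plus a minimum length (8 assumed)."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


def brute_force_bits(password: str) -> float:
    """Upper bound on brute-force work in bits: log2(alphabet ** length),
    where the alphabet is the union of the classes actually used."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Work in bits for a randomly chosen phrase when the attacker knows the
    word list: log2(dictionary_size ** word_count). This is the honest figure
    for a phrase; brute_force_bits() overstates it because it treats the
    letters as independent."""
    return word_count * math.log2(dictionary_size)


if __name__ == "__main__":
    # Constructed sample inputs.
    complex_pw = "Tr0ub4d&r"                    # 9 chars, 4 classes
    phrase_4 = "correct horse battery staple"   # 4 random words, space-separated
    print(complex_pw, sorted(character_classes(complex_pw)), meets_policy(complex_pw))
    print(f"brute force, complex password : {brute_force_bits(complex_pw):.1f} bits")
    print(f"brute force, 4-word phrase    : {brute_force_bits(phrase_4):.1f} bits")
    print(f"known word list, 4 words      : {passphrase_bits(4):.1f} bits")
    print(f"known word list, 6 words      : {passphrase_bits(6):.1f} bits")
```

The output shows the trade-off the post is describing: the 9-character, 4-class password sits at roughly 59 bits of brute-force effort, while a 4-word phrase is about 52 bits if the attacker knows the word list but far more against a character-by-character search. Because length is no longer a burden for a phrase the user can remember, adding two more words (about 78 bits) overtakes the complex password without putting anything on a post-it.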
References
http://community.spiceworks.com/topic/292538-passwords-the-security-tool-that-loves-to-be-insecure
ITC Secure Networking
Passwords in IT security pose risks that make SIEM solutions, Intrusion Prevention systems and next generation firewalls a must have in today's computing world.
ITC Secure Networking Netsure 360 platform includes the following tools that can help your organization to stay on top of the challenges password management poses:
– CryptoCard
– CyberArk
ITC also provides a wide variety of solutions that can help you and your organization to detect and mitigate possible online attacks, for example:
– Palo Alto Threat Prevention
– HP ArcSight SIEM
– Cisco and Checkpoint IPS
– QualysGuard Vulnerability Scanner
The listed items are available in the form of both Consultancy and Managed Service.
To learn more about ITC Secure Networking and the services we offer, please visit our website: www.itcsecurity.com.