Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Fixing weak passwords

Access & Identity Management Handbook 2011 Information Security

Chris Stoneff, senior product manager at Lieberman Software

Passwords have been with us for ages, administrators and users need to rethink password security policies if they are to be truly effective.

Passwords have been present in information technology since the earliest days, but it is only in the last five years that computers have become powerful enough to crack common passwords in a sensible timeframe.

Websites such as wpacracker.com show how easy it is to crack a WiFi password, and vendors such as Elcomsoft have released ‘password recovery’ applications that tap into the power of PC graphics cards to accelerate the ‘recovery’ (in reality, cracking) process.

Today, eight-character passwords can be cracked by consumer password recovery software in under an hour, and more experienced hackers armed with rainbow tables and other free tools can crack 14-character passwords – including alpha-numeric passwords with special characters – in less than three minutes. This makes it imperative for technology users to adopt longer, stronger passwords.

In fact, adding numeric characters to a password – creating a passphrase – can significantly increase the time needed by even the best cracking software, running on the latest six-processor equipped machine, to the point where brute force hacking of passphrases becomes impractical.

That is not to say that hackers and their technology will not advance in the near future – perhaps through fractal calculation techniques – to negate even this level of protection. So what can be done in your organisation to encourage staff not to use weak passwords?

The answer is to encourage the use of stronger passphrases and mandate that users update their passphrases on a regular basis. These updates can provide some measure of protection should a passphrase ever be compromised – say, in a hotel, a railway station, or even in the office. It is also advisable to configure rules to prevent users from cycling through old, previously used passphrases.

Many organisations set passphrases to expire within 60 days or less, and require both a minimum length, minimum age, and the use of special characters. These practices should be followed even in organisations where two-factor authentication (such as hardware tokens) are in place.

Less obvious rules

Within the IT department – and for Windows users – administrators should set the group policy to disable LANMan hashes. LANMan hashes are notoriously easy to extract and crack using brute force methods or freely available rainbow tables that provide a pre-computed list of hashes. The policy is located under \computer configuration\windows settings\security settings\local policies\security options\network security, and is configured by changing the setting to ‘do not store LAN manager has value on network password change = ENABLED.’

It is also advisable to set a minimum passphrase length of 15 characters, as this is the critical length where, regardless of other policies, LANMan hashes cannot exist in Windows systems.

Administrators should also set all in-built admin accounts (eg, administrator, root, sa, sys and so on) to have frequently updated passphrases that are different amongst all accounts. This particular recommendation purposefully breaks the peer-to-peer model of the Windows network and ensures that a breach of one system’s administrator account does not affect others.

It is especially critical to ensure that no two administrator accounts ever have the same passphrase. Otherwise, should one of these superuser accounts be compromised, other accounts and applications will be breached.

Also keep in mind that there are scenarios – such as restarting the computer in safe-mode – when disabled administrator accounts can be re-activated without user intervention. Therefore it is essential to continuously audit all superuser accounts in such a way that unusual activity is quickly discovered and the appropriate actions taken.

Fortunately there are software solutions available to help you continuously secure and audit the superuser credentials required for administrator logins, application-to-application transactions and highly privileged computer services.

User guidance

Do not include easily-guessed information in your passwords such as birthdays, family and pet names, or words for things in front of the computer system. Also, do not start with easily guessed words or common words such as ‘password’ and simply replace characters such as 'a' with an '@' or 'o' with a zero. Hackers know this strategy and their software knows it too.

Do not use the same passphrase for multiple logins – and in particular do not mix personal passphrases with business ones. Keep everything separate so that even if one account is compromised, the rest are secure.

Never give anyone – including IT staff – your password. If an administrator truly needs your passphrase, change it before disclosing it, then change it back when they no longer need access and ensure you are present when they are using your account.

Do not click links in e-mails from unknown senders, no matter how attractive or urgent they seem. And if your browser starts displaying pop-ups with unusual frequency or appearance – no matter where you are browsing – close your browser and scan your system for malware and adware. And then there are the not-so-obvious points...

Even when logging onto websites, use passphrases that are 15 characters long whenever allowed. This can help safeguard your account on sites whose administrators may not be protecting stored passphrases by disabling vulnerable hashing algorithms.

If you do online banking, be sure to logout after each session. This invalidates the login session stored on your system. Then close all browser windows before leaving your machine. If you are using a tabbed browser, simply closing the single tab is not enough. You must close all browser tabs and windows to clear the cached data from further use.

Do not allow browsers to store your passphrases for you, as not all browsers store your logins in a secure fashion.

Lastly, users should never configure a computer to automatically log them on. If your system is configured for auto-logon, Windows may actually store your passphrase in clear text within the registry of the system in one or more well-known locations. This mistake can give even the most amateurish of hackers both access to your system and knowledge of your passphrase – a potentially dangerous combination.

Conclusions

Effective passphrase security is often said to be a 'state of mind', and we have heard words such as 'holistic' used to describe the process.

In truth, all that is needed to create a more secure environment is the right set of automated building blocks – security policies – that are enforced by automated systems, audited and reviewed to account for current and future security threats.

To achieve real security it is also essential to collaborate with end users with no less zeal than hackers collaborate amongst themselves to develop the tools to put your organisation at risk. Remember to automate as many processes as you can to secure and audit your organisation’s passphrases. This decreases the likelihood of any weaknesses being overlooked, and increases the odds of your being alerted to any unusual activity.

Hackers think creatively when it comes to compromising your network, so developing a comprehensive strategy using tested building blocks is the right way to help defend your digital assets.





Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

What are MFA fatigue attacks, and how can they be prevented?
Information Security
Multifactor authentication is a security measure that requires users to provide a second form of verification before they can log into a corporate network. It has long been considered essential for keeping fraudsters out. However, cybercriminals have been discovering clever ways to bypass it.

Read more...
SA's cybersecurity risks to watch
Information Security
The persistent myth is that cybercrime only targets the biggest companies and economies, but cybercriminals are not bound by geography, and rapidly digitising economies lure them in large numbers.

Read more...
Cyber insurance a key component in cyber defence strategies
Information Security
[Sponsored] Cyber insurance has become a key part of South African organisations’ risk reduction strategies, driven by the need for additional financial protection and contingency plans in the event of a cyber incident.

Read more...
Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...











SMART Security Business Directory



Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.