Social Network For Security Executives: Help Make Right Cyber Security Decisions
What Is It? The keys to the kingdom are your passwords (or passphrases as the ASD refer to them in their documentation) and must be protected. Your first line of defence in logging on to systems is arguably the most important and their compromise can have far-reaching impacts. We’ve all heard horror stories (and have our own to share) involving passwords yet they still seem to be neglected and abused to no end.
The way systems handle, store, and use passwords varies from platform to platform but the constant is that when the correct combination is entered, we are granted access (or, in a multi-factor authentication scenario, advanced to the next step). Forgetting usernames for a moment, which are their own topic, proper password management should be one of the most basic elements your organisation uses in its front-line defence.
In fact, if you have a security policy, odds are that you have a password policy. Don’t share passwords or write them on sticky notes and affix them to your screen. Use at least “x” characters and use a combination of upper-case and lower-case letters, numbers, and special characters. Followed by not re-using passwords, being forced to change passwords every x days, and lockouts after several attempts, most password policies are vanilla.
Rare is the system that doesn’t have the ability to define a password or at least come with one preset. That said, we still encounter systems with no passwords set (in some cases, manually removed – scary!) or default passwords (who hasn’t at least once had a system that used admin – admin?). While “password” and “P@55w0rd” look vastly different, and while one doesn’t meet requirements and one does, there are still a lot of similarities between them. Rare is the hacker that simply sits at a keyboard trying to guess passwords; most use tools that do this job for them.
Rather than become bogged down in the debate over passwords themselves, let’s instead focus on how passwords themselves are managed and stored because that, often, is how they become compromised. Why try to break into the kingdom when I can simply obtain the keys on my own and nobody will be the wiser as I go about my nefarious deeds.
Nefarious. I like that. Let’s use it more often.
Where Do I Start? Where are your passwords stored? From a technical perspective, they’re hidden somewhere in your operating system, but some devices will still allow you to have your passwords in plain text, easily extracted from the configuration file. From this view, it’s worthwhile understanding how your various systems store passwords and how easily they can be extracted. To this end, the most complex password in the world is useless if I can retrieve it and view it. The point here is how we handle passwords.
Microsoft has released several patches to address potential vulnerabilities with password storage and handling, so I hope you’ve already applied these long ago. As for non-Microsoft equipment, such as routers and switches, it’s worthwhile to revisit how these are configured to make sure you don’t have default passwords or passwords in plain text on your systems. Most devices will allow hashing your passwords so even if they can be extracted, they’re virtually useless. Some passwords, such as the Cisco password 7, can easily be decoded using several online tools.
I shouldn’t must say it, but I’m going to anyway: Don’t write down your passwords on sticky notes and stick them to your screen, keyboard (including underneath) or any obvious location. Do you have notepads on your desk that may have passwords written in them? System documents? User manuals? Text files or removable media that may have the password in it? Sent passwords by email or text, even if they’re in separate messages? A lot of attack vectors just for finding a password, aren’t there?
I once attended a support call where the user had left their password on a sticky note in the middle of the screen. I advised them this was inappropriate behaviour and gave them some tips. When I next arrived a week later, the sticky note on the monitor read “password hidden under keyboard”. Some days you just can’t win!
Maybe you got tricky in the past and wrote it on a piece of paper, sealed it in an envelope and locked it in a drawer. Maybe I can’t find the physical password but if you don’t update it when you change the password, it’s no good to you either. For the record, even if you use a password manager, be sure to secure the master key appropriately.
For what it may be worth, password managers are amazing tools when used correctly. They can satisfy your need for secure password storage, make entering credentials easier, and help generate, manage, and reset passwords as needed including length and complexity requirements. Free or commercial, I’d suggest getting one.
Be wary of applications and websites (particularly web browsers) that offer to remember your authentication details. Be sure that the application you trust with your credentials handles them appropriately by encrypting them and storing them securely.
Once you have a bearing on where and how passwords are stored, it’s worth revisiting your password policy and reminding your users about good password habits. I’ve also seen a shift towards passphrases instead of single words to make the passwords easier to remember but harder to compromise. For example, instead of “P@55w0rd”, use puppybabymonkeyduck. The problem with passphrases is that some sites require complexity in addition to length – and sometimes limit the length, which limits the strength of the phrase. Rather than fight the “The Best Password Is” war, I’ll trust you to do what is right.
For bonus points: Multi Factor Authentication: It’s a good thing. Use it.
How do I make It Work? Aside from possibly the cost of a password manager, most of the things you need to do to protect your authentication credentials is a bit of administration and housekeeping. If you need help, ask, as we’d rather see you manage your passwords (and passphrases) securely. Even if it’s a policy review or some cyber security education, getting the experts involved is a good idea.
Figure out where your passwords are stored and if they’re stored securely. If you don’t have a password policy, create one. If you do have such a policy, review it, and make sure the policy addresses things beyond the password itself, including proper care and feeding of your passwords. Look after your passwords, and they’ll look after you! As with any policy, be sure to have management on board (and by extension, HR and legal if need be). If you find any perceived shortcomings, act to address them.
Pitfalls? A password policy is only effective if it’s usable. Long, complex passwords are great but only if you can remember them. Also, the very method of storing and maintaining your passwords is equally critical and should have some sort of procedure that governs it. The last thing you want to do is find out you must reset your master password on your password manager, which usually wipes the database clean. Some systems must be reset to factory defaults if you can’t get into them. If Windows offers the ability to create a password recovery tool, take them up on it but make sure you store this information as securely!
Ghosts in the Machine? People will always find ways to mess up their passwords and until the day we are able to eliminate passwords completely, we will just must deal with human error. We get fat fingers, we forget passwords while we’re on vacation, and we’ll need to annoy the helpdesk now and then.
Anything Missing? Any time you hear about a breach that might impact you, it’s probably just good practice to keep an eye on your accounts for unusual activity and change your password. If you suspect any type of fraudulent activity, don’t hesitate to contact your management, your account organisation (especially if it’s your bank) or the authorities if need be. Remaining silent and trying to fix things on your own can only make things worse. You closely guard your passport and wallet; your passwords can be just as valuable to the right people.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.
Logan Daley is an Australian Information Assurance Specialist, Freelance Writer, and the founder of Digitally Vicarious: The Digital Footprint Project.