Top 10 Network Security Mistakes – #9: Bad Password Hygiene
August 22, 2013
Now that you’ve fixed the issues with DMZ networks, it’s time to look for new opportunities for improvement.
Are your admin credentials a bit funky? Not Bootsy Collins funky, but bottom of your farm boots funky? Have a seat, let’s talk.
This topic is, of course, much larger than Network Security. It’s part of security as a whole at the cellular level. But we are talking about it here because poor password habits on networking equipment can carry a nuclear payload if exploited. Total infrastructure pwnage.
You won’t just lose control of the device that’s been snatched from your clammy hands. You’ll lose control of everything that goes through it, too.
What passes through your firewalls? All your organizational traffic.
All. Of. It.
Your unencrypted IMAP passwords for your personal email account. Your IM credentials. Your WeatherBug widget. All of it. Those passwords wouldn’t even be sitting ducks. They’d be ducks that plucked, seasoned, cooked, then served themselves to you with a side of asparagus risotto topped with crème fraiche. Mmm, roast plaintext passwords.
Even worse, if you have a newer firewall or proxy, you might have SSL interception enabled, in which case, all your SSL/TLS sessions to your bank, credit card, Facebook, Gmail, LinkedIn and peopleofwalmart.com accounts are compromised as well.
But of course, you don’t do that stuff at work, right? So, we probably don’t need to worry about it too much.
Buuuuuuut, just for giggles, let’s say it happened. Once. By accident. Over lunch. When those cube vandals stumbled upon your unlocked laptop, and posted pics of you in lederhosen because you forgot to lock your machine in all the excitement about free sandwiches left over from the meeting in the Northstar conference room. Just that once.
Then what? Are your passwords being bought and sold like sticks of gum in prison? If you’ve lost control of your networking equipment, let’s just assume they are. So, now we’ve got credentials so funky even prison gum can’t help.
What to do, what to do…
Bad password hygiene can take many forms. Let's cover a few of these in more detail. And let’s make it a game. We’ll call it Credential Golf, the lower your score, the better off you are:
- Default passwords – If you have ANYTHING on your network that still has a default password on it, you are in luck. All you have to do is look on the internet for default password lists. How handy is that? I Haz Root!
Fix: Disconnect it, flash the rom and sell it on eBay in “as is” condition. Do not pass go, do not collect a red stapler. Add 8 strokes.
- Simple passwords – Okay, at least you changed your passwords. But you changed it to something with six characters or less or with all the same case letters. Without getting into factorial math, let’s just say there are a finite number of options of six character passwords, and they are all known. You get a pat on the head for at least trying.
Fix: Make ‘em longer, make ‘em stronger. Eight characters is a start, but you make guessing/bruting/cracking/hashing more difficult with each character you add. 16 characters is a good length to shoot for. Use a random mix of upper and lower case, numbers and special characters. I still believe in the correcthorsebatterystaple as well. Lengthy passphrases are less effective against GPU hashing, but good for many uses nonetheless. Add 3 strokes.
- Easy-to-guess passwords – If your passwords involve any of the following elements, you’re busted: birthdays, company names, vendor names, product names, addresses, pet names, password123, qwerasdf, 1234567890, etc.
Fix: At least include some special chars or something, sheesh. Add 2 strokes.
- Serialized passwords – Do you find it easier to use just one password for all your accounts? That does simplify things greatly, and frankly, I can identify with you. I can only throw small rocks of hypocrisy on this one. But, it is still a bad habit. The fact is, if you or I use the same username and password on one site, and those become known, attackers will try to use them on other common sites.
Fix: Don’t use any password in more than one place. Add 4 strokes.
- Passwords saved in insecure places – This one is a killer because people are just so dang clever about it. Here’s a few common ones off the top of my head: on a post-it note, under your keyboard, on a slip of paper in your desk drawer, in a plain-text file saved on your workstation, in an excel file on a network shared drive, in a saved email, in your purse/wallet, in your phone or in one of these. If you have unencrypted passwords in any of these places, it’s like putting your prized poodle on a hook and dangling it over shark infested waters. To be fair, the sharks do not have laser beams on their heads. Laser or not, they will devour your dog.
Fix: Never save passwords in unencrypted format. At a very minimum, use Axcrypt or a similar solution to encrypt your saved password files if they don’t have built-in encryption. Add 8 strokes, unless you named your dog Chum, in which case, just add 7 for your macabre self-awareness.
- Bad ideas I haven’t even thought of yet – The pioneer spirit is alive in all of us and given boundless time, a few shakes of creativity, a dash of laziness and a bent for not thinking things through, or perhaps just naivety, I’m confident new and astounding ways will be found in which passwords can be mismanaged. Perhaps you can be the bad-password Neo. Point values to be determined.
Score Card Check
Let’s see how you did. Add up all your offenses, and see where you land:
0-3: You are well on your way to not having to explain a massive breach. Keep it up!
4-7: Your heart is in the right place, we just need to fix you up a bit.
8+: Update your resume. But maybe don’t mention your current job.
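Credential Golf can be run as an audit over a credential inventory. The script below is an added example, not part of the original post: the stroke values and score bands are the post's, while the word lists, device names and the rule that each offence type counts once are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample data: a tiny stand-in for a public default-credential
# list and for words tied to the organisation (company, pets, keyboard walks).
DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
GUESSABLE = ("password", "qwerasdf", "1234567890", "acme", "fluffy")
YEAR = re.compile(r"(19|20)\d\d")  # birthdays and dates

# Stroke values as assigned in the post.
STROKES = {"default": 8, "simple": 3, "guessable": 2, "reused": 4}

def offences(user, password, use_count):
    """Return the offence names that apply to one credential."""
    found = set()
    if (user.lower(), password.lower()) in DEFAULTS:
        found.add("default")
    if len(password) <= 6 or password.islower() or password.isupper():
        found.add("simple")
    lowered = password.lower()
    if any(w in lowered for w in GUESSABLE) or YEAR.search(password):
        found.add("guessable")
    if use_count > 1:
        found.add("reused")
    return found

def score(inventory):
    """Score (device, user, password) rows; each offence type counts once."""
    uses = Counter(pw for _, _, pw in inventory)
    per_device = {dev: offences(u, pw, uses[pw]) for dev, u, pw in inventory}
    seen = set().union(*per_device.values())
    return sum(STROKES[o] for o in seen), per_device

def verdict(total):
    """Map a stroke total onto the post's three score bands."""
    return "0-3" if total <= 3 else "4-7" if total <= 7 else "8+"

# Constructed inventory; real input would come from an audited credential store.
INVENTORY = [
    ("fw-edge", "admin", "admin"),
    ("core-sw1", "netops", "Acme2013!"),
    ("core-sw2", "netops", "Acme2013!"),
    ("vpn-gw", "netops", "t7#Qm!9vLx2@Rk4z"),
]

if __name__ == "__main__":
    total, detail = score(INVENTORY)
    for device, found in detail.items():
        print(f"{device:9} {sorted(found)}")
    print(f"strokes: {total} -> band {verdict(total)}")
```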
Just for some perspective: this inexhaustive list only targets good old fashioned single factor passwords. Which as we know, are about as safe as a gravy-drenched lamb at WolfCon. Single-factor authentication will always have weaknesses due to the static nature of the credential. But, if they must be used, password management tools are the best option for using single factor credentials. I prefer KeePass, but there are apparently around 241,000,000 other options according to Larry Page.
To use a password manager optimally, follow these guidelines:
- Choose the longest, most complex password the system will allow.
- Use a random password generator.
- Use different passwords for each site or application.
- Use a long, strong, memorable master passphrase to lock the database – no shorter than 16 characters.
- Save your database in at least two places. In theory, the database file is useless without the passphrase, but I wouldn’t suggest posting it to Facebook.
Want something stronger?
Many organizations are moving to multi-factor authentication (MFA) or strong authentication. The idea with multi-factor credentials is that users must have something more than just a static password to gain access. Passwords are something you know. By adding a secondary something you have or something you are component to your credentialing process, greater assurance can be achieved since one factor would be useless without the other. There are many different flavors of multi-factor solutions, but most use some combination of:
- One-Time Passwords – These are ever-changing codes that replace or reinforce traditional passwords. Now you won’t have to change your dog’s name every 90 days! This is a very good system as long as the seed values do not become compromised, and you have an acceptable delivery mechanism.
- Smart Cards – Physical cards that you carry with you and swipe when necessary. Extremely secure, but not terribly easy to implement or manage.
- Call and Response – The most common versions are graphic cards that look like a bingo game. The system asks you for a random series of coordinates, and you feed back the values. Keep away from photocopiers, cameras and wandering eyes.
- Certificates – Software-based entities that use complex mathematics to generate irreversible values that are capable of mutual authentication. These are generally very secure but not very portable.
- Biometrics – Typical implementations use fingerprints, retina scans, hand scans, voice analysis and facial recognition. I personally believe these are more useful for psychological reasons than for security reasons. Their security value varies from solution to solution, but they are typically either expensive, or not terribly reliable.
- USB Dongles – USB dongles can be clever, portable delivery vehicles for complex passwords, certificates and other neat-o functions. A bit of a pain to use, and let’s be blunt: there are numerous systems I wouldn’t be comfortable plugging my super-duper, secret credential store into.
- Mobile Devices – A new wave of solutions is arriving based on the ridiculously fast adoption of mobile devices, most of which are smartphones. Soft tokens and SMS are still the preferred vehicles, but smart people are coming up with all sorts of other cool ideas. I believe this will become the de facto delivery method for MFA, though there will almost certainly be bumps down that road.
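To make the One-Time Passwords item concrete, here is how the standard HOTP (RFC 4226) and TOTP (RFC 6238) codes are derived from a seed, and why a leaked seed defeats the scheme. This is an added example, not code from the original post; the `verify` helper and its replay rule are illustrative assumptions, and the seed is the published RFC test value.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, int(at) // step, digits)

def verify(seed, submitted, at, last_counter, step=30, window=1):
    """Check a code within +/- window steps and reject replayed counters.

    Returns the matched counter (the caller stores it as last_counter)
    or None when the code is wrong, stale or already used.
    """
    now = int(at) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue  # already used: a captured code cannot be replayed
        if hmac.compare_digest(hotp(seed, counter), submitted):
            return counter
    return None

# Seed from the RFC 4226 / RFC 6238 test vectors, not a real secret.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    t = 59  # RFC 6238 test time, which falls in counter step 1
    code = totp(RFC_SEED, t)
    matched = verify(RFC_SEED, code, t, last_counter=0)
    print(code, matched)
    print(verify(RFC_SEED, code, t, last_counter=matched))  # replay is refused
    # Anyone holding the seed computes the same code: protect it like a key.
    print(totp(RFC_SEED, t) == hotp(RFC_SEED, 1))
```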
Let’s wrap this up in time for coffee:
The big picture here is that single-factor passwords are known liabilities that will become almost totally useless as the size of known values and power of computing increase with time. You can probably squeeze a few more years of reasonable-ish value from passwords by using them wisely.
But for the long term, you may want to start looking into the many options for multi-factor authentication to see what fits your needs and budget best. Or, just send your passwords to Ellen for safekeeping.