Some password advice - SANS Internet Storm Center

Some password advice
No not from me, but from the UK government. GZ (thanks) sent a link through to this document https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf published by the UK government. The document is a little bit different to many other such advise handed out by many organisations in that it is aimed more at system administrators rather than end users. As far as the actual advise to system administrators. It is nothing too revolutionary, but then we are dealing with passwords. And there isn't anything there that most of us wouldn't agree with. It does server as a little reminder that we should all be taking some care with passwords. The 7 tips are: Change default passwords Help users deal with all their passwords Understand limitations of user generated passwords Understand limitations of machine generated passwords Prioritise Administrators and Remote user accounts Use account lockouts and protective monitoring Don't store passwords as plain text None are earth shattering, yet all of us know that pretty much every organisation has users with passwords of Password123, Changeme, Welcome1 and of course Ashley Madison user favourites 123456. Numbers 1 and 7 feature in most penetration testing reports you read or write. So whilst these tips provided by the UK government aren't new or fantastic I would encourage you to spend a few minutes reading the document and on Monday see how your organisation meets, exceeds or perhaps fails in one or more of them. We'll be stuck with passwords for a while yet, we should at least make people work for them a bit harder. Cheers Mark H	Mark 392 Posts ISC Handler Sep 14th 2015
Thread locked Subscribe	Sep 14th 2015 6 years ago
I'd also add a line about monitoring logins and login failures of priv'd accounts. One thing we've found valuable is monitoring the use of priv'd accounts outside of "normal" hours, and monitoring some special accounts for logins at any hour. For instance, if a US-based sysadmin logs in at 2:00 AM local time then either they're on-call and dealing with an issue (in which case a notification about this login is no big deal) or their account has been compromised. Doh. At a previous job, when the company went public and I had my first encounter with an auditor, they were horrified that I didn't require frequent password changes... at least until I showed that I had a password cracker running 24x7 on a small cluster. My rule back then was "If I can crack it, you gotta change it". In today's world of keystroke loggers I'm sure this policy would never pass, but requiring frequent password changes only (IMHO) encourages users to write passwords down or worse, save them in text files. (face-palm) Don't laugh, I've recently encountered a windows admin who did precisely this with all his credentials for network hardware, appliances, support accounts, etc, saying "but it's on a PROTECTED windows share... PROTECTED..."	Brent 133 Posts
Quote	Sep 15th 2015 6 years ago
Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important. Using a complex, uncrackable 14 character password is meaningless if you're not rotating it when staff members leave...I'd be equally horrified if I were that auditor. Regarding staff forgetting their passwords or writing them down, the answer is to provide them with a password management tool not to ignore the policy all together.	DB 2 Posts
Quote	Sep 16th 2015 6 years ago
Quoting DB:Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important. Oh, absolutely. I shoulda made it clear that the admin who had his credentials stored in cleartext in a file was at a totally different company than the one where I was running a password cracker to test the strength of passwords that were in use. At the small software shop where I ran the cracking systems, we had other sensible policies such as removing accounts when someone left, changing all passwords if someone with elevated privs left the company, etc. And keep in mind this was a long time ago, back in the days when passwords (on most systems) couldn't be longer than 8 characters anyway - anything you typed beyond the first 8 characters was simply ignored in most systems. Obviously, these days, password length and complexity is a balancing act we play to thwart brute-force cracking and regular password changes are done partly to thwart brute-forcing but mostly (IMHO) to deal with problems like "shoulder-surfing" or users sharing their passwords, entering them into a silly webform in a phish, writing them down, re-using the same credentials on every cloud app on the planet - password leakage basically. As more 'n more stuff winds up in "Da Cloud!" (tm) we really should be looking more 'n more at using decent 2-factor instead of just a username/password pair which is rapidly becoming an anachronism.	Brent 133 Posts
Quote	Sep 17th 2015 6 years ago
Hi, Strong passwords are always worth for security and better if one could change password every month o run secure online. Regards, Asher ross https://www.eukhost.com/	Asheross 4 Posts
Quote	Sep 19th 2015 6 years ago
Quoting Brent: Quoting DB:Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important. Oh, absolutely. I shoulda made it clear that the admin who had his credentials stored in cleartext in a file was at a totally different company than the one where I was running a password cracker to test the strength of passwords that were in use. At the small software shop where I ran the cracking systems, we had other sensible policies such as removing accounts when someone left, changing all passwords if someone with elevated privs left the company, etc. And keep in mind this was a long time ago, back in the days when passwords (on most systems) couldn't be longer than 8 characters anyway - anything you typed beyond the first 8 characters was simply ignored in most systems. Obviously, these days, password length and complexity is a balancing act we play to thwart brute-force cracking and regular password changes are done partly to thwart brute-forcing but mostly (IMHO) to deal with problems like "shoulder-surfing" or users sharing their passwords, entering them into a silly webform in a phish, writing them down, re-using the same credentials on every cloud app on the planet - password leakage basically. As more 'n more stuff winds up in "Da Cloud!" (tm) we really should be looking more 'n more at using decent 2-factor instead of just a username/password pair which is rapidly becoming an anachronism. Hi, Cloud are secure and reliable ways to get data online, but it is worth if one could have a strong password and change it after few days. Regards, Asher ross https://www.eukhost.com/	Asheross 4 Posts
Quote	Sep 19th 2015 6 years ago

No not from me, but from the UK government.

GZ (thanks) sent a link through to this document https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf published by the UK government.

The document is a little bit different to many other such advise handed out by many organisations in that it is aimed more at system administrators rather than end users. As far as the actual advise to system administrators. It is nothing too revolutionary, but then we are dealing with passwords. And there isn't anything there that most of us wouldn't agree with. It does server as a little reminder that we should all be taking some care with passwords.

The 7 tips are:

Change default passwords
Help users deal with all their passwords
Understand limitations of user generated passwords
Understand limitations of machine generated passwords
Prioritise Administrators and Remote user accounts
Use account lockouts and protective monitoring
Don't store passwords as plain text

None are earth shattering, yet all of us know that pretty much every organisation has users with passwords of Password123, Changeme, Welcome1 and of course Ashley Madison user favourites 123456. Numbers 1 and 7 feature in most penetration testing reports you read or write.

So whilst these tips provided by the UK government aren't new or fantastic I would encourage you to spend a few minutes reading the document and on Monday see how your organisation meets, exceeds or perhaps fails in one or more of them.

We'll be stuck with passwords for a while yet, we should at least make people work for them a bit harder.

Cheers

Mark H

Mark

392 Posts
ISC Handler

Sep 14th 2015

I'd also add a line about monitoring logins and login failures of priv'd accounts. One thing we've found valuable is monitoring the use of priv'd accounts outside of "normal" hours, and monitoring some special accounts for logins at any hour. For instance, if a US-based sysadmin logs in at 2:00 AM local time then either they're on-call and dealing with an issue (in which case a notification about this login is no big deal) or their account has been compromised. Doh.

At a previous job, when the company went public and I had my first encounter with an auditor, they were horrified that I didn't require frequent password changes... at least until I showed that I had a password cracker running 24x7 on a small cluster. My rule back then was "If I can crack it, you gotta change it".

In today's world of keystroke loggers I'm sure this policy would never pass, but requiring frequent password changes only (IMHO) encourages users to write passwords down or worse, save them in text files. (face-palm) Don't laugh, I've recently encountered a windows admin who did precisely this with all his credentials for network hardware, appliances, support accounts, etc, saying "but it's on a PROTECTED windows share... PROTECTED..."

Brent

133 Posts

Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important. Using a complex, uncrackable 14 character password is meaningless if you're not rotating it when staff members leave...I'd be equally horrified if I were that auditor.

Regarding staff forgetting their passwords or writing them down, the answer is to provide them with a password management tool not to ignore the policy all together.

DB

2 Posts

Quoting DB:Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important.

Oh, absolutely. I shoulda made it clear that the admin who had his credentials stored in cleartext in a file was at a totally different company than the one where I was running a password cracker to test the strength of passwords that were in use. :-)

At the small software shop where I ran the cracking systems, we had other sensible policies such as removing accounts when someone left, changing all passwords if someone with elevated privs left the company, etc.

And keep in mind this was a long time ago, back in the days when passwords (on most systems) couldn't be longer than 8 characters anyway - anything you typed beyond the first 8 characters was simply ignored in most systems.

Obviously, these days, password length and complexity is a balancing act we play to thwart brute-force cracking and regular password changes are done partly to thwart brute-forcing but mostly (IMHO) to deal with problems like "shoulder-surfing" or users sharing their passwords, entering them into a silly webform in a phish, writing them down, re-using the same credentials on every cloud app on the planet - password leakage basically.

As more 'n more stuff winds up in "Da Cloud!" (tm) we really should be looking more 'n more at using decent 2-factor instead of just a username/password pair which is rapidly becoming an anachronism.

Brent

133 Posts

Hi,

Strong passwords are always worth for security and better if one could change password every month o run secure online.

Regards,
Asher ross
https://www.eukhost.com/

Asheross

4 Posts

Quoting Brent:
Quoting DB:Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important.

Oh, absolutely. I shoulda made it clear that the admin who had his credentials stored in cleartext in a file was at a totally different company than the one where I was running a password cracker to test the strength of passwords that were in use. At the small software shop where I ran the cracking systems, we had other sensible policies such as removing accounts when someone left, changing all passwords if someone with elevated privs left the company, etc.

And keep in mind this was a long time ago, back in the days when passwords (on most systems) couldn't be longer than 8 characters anyway - anything you typed beyond the first 8 characters was simply ignored in most systems.

Obviously, these days, password length and complexity is a balancing act we play to thwart brute-force cracking and regular password changes are done partly to thwart brute-forcing but mostly (IMHO) to deal with problems like "shoulder-surfing" or users sharing their passwords, entering them into a silly webform in a phish, writing them down, re-using the same credentials on every cloud app on the planet - password leakage basically.

As more 'n more stuff winds up in "Da Cloud!" (tm) we really should be looking more 'n more at using decent 2-factor instead of just a username/password pair which is rapidly becoming an anachronism.

Hi,
Cloud are secure and reliable ways to get data online, but it is worth if one could have a strong password and change it after few days.

Regards,
Asher ross
https://www.eukhost.com/

Asheross

4 Posts