Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: Some password advice SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Some password advice

No not from me, but from the UK government. 

GZ (thanks) sent a link through to this document https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf published by the UK government.  

The document is a little bit different to many other such advise handed out by many organisations in that it is aimed more at system administrators rather than end users.  As far as the actual advise to system administrators.  It is nothing too revolutionary, but then we are dealing with passwords.  And there isn't anything there that most of us wouldn't agree with.  It does server as a little reminder that we should all be taking some care with passwords.  

The 7 tips are: 

  1. Change default passwords
  2. Help users deal with all their passwords
  3. Understand limitations of user generated passwords
  4. Understand limitations of machine generated passwords
  5. Prioritise Administrators and Remote user accounts
  6. Use account lockouts and protective monitoring
  7. Don't store passwords as plain text

None are earth shattering, yet all of us know that pretty much every organisation has users with passwords of Password123, Changeme, Welcome1 and of course Ashley Madison user favourites 123456.  Numbers 1 and 7 feature in most penetration testing reports you  read or write.

So whilst these tips provided by the UK government aren't new or fantastic I would encourage you to spend a few minutes reading the document and on Monday see how your organisation meets, exceeds or perhaps fails in one or more of them.  

We'll be stuck with passwords for a while yet, we should at least make people work for them a bit harder.  

Cheers

Mark H 

 

Mark

391 Posts
ISC Handler
I'd also add a line about monitoring logins and login failures of priv'd accounts. One thing we've found valuable is monitoring the use of priv'd accounts outside of "normal" hours, and monitoring some special accounts for logins at any hour. For instance, if a US-based sysadmin logs in at 2:00 AM local time then either they're on-call and dealing with an issue (in which case a notification about this login is no big deal) or their account has been compromised. Doh.

At a previous job, when the company went public and I had my first encounter with an auditor, they were horrified that I didn't require frequent password changes... at least until I showed that I had a password cracker running 24x7 on a small cluster. My rule back then was "If I can crack it, you gotta change it".

In today's world of keystroke loggers I'm sure this policy would never pass, but requiring frequent password changes only (IMHO) encourages users to write passwords down or worse, save them in text files. (face-palm) Don't laugh, I've recently encountered a windows admin who did precisely this with all his credentials for network hardware, appliances, support accounts, etc, saying "but it's on a PROTECTED windows share... PROTECTED..."
Brent

121 Posts
Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important. Using a complex, uncrackable 14 character password is meaningless if you're not rotating it when staff members leave...I'd be equally horrified if I were that auditor.

Regarding staff forgetting their passwords or writing them down, the answer is to provide them with a password management tool not to ignore the policy all together.
DB

2 Posts
Quoting DB:Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important.


Oh, absolutely. I shoulda made it clear that the admin who had his credentials stored in cleartext in a file was at a totally different company than the one where I was running a password cracker to test the strength of passwords that were in use. :-) At the small software shop where I ran the cracking systems, we had other sensible policies such as removing accounts when someone left, changing all passwords if someone with elevated privs left the company, etc.

And keep in mind this was a long time ago, back in the days when passwords (on most systems) couldn't be longer than 8 characters anyway - anything you typed beyond the first 8 characters was simply ignored in most systems.

Obviously, these days, password length and complexity is a balancing act we play to thwart brute-force cracking and regular password changes are done partly to thwart brute-forcing but mostly (IMHO) to deal with problems like "shoulder-surfing" or users sharing their passwords, entering them into a silly webform in a phish, writing them down, re-using the same credentials on every cloud app on the planet - password leakage basically.

As more 'n more stuff winds up in "Da Cloud!" (tm) we really should be looking more 'n more at using decent 2-factor instead of just a username/password pair which is rapidly becoming an anachronism.
Brent

121 Posts
Hi,

Strong passwords are always worth for security and better if one could change password every month o run secure online.

Regards,
Asher ross
https://www.eukhost.com/
Asheross

4 Posts
Quoting Brent:
Quoting DB:Not to nitpick or anything, but people storing passwords in clear text or on 'protected' network shares is the exact reason why password rotation policies are so important.


Oh, absolutely. I shoulda made it clear that the admin who had his credentials stored in cleartext in a file was at a totally different company than the one where I was running a password cracker to test the strength of passwords that were in use. :-) At the small software shop where I ran the cracking systems, we had other sensible policies such as removing accounts when someone left, changing all passwords if someone with elevated privs left the company, etc.

And keep in mind this was a long time ago, back in the days when passwords (on most systems) couldn't be longer than 8 characters anyway - anything you typed beyond the first 8 characters was simply ignored in most systems.

Obviously, these days, password length and complexity is a balancing act we play to thwart brute-force cracking and regular password changes are done partly to thwart brute-forcing but mostly (IMHO) to deal with problems like "shoulder-surfing" or users sharing their passwords, entering them into a silly webform in a phish, writing them down, re-using the same credentials on every cloud app on the planet - password leakage basically.

As more 'n more stuff winds up in "Da Cloud!" (tm) we really should be looking more 'n more at using decent 2-factor instead of just a username/password pair which is rapidly becoming an anachronism.


Hi,
Cloud are secure and reliable ways to get data online, but it is worth if one could have a strong password and change it after few days.

Regards,
Asher ross
https://www.eukhost.com/
Asheross

4 Posts

Sign Up for Free or Log In to start participating in the conversation!