Security Awareness Blog

Security Awareness Topic #6 - Passwords

This post is the six in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics with greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start. For the sixth topic I like to focus on passwords. Passwords are one of the most common in any information awareness program, however passwords are also a topic that I feel is far too often abused, we sometimes do more harm then good with this topic.

Secure use of passwords are critical, they are the keys to the kingdom. If an individual's or organization's password is compromised, then an attacker can access everything they are trying to protect. In addition, an attacker can then impersonate the victim and gain access to other resources. As such, password best practices are something many organizations focus on. Here are what I consider some of the key learning objectives for awareness, but in addition some learning objectives that I feel are overblown.

  • Complexity: One of the first things every organization focus on is password complexity. I see organizations moving to 12 character passwords with one CAPITAL, one number, one symbol, and changed every ninety days. In a previous blog post I argue this may be overkill, we are potentially doing more harm and good. I feel we need just as much focus, if not more on these additional topics.
  • Sharing: Often employees feel comfortable sharing passwords with other employees or supervisors. This is a dangerous practice. First, you lose accountability, you cannot track who did what because people have shared accounts. In addition, once a password is shared it may become more shared then expected, including with unethical employees.
  • Dual Use: Many users will use the same password for all their accounts. While some sharing of passwords I feel is acceptable, it should be only for non-critical accounts. If your Facebook, Flickr and Blog commentary passwords are the same, that is perhaps acceptable risk. What is not acceptable is your Flickr login and password being the same as your work or online banking login and password.
  • Public Computers: Another one is logging into confidential networks but from public computers, such as at an Internet Cafes, hotel lobbies or airport terminals. These computers may be infected or at the very least residing on compromised networks. End users should authenticate only on trusted systems they control.
  • Phishing: No one should ever ask an end user for their password. Reinforce this lesson. If someone asks for a password assume they are an attacker. This is a simple lesson that should be continually reinforced.
  • Owned: Finally, if you think about it most compromised passwords happen from keystroke logging malware, not brute forcing. If you truly want to protect your passwords, then protect end user computers from getting infected!

7 Comments

Posted December 14, 2010 at 6:28 PM | Permalink | Reply

Paul

Dual use sure is getting a lot of play with Gawker, Twitter hacks, etc, etc. With many systems utilizing pass-through authentication of Active Directory credentials, how do we convince corporate users that dual-use is a "bad" thing? They see one password granting access to many system in-house''.
And not be overly pedantic, but they keypad in your graphic doesn't make sense. If it's a hex-key entry system, the key below the "8" should be "C", not "A" as shown.

Posted December 14, 2010 at 9:34 PM | Permalink | Reply

lspitzner

Paul, great point, dual use definitely has its risks. One of the interesting things the security team at Facebook is seeing is cyber criminals using automated tools to test victims for specifically this purpose. In other words, when criminals compromise someone's Twitter account, they assume the same credentials are most likely used at other sites and then used automated tools to attempt to login to many other commonly used sites (Facebook, Gmail, Flick, etc). As for the numbering pad, great catch I never even saw that! You have just proved your geekness

Posted December 21, 2010 at 3:38 PM | Permalink | Reply

HJohn

I've seen some reasonable solutions to dual use. Last month, i signed into Facebook from Canada, first time ever signing in from out of the country, and it made me identify the friends in a series of pictures as a second layer.
My bank also does something similar, if it doesn't recognize my computer it prompts to send a 8-digit code to an email address or phone number. It's a reasonable control, meaning a fraudster must have compromised two accounts (physically or logically) in order to access my bank account. However, dual use could kill this''"if someone obtains a bank password because it is the same as the poorly secured email password on the account the bank will send the code to, then the fraudster is in.

Posted December 21, 2010 at 4:14 PM | Permalink | Reply

lspitzner

Great points. My bank does the same. If my computer/browser has changed, or even if I wiped my cookies, my bank requires me to re-authenticate via my mobile phone. It sends a 6 digit code to a pre-registered mobile number, which I then have to enter online. This is great as it is a simple two factor authentication mechanism that uses a second device, helping reduce risk. I'm seeing this trend more and more. However at some point we are going to hit critical mass, all the attacks we associate with standard computers will simply migrate to smartphones. We are not there yet, but I feel heading there fast. It is a market simply too profitable for cyber criminals to ignore.

Posted December 21, 2010 at 4:42 PM | Permalink | Reply

HJohn

Thank you for your response, and for your efforts here. I must confess I've been sucked in and spent a lot of time reading it the past few days.
I've been an auditor specializing in technology for nearly 13 years. I end up at odds with many in my profession for not fully promoting the ideals at times. Sometimes it is misunderstood as disagreeing with the ideals, which is not the case. Most see "what is" and "what ideally should be" and go all out for the ideal. My focus is on what is reasonably attainable and affective. The best strategy in the world fails if no one will accept it or live up to it.
That ties into my password and authentication philosophy. Most people deal with passwords to accounts for work networks, work applications, home, email, facebook, subscriptions, banks, credit cards, utlities, phone services, retirement accounts, Netflix, professional affiliations, retailers, travel, etc. etc. etc, many of which have financial implications (and dual use risks). Pitching ideal password management as a solution is like telling a pitcher to save the game by throwing 200 mph fastballs''"would work if someone could actually do it.
Keep up the good work,
HJohn, CIA, CISA

Posted January 3, 2011 at 4:55 PM | Permalink | Reply

ASudderth, CISA

These are great points however it is very difficult to convince corporate users that dual-use is a "bad" thing. What about implementing 2-factor authentication for your sensitive/confidential data. Users will most likely always "dual-use" passwords; implementing a token, biometric, or some other factor can eliminate this risk to an acceptable level.

Posted January 6, 2011 at 12:52 PM | Permalink | Reply

lspitzner

Ashley,
I fully agree. I think dual factor authentication is a wonderful thing. It solves a tremendous amount of risks in common password by taking the human factor out. The key though is making it simple to use. One trend that I think works well is how many organizations (such as banks) use mobile phones as the 2nd authentication factor.