IT - Password Control - Deficiencies 1043

  • Great discussion.
    I’m currently a sys admin and spend a lot of my time resetting passwords because user forget them. I’ve also went to users desks and noticed that they have a folder with all their passwords in them.
    I agree that one of the biggest steps is teaching users how to create solid passwords. The problem is, many users can’t even remember the password they created (i.e. ilovemaria) or something simple like this.
    When I used to work at a large software company, it taught us to make passwords that could be remembered using phrases.
    For example,
    Let’s say you love investing and sox. You could have a phrase like ‘Xtreme Loves Sarbanes and Sox while in the sun’ … this password would end up being Xl54w1Ts or something similar. The password is strong and somewhat easy to remember if you force the user to repeat it a few times. Hopefully, in the end the user will remember this method and it will also help them remember their password.
    I haven’t done this for other users due to my own organizations negligence in their password policy, but in my previous organization this worked very well.
    On a tangent, what does everyone use to store their sys admin passwords? Passwords such as root access to *NIX boxes, sys admin level resp. in Oracle, etc?
    Right now, my organization uses a VERY insecure method … I’m scared to even say the method. In my previous organization, we used some kind of program that had several authentication levels, but was very costly.
    Perhaps someone knows an open source application that can be run in a Windows environment that will achieve the same thing I’m looking for?

  • Hi Don – I agree the good information shared in your excellent post 🙂
    Thankfully, our admins at work require strong password settings in every environment where it can be easily implemented. Better yet, we’ve been moving to SecureID for 2 factor authentication for remote workers.
    While 2-Factor authentication is more complicated for the users and fairly expensive – it’s far better to put a strong lock on your corporate gates , than one that can be picked eventually by some of the more sophisticated password cracking tools out there (e.g., RainbowCrack, LophtCrack, etc)
    In my past experiences as an IT security professional, I’ve performed Network Penetration testing including password testing. In one testing case, even a complex 14 character password became ‘clear text’ after running a cracking tool for over a week (as we even gained access to the NT SAM file to help facilitate this).

  • Hi Harry,
    Two factor authentication has several advantages. The advantage of reducing complexity of each factor helps users manage the solution. Further, the ability to respond to evidence that one factor may be broken is a solid security advantage. To preserve the advantages of SecureID, keep careful accounting of your tokens.
    Internet freeware exists that can synchronize with a borrowed token to predict its sequence. This came about when some of the SecureID server code was reverse engineered sometime after 1992. To my knowledge, one freeware tool has used a point and click GUI to synchronize with tokens for several years now.
    In practice, SecureID tokens work rather well. User awareness training to not use post-its to stick on their second key to the SecureID is effective. When users learn of the risk of borrowing a SecureID, they become appropriately protective. The main risk is co-worker impersonation. Keys with SecureID tokens get left on desks unattended for 15 - 45 minute time windows. Attack software can run on portable PDAs. So long as the second key is not captured, security remains effective.
    Best Wishes,

  • Novell Single Sign On tool:
    In standalone mode the tool can use an AES encrypted file to store passwords. As the items are reversibly encrypted, user hints are possible. Further, a master password to enter the utility substantially reduces the passwords that must be remembered.
    The main risk with such solutions is control of the user interaction with the tool. In Novell’s case, the tool may have my web banking user ID and password in it. Then, an unwanted user of my desktop may use my web browser to reach my bank. The tool’s helpful ways give up too much access through automated logon to my bank. Then, my money is in real trouble; a bad guy could impersonate me to my bank.
    A less technological solution is to have a reversibly encrypted password hint file. Then, capture of this file or even decryption will not give out the passwords themselves. In most cases, a small hint will lead to password remembrance.
    The user can then give boring tag names for passwords and match them with password hints. In this way, a user’s day timer will not give up both account names and passwords but only account names and password tag names. Even if the hint file is also captured and decrypted, the attacker then only has a map of account names and password hints.
    I admit the solution is not perfect, but management of 200 or more privileged IDs can be a tough game for administrators.
    Please let me know if you have better solutions. I am all ears.
    Best Wishes,
    Don Turnblade

  • More on passwords - copy of blog post below
    Security is only as strong as it’s weakest link and this ISC article shares some good awareness on the need for strong passwords. While companies and home users have strengthened security with firewalls, AV protection, and other tools, a weak easy-to-guess password can let the bad guys right into the front door.
    ISC Article: Remote Password Guessing - Concerns, Observations, Recommendations
    Please paste to browser - no www needed)
    Always use a strong password (e.g., includes at least one letter, number, upper case letter, special character) for the best level of protection.
    Microsoft - How to Create Strong Passwords
    Please paste to browser and add www
    Microsoft - Password Strength Checking Facility
    Please paste to browser and add www

  • I’ve read the threads for password resets but I would like to know what the Sarbox states regarding specific admin accounts (Oracle DBA SYS and SYSTEM accounts) and if their are any wavers (derogations) to this. Is it possible for a company to not activate the logon and logoff audits in Oracle and therefore waver this also? If so, I must assume that a company has justifying evidence regarding this decision where if something does happen, this document would be proof against them as having wavered their right to defend in court (worst case scenario).

  • I would like to know what the Sarbox states regarding specific admin accounts (Oracle DBA SYS and SYSTEM accounts) and if their are any wavers (derogations) to this.
    Sarbox states absolutely nothing about this.
    One needs to apply judgement within a methodolgy that supports your system of internal control.

  • Hi - I agree with Denis, as SOX doesn’t cover specifics like password settings at a granuluar level. SOX 404 requires management to ascertain their IT financial systems, security, and related workflows using a risk management approach, that is complemented using controls testing.
    However, many external auditors use COBIT 4 standards to gauge SOX 404 compliancy and this document is available as a free download.
    Free copy of COBIT 4 by registering

  • simulation credit auto [/url]
    Thanks harrywaldron for the link. It worked well 😉

  • The time it takes to crack a password depends on many factors:

    1. is a human manually typing in the passwords or is a program automatically doing it
    2. are the passwords typed into the application input window that the password protects or do you have access to the encrypted file that stores the users’ passwords and know the encryption or hash algorythm
    3. the automatically enforced password rules for minimum length and required diversity of passwords (lower case, upper case, numbers, special characters
    4. the fact that users tend to use passwords that they can easily remember so that cracking programs can use dictionaries and reduce the number of combinations that are actually used in practice.
    5. after how many unsuccessful password attempts in a given time period a user account is blocked for further attempts
      If a cracking program needs to simulate keystrokes being typed in an application and if the system limits the speed of processing such keystrokes (which can be much slower than the raw processing power of the CPU) then your cracking time will increase.
      Point number five is actually the most important one if the cracker does not have access to the enrypted password file. If the number of login attempts until blocking is three and if the investigative process to unblock user accounts involves contacting the user and verifying that it was him that made the unsuccessful attempts, then cracking has almost no chance unless passwords are extremely weak.

Log in to reply