Re: Education End Users about Passwords

steve.posick_at_advansol.com
Date: 12/10/03

    Date: Wed, 10 Dec 2003 09:01:45 -0500 (EST)
    To: pen-test@securityfocus.com
    
    

      From my experience it's usually not remembering strong passwords that is
    the problem, it's the policies.

      Many networks require strong passwords, good thing. Too many have
    policies that actually weaken their security by not taking
    human nature into consideration.

      Example: if policy requires that the users must use a password that
    consists of mixed case and at least one number and does not allow
    the user to reuse passwords, you have actually encouraged your users to
    write their passwords down.

      A solution is to allow the users to reuse the same password in a cyclic
    fashion directly corresponding to the failed password account
    lock settings. In other words, let users remember 3 strong passwords,
    lock the accounts if a wrong password has been entered 3
    times. This allows the user to remember their passwords and not have to
    write them down to do it.

      The most important and most overlooked aspect of security is human
    nature. You can't fight it, you need to work with it.

      I wish I had a nickel for every time I've gone into an office with bad
    password policies and said to the user "Your password is
    somewhere around here", waving my arms around their desk and chair in a
    circular pattern and had them laughingly admit where it
    was.

    >
    >> 1. Pick a sentence that has meaning for you and that you will remember.
    >> i.e. I work at cox today.
    >> 2. All consonants (or all vowels) become UPPERCASE characters.
    >> 3. All vowels (or all consonants as it is the opposite of rule 2) become
    >> lower case characters.
    >> 4. Words like to and for become numbers.
    >> 5. Words like at and "and" become symbols (@ and &)
    >> 6. Add some character to the end like ! or #
    >
    > Agreed to a certain extent. Consider the following however; Cracker is on
    > a machine that he needs some serious information say for corporate
    > espionage purposes, and the information is vital to him. What makes you
    > think an experienced cracker wouldn't have the correct type of dictionary
    > file? It's as simple as sed 's/a/4/g;s/A/4/g;s/e/3/g;s/E/3/g' and so
    > forth.
    >
    > Substitutions? sed s'/i/\!/g', 's/^/./g', 's/$/./g' and so on.
    >
    >>
    >> Once they get this simple thing down, getting them to choose "strong"
    >> passwords becomes infinitely easier, because they now have a mnemonic
    >> device
    >> to recall the password - the primary end user complaint about using
    >> "strong"
    >> passwords. If they can remember it, they are also a lot less likely to
    >> use
    >> the nefarious sticky note. Then all you have to worry about is making
    >> sure
    >> that they know not to give it out over the phone, which frankly, is the
    >> easiest method of "cracking" a password.
    >>
    >> 2 cents,
    >>
    >> Jimi
    >
    > Disagree, most people stick with familiarity (cognitive dissonance) and
    > you can try to explain the situation a million times over but the sad fact
    > is most people will stick to their guns. What can you do as an admin/sec
    > engineer? One thing that I think corps. should do is, create some form of
    > quarterly meeting with their employees to explain security issues, e.g.;
    >
    > Post it notes
    > Bad passwords
    > Not locking out their machines
    > Paper based nightmares (using shredders)
    >
    > etc.
    >
    > Too much I could add and work calls.
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > J. Oquendo
    > GPG Key ID 0x51F9D78D
    > Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
    >
    > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
    >
    > sil @ politrix . org http://www.politrix.org
    > sil @ infiltrated . net http://www.infiltrated.net
    >
    > "I watch gangster flicks and root for the bad guy
    > and turn it off before it ends because the bad guy dies"
    > 50 Cents - 'Assassins'
    >
    > This is a farce confidential disclaimer intended to make you
    > aware that even though this may be privileged information,
    > being it will become Google cache in the future, my original
    > intentions of keeping this message restricted and/or private
    > are thrown out the door. If you have received this e-mail in
    > error, please enjoy this signature and destroy this message
    > by dousing it in gasoline.
    >

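The six-step mnemonic scheme quoted in the thread, and the reply's point that a rule-aware dictionary reproduces its output, can both be made concrete. The following is an added example, not code from the original post or from any list member: it applies rules 1 through 6 to a sentence, enumerates every password the scheme can produce from that sentence, and offers a policy-side check that rejects a candidate password when it is just the scheme applied to a known phrase. The word tables for rules 4 and 5 and the list of seed phrases are assumptions constructed for the example.

```python
"""Mnemonic password derivation following the six-step scheme quoted in the
thread, plus a policy-side check that asks whether a candidate password is
just that scheme applied to a known phrase.  Added example, not code from the
original post; the word tables below are an assumption about rules 4 and 5."""

from __future__ import annotations

import re
from itertools import product

VOWELS = set("aeiou")
# Rule 4: words that become numbers (assumed list; the post names only "to" and "for").
WORD_TO_NUMBER = {"to": "2", "too": "2", "for": "4", "four": "4"}
# Rule 5: words that become symbols (the post names "at" -> @ and "and" -> &).
WORD_TO_SYMBOL = {"at": "@", "and": "&"}
# Rule 6: trailing characters the post suggests.
SUFFIXES = ("!", "#")


def derive_password(sentence: str, uppercase_consonants: bool = True, suffix: str = "!") -> str:
    """Apply rules 1-6 to a sentence.  uppercase_consonants=True is rule 2 as
    written (consonants UPPER, vowels lower); False swaps the two classes."""
    out = []
    for word in re.findall(r"[A-Za-z]+", sentence):
        lw = word.lower()
        if lw in WORD_TO_NUMBER:
            out.append(WORD_TO_NUMBER[lw])
            continue
        if lw in WORD_TO_SYMBOL:
            out.append(WORD_TO_SYMBOL[lw])
            continue
        for ch in lw:
            is_vowel = ch in VOWELS
            # Exactly one of the two letter classes is uppercased (rules 2 and 3).
            out.append(ch.upper() if is_vowel != uppercase_consonants else ch)
    return "".join(out) + suffix


def scheme_variants(sentence: str) -> set[str]:
    """Every password the scheme can produce from one sentence: both case
    choices times each suffix.  This is the whole space a rule-aware dictionary
    has to cover per phrase, which is what the sed reply in the thread points at."""
    return {derive_password(sentence, upper, sfx)
            for upper, sfx in product((True, False), SUFFIXES)}


def derived_from_known_phrase(password: str, known_phrases: list[str]) -> str | None:
    """Policy check: return the phrase a candidate password was derived from,
    or None.  A password-quality filter can reject such candidates so that the
    scheme's strength rests on the sentence, not on the substitutions."""
    for phrase in known_phrases:
        if password in scheme_variants(phrase):
            return phrase
    return None


# Constructed sample: the sentence the post uses plus a few common phrases an
# organisation might seed its filter with (hypothetical list).
KNOWN_PHRASES = [
    "I work at cox today",
    "let me in",
    "password for work",
]

if __name__ == "__main__":
    pw = derive_password("I work at cox today")
    print(pw)  # iWoRK@CoXToDaY!
    print(derived_from_known_phrase(pw, KNOWN_PHRASES))  # I work at cox today
```

Note that `scheme_variants` yields only four strings per phrase: the rules add a fixed, small amount of variation, so a filter seeded with phrases an organisation expects its users to pick (slogans, product names, the examples given in training) catches the derived passwords cheaply. That is the defensive reading of the reply's objection: the sentence carries the strength, and the substitutions are there to satisfy the complexity policy, not to add secrecy.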