Passwords have been part of IT since long before the age of the desktop PC. However, now more than ever, systems administrators need to re-examine their password security policies to remain effective against modern programs and computers that can crack weak passwords in minutes.
Basic eight-character passwords can now be cracked by consumer password recovery software in well under an hour. More experienced hackers armed with rainbow tables and other free tools can crack 14-character passwords – including alpha-numeric passwords with special characters – in less than three minutes. To stay one step ahead, systems administrators must encourage users to adopt longer, stronger passphrases.
Adding numeric characters to a password and creating a passphrase – more of a sequence of words like “IamtheKeeper0fthi$Computer!” – can significantly increase the time needed by the best cracking software, running on the latest multi-processor machine, to the point where brute force hacking of passphrases becomes impractical.
Systems administrators must also mandate that users update their passphrases on a regular basis. These updates can provide some measure of protection should a passphrase ever be compromised – say, in a hotel, an airport, or even at home on a work laptop. It’s also advisable to configure rules to prevent users from cycling through old, previously used passphrases. Best practices stipulate setting passphrases to expire within 60 days or less, and requiring a minimum length, a minimum age, and the use of special characters.
Okay, but what about the less obvious rules?
For Windows users, systems administrators should set the Group Policy to disable LANMan hashes. LANMan hashes are notoriously easy to crack using brute force methods or rainbow tables with a pre-computed list of hashes. The policy is located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and is configured by setting “Network security: Do not store LAN Manager hash value on next password change” to Enabled.
It’s also prudent to set a minimum passphrase length of 15 characters, as this is the critical length where, regardless of other policies, LANMan hashes cannot exist in Windows systems.
Systems administrators should also set all in-built administrator accounts (e.g. administrator, root, sa, sys, etc.) to have frequently updated passphrases that are unique to each account. This practice breaks the peer-to-peer model of the Windows network and ensures that a breach of one system’s administrator password does not lead to the compromise of any other systems.
Also keep in mind that there are scenarios – such as restarting the computer in safe-mode – when disabled administrator accounts can be re-activated without user intervention. Therefore it’s essential to continuously audit all “super user” accounts in such a way that unusual activity is quickly discovered and remediated.
Fortunately, privileged identity management products are available to help you continuously track, secure and audit the “super user” credentials required for administrator logins, application-to-application transactions and highly privileged services.
What specific tips can you give end users?
- Don’t include easily guessed information in your passwords such as birthdays or family and pet names. Also, don’t use easily guessed words or common words such as “password” and simply replace characters such as “a” with an “@” or “o” with a zero. Hackers know this strategy and their software knows it too.
- Don’t use the same passphrase for multiple logins – and in particular don’t mix personal passphrases with business ones. Keep everything separate so that even if one account is compromised, the rest are secure.
- Never give anyone – including IT staff – your password. If a systems administrator truly needs your passphrase, change it before disclosing it, then change it back when they are done with their work. And make sure you’re present while they’re using your account.
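The first tip, together with the 15-character minimum and special-character rule recommended earlier, can be enforced at the moment a passphrase is chosen. The sketch below is an added example, not code from the article; the deny-list is a small constructed sample, and the function names and the `personal_terms` parameter are assumptions.

```python
# Constructed sample deny-list; a real deployment would load a far larger one.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin")

# Fold look-alike characters onto one letter so "p@ssw0rd" and "password"
# compare equal. "i", "1", "!" and "|" all fold to "l" because any of them
# may stand in for the others.
FOLD = str.maketrans({
    "@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s",
    "7": "t", "1": "l", "!": "l", "|": "l", "i": "l",
})

MIN_LENGTH = 15  # minimum length recommended in the article


def normalize(text):
    """Lower-case the text and undo common character substitutions."""
    return text.lower().translate(FOLD)


def check_passphrase(candidate, personal_terms=()):
    """Return a list of rule violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.isalnum():
        problems.append("no_special_char")
    folded = normalize(candidate)
    # Deny-list words are folded the same way, so a substitution in either
    # direction still matches.
    if any(normalize(word) in folded for word in COMMON_WORDS):
        problems.append("common_word")
    # Birthdays, family and pet names: ignore very short terms, which would
    # match by accident.
    if any(normalize(t) in folded for t in personal_terms if len(t) >= 3):
        problems.append("personal_info")
    return problems


if __name__ == "__main__":
    for pw, terms in [("IamtheKeeper0fthi$Computer!", ()),
                      ("P@ssw0rd", ()),
                      ("Fluffy2009Fluffy2009", ("Fluffy", "2009"))]:
        print(pw, check_passphrase(pw, terms))
```
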
And then there are the not-so-obvious tips…
- Even when logging onto websites, use passphrases that are 15 characters long whenever allowed. This can help protect your account on sites whose administrators may not be protecting stored passphrases by disabling vulnerable hashing algorithms.
- Don’t allow browsers to store your passphrases for you, because not all browsers store your logins in a secure fashion.
- Lastly, never configure a computer to automatically log you on. If your system is configured for auto-logon, Windows may actually store your passphrase in clear text within the registry of the system in one or more well-known locations. This mistake can give even the most amateurish of hackers access to your system and knowledge of your passphrase – a dangerous combination.
Effective password security is often said to be a “state of mind,” and I’ve heard words such as “holistic” used to describe the process.
In truth, all that is needed to create a more secure IT environment is the right set of automated building blocks – security policies – that are enforced by automated systems, audited and reviewed to account for current and future security threats. This decreases the likelihood of any security weaknesses being overlooked, and increases the odds of you being alerted to any unusual activity.
What are your strategies for eliminating weak passwords? Visit the Identity Week blog to keep track of current news and trends in IT security.