Chapter 7: Password Policy
This chapter will review password security and introduce a Password Policy. This chapter builds on the Enterprise Security Policy from Chapter 5, which referenced a Password Policy in the System Access Passwords section. We will review how a Password Policy fits within an Enterprise Architecture, the importance of password security, an overview of password cracking and conclude with an example Password Policy.
A Password Policy is an administrative security control that works together with other Enterprise Architecture security controls to provide layered security through the Enterprise. For example, in Chapter 5 the Enterprise Security Policy defined how organizations educate their employees and business partners on approved system and data usage. The example Enterprise Security Policy in Chapter 5 referenced a Password Policy and an Acceptable Use Policy. Together these policies reduce risk by implementing layered security controls (defense in depth) through the Enterprise. A Password Policy is an important security control that provides front line security to an organization’s network, because a poorly chosen password can result in the breach of its network and assets. In organizations that must comply with regulatory mandates, such as those handling classified information, a password policy violation could be considered a criminal offense.
Weak password security in a Terminal Server environment poses additional risk because anyone, internally or externally, with network access to a Terminal Server can display a Windows logon screen. The ability to display a Windows logon screen makes weak passwords and password cracking especially worrisome. If an intruder can view a Windows logon screen, password cracking software can be executed against user accounts or administrator accounts; the latter, by design, is not subject to an account lockout policy.
As discussed in Chapter 5, passwords are a very important part of information security and are an instrumental administrative security control used to protect user accounts and corporate assets. Intruders often gain access to systems by stealing or cracking a password and account name and then posing as that user. As such, all employees and business partners with access to an organization’s systems will follow the steps outlined in a Password Policy to select and secure their passwords.
Password Policies define password length, password construction, password duration, password hygiene and password compliance. Password length defines the minimum password length. Password construction defines the requirements for selecting a password, including the criteria for a strong password that is hard to guess but easy to remember. Password duration defines how often a password is changed. Passwords can be changed at each logon, monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the frequency with which a password is used. The more times a password is used, the more chance there is of it being compromised. Password hygiene defines the use and management of passwords. Examples of password hygiene are not sharing a password and not saving a password on a piece of paper. Password compliance defines disciplinary actions for users that do not comply with the Password Policy.
List 7.1 shows common password vulnerabilities:
- User accounts with weak or non-existent passwords.
- Automatically generated accounts by operating systems and applications with weak or non-existent passwords.
- Even when a user’s password is strong, users fail to protect it and write it down on a piece of paper that is commonly found near their PC.
- Many commercial and Open Source applications use known hashing algorithms. All too often these hashes are stored where users can access and compromise them.
The point here is that mitigating weak passwords is one of the first steps to enhance the security posture of a network. Implementing a strong password policy is a necessary step in securing the Enterprise.
Password cracking is the technical method of recovering lost or unknown passwords that are stored on computers. A password cracker is an application that is used by administrators and hackers to guess unknown or forgotten passwords. Administrators generally use and, in many cases, automate password crackers to test for password compliance; in contrast, hackers try to gain user or root level access to a machine.
Most password cracking software focuses on guessing passwords, not decrypting encrypted passwords. This approach is used because most contemporary password storage algorithms are one-way hashes: there is no reverse process that will reveal a password in plain text. So guessing a password using a brute force or dictionary attack (explained below) is more efficient than trying to decrypt a password. Incidentally, the only way for an organization to audit password compliance is to test each and every user name and password by using a password cracking application. Most organizations sanction regular password compliance auditing, which explicitly permits auditing password complexity in order to check for passwords that are easily compromised and, when appropriate, to help users recover forgotten passwords.
Please Note: Never run password recovery tools without explicit and preferably written permission from your employer or customer. Network and security administrators with the best intentions have been terminated for running password recovery tools without proper authority to do so.
The term password cracking is synonymous with password recovery. Over the years password cracking has transformed into a commercial password recovery market. A fantastic example of this transformation is the widely distributed, award-winning NT password cracking application L0phtCrack, which was originally developed by L0pht Heavy Industries. L0pht Heavy Industries was a hacker think tank founded in the early 1990s that merged in January 2000 with a startup computer security company named @stake. From a media standpoint, the merger was positioned as a transition of L0pht Heavy Industries, considered by the media as an illicit black hat group of hackers, to a licit white hat security company. Symantec announced its acquisition of @stake on September 16, 2004, and today L0phtCrack is a Symantec password recovery product sold under the name of @stake LC 5.
There are primarily two methods of password cracking: (i) social engineering, and (ii) password cracking. Social engineering means manipulating people to provide their user names and passwords. Password cracking uses software to automatically generate passwords in order to gain unauthorized access to computer systems. In the book The Art of Deception, Kevin Mitnick astutely notes that it is simply easier to trick a user into giving you his or her user name and password than expending time and computing resources performing password cracking! This statement emphasizes the importance of security awareness training and a Password Policy.
Tip: I would like to encourage you to pick up The Art of Deception and read it; and if necessary, reassess your organization’s security procedures accordingly.
Password crackers primarily use two methods to identify correct passwords: brute-force and dictionary attacks. A brute force attack enters every possible combination of characters and numbers until the machine accepts one of the combinations as the correct password. A dictionary attack enters each word in the dictionary to guess the correct password. Most password crackers can search a hybrid of dictionary entries and numbers by using a variety of methods, including parsing a file to help add numbers to the characters of a search. The ability to search a hybrid of dictionary entries and numbers can be very useful against corporations that require their users to include a number in their password. Despite the known risk of password attacks, user accounts with simple to guess or empty passwords remain exceptionally common, and good password policies are unfortunately far too rare, as is the enforcement of a password policy when one exists.
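To put the brute-force, dictionary and hybrid approaches side by side, here is an added example that is not part of the chapter or of any product it mentions: it counts the candidates each kind of search must cover for an eight-character password. The dictionary size and the guess rate are constructed assumptions. What it shows is that a hybrid search over dictionary words with one or two digits appended is millions of times smaller than a brute-force search of the same length, which is why a policy that merely requires "a number" does not defeat a hybrid dictionary attack.

```python
# Added example (not from the chapter): size of the search space a
# brute-force, dictionary or hybrid guess must cover. Dictionary size and
# guess rate below are constructed assumptions for illustration.
LOWER = 26          # a-z
UPPER = 26          # A-Z
DIGITS = 10         # 0-9
PUNCT = 32          # printable ASCII punctuation


def brute_force_space(length: int, charset_size: int) -> int:
    """Worst-case candidates for an exhaustive search of exactly `length`
    characters drawn from an alphabet of `charset_size` symbols."""
    return charset_size ** length


def hybrid_space(dictionary_words: int, max_digits: int = 1) -> int:
    """Candidates for a hybrid search: each dictionary word as-is, plus the
    same word with 1..max_digits digits appended (the 'secret1' pattern)."""
    total = dictionary_words                      # bare words
    for n in range(1, max_digits + 1):
        total += dictionary_words * DIGITS ** n   # word followed by n digits
    return total


def seconds_to_exhaust(candidates: int, guesses_per_second: int) -> float:
    """Time to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second


def compare(length: int = 8, dictionary_words: int = 200_000,
            guesses_per_second: int = 1_000_000) -> dict:
    """Search-space size and exhaust time, per strategy, for one length."""
    spaces = {
        "lower_only": brute_force_space(length, LOWER),
        "mixed_case_digits": brute_force_space(length, LOWER + UPPER + DIGITS),
        "full_printable": brute_force_space(length, LOWER + UPPER + DIGITS + PUNCT),
        "hybrid_dictionary_2_digits": hybrid_space(dictionary_words, 2),
    }
    return {name: (size, seconds_to_exhaust(size, guesses_per_second))
            for name, size in spaces.items()}


if __name__ == "__main__":
    for name, (size, secs) in compare().items():
        print(f"{name:28s} {size:>22,d} candidates  ~{secs / 86400:12.3f} days")
```

With the constructed defaults, the hybrid search over 200,000 words with up to two trailing digits is about 22 million candidates and is exhausted in seconds, while eight lowercase letters alone run to about 2.1 × 10^11 and the full printable set to about 6.1 × 10^15; the lesson for policy is that length and an unguessable base word matter more than an appended digit.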
With password cracking, a goal of many hackers is to get the local or domain administrator account password on any machine they are able to access. Once hackers have an administrator’s password, they have the proverbial keys to the kingdom and, in most cases, can gain access to just about any other machine or device on the network. Passwords discovered on one machine frequently are reused on other machines, allowing an attacker to roam about with impunity with the appearance of being a legitimate corporate user. One of the common denominators of password cracking is that an attacker presumably already has some degree of access to the target machine or network, such as an employee, consultant or business partner.
List 7.2 shows the type of attacks that can provide an attacker with multiple passwords to authenticate to a system:
- Password sniffing
- Brute-force or dictionary attack against an encrypted password file
- Dumpster diving
- Social engineering
All of the above attacks can help an intruder find passwords to access systems, but a dictionary attack on an encrypted password file would more likely provide an attacker with multiple passwords that could be used to access other accounts and systems. Password sniffing can only provide an intruder with some encrypted passwords, provided that they can sniff the packets during a logon event. Dumpster diving consists largely of rummaging through others’ trash looking for useful things, which could provide a dumpster diver with user names and passwords if they are not properly protected.
The following is an example Password Policy from the SANS Security Policy Project. It starts with an overview section, purpose and scope and then delivers the password policy. This policy is intended for informational purposes only.
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of <Company Name>’s entire corporate network. As such, all <Company Name> employees (including contractors and vendors with access to <Company Name> systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords and the frequency of change.
Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any <Company Name> facility, has access to the <Company Name> network, or stores any non-public <Company Name> information.
Policy
General
- All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
- All production system-level passwords must be part of the InfoSec administered global password management database.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.
- User accounts that have system-level privileges granted through group memberships must have a unique password from all other accounts held by that user.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public", "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
- All user-level and system-level passwords must conform to the guidelines described below.
Guidelines
A. General Password Construction Guidelines
Passwords are used for various purposes at <Company Name>. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password and local router logins. Since very few systems have support for one-time tokens, (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
- The password contains less than eight characters.
- The password is a word found in a dictionary (English or foreign).
- The password is a common usage word such as:
  - Names of family, pets, friends, co-workers, fantasy characters, etc.
  - Computer terms and names, commands, sites, companies, hardware, software.
  - The words "<Company Name>", "sanjose", "sanfran" or any derivation.
  - Birthdays and other personal information such as addresses and phone numbers.
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret.)
Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be: "This May Be One Way to Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
NOTE: Do not use either of these examples as passwords!
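The construction guidelines above can be enforced mechanically at password-change time. The following Python checker is an added example, not part of the SANS policy or of the chapter; its dictionary, company and site words are a constructed stand-in for the word list a deployment would load, and its pattern rules approximate the "qwerty", "zyxwvuts", "123321" and "aaabbb" examples in the list, including the reversed and digit-prefixed or digit-suffixed variants the guideline also rejects.

```python
from __future__ import annotations

import string

# Constructed stand-ins: a real deployment would load a full dictionary and
# its own company and site names in place of these few words.
COMPANY_WORDS = {"companyname", "sanjose", "sanfran"}
DICTIONARY = {"secret", "password", "welcome", "summer", "dragon", "remember"} | COMPANY_WORDS
# Runs used to spot keyboard and alphabet patterns such as qwerty or zyxwvuts.
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits)
PUNCTUATION = set(string.punctuation)


def _base_forms(password: str) -> set[str]:
    """Lower-cased variants the guideline rejects along with the word itself:
    the word reversed, and either with one leading or trailing digit removed
    (covers 'secret1', '1secret' and 'terces')."""
    s = password.lower()
    forms = {s}
    if s[:1].isdigit():
        forms.add(s[1:])
    if s[-1:].isdigit():
        forms.add(s[:-1])
    return forms | {f[::-1] for f in forms}


def _is_pattern(s: str) -> bool:
    """aaabbb-style repeats, palindromes like 123321, and substrings of a
    keyboard or alphabet run (forwards or backwards) like qwerty."""
    if len(s) < 4:
        return False
    if len(set(s)) <= 2 or s == s[::-1]:
        return True
    return any(s in run or s in run[::-1] for run in KEYBOARD_RUNS)


def weak_reasons(password: str) -> list[str]:
    """Characteristics of a weak password from section A that were found."""
    reasons = []
    if len(password) < 8:
        reasons.append("fewer than eight characters")
    forms = _base_forms(password)
    if forms & DICTIONARY:
        reasons.append("dictionary or common-usage word, possibly reversed or with a digit added")
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if any(word in letters_only for word in COMPANY_WORDS):
        reasons.append("contains a company or site name")
    if any(_is_pattern(form) for form in forms):
        reasons.append("word or number pattern")
    return reasons


def strong_missing(password: str) -> list[str]:
    """Strong-password characteristics from section A that are absent."""
    missing = []
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        missing.append("both upper and lower case")
    if not any(c.isdigit() for c in password):
        missing.append("a digit")
    if not any(c in PUNCTUATION for c in password):
        missing.append("a punctuation character")
    return missing


def evaluate(password: str) -> dict:
    """Accept only when nothing weak is found and every strong trait is present."""
    weak = weak_reasons(password)
    missing = strong_missing(password)
    return {"accepted": not weak and not missing, "weak_reasons": weak, "missing": missing}


if __name__ == "__main__":
    for candidate in ("TmB1w2R!", "secret1", "qwerty", "SanJose2004!", "Password"):
        print(candidate, evaluate(candidate))
```

The policy's own example "TmB1w2R!" is accepted; "secret1" is rejected both for length and as a dictionary word with a digit appended, and "SanJose2004!" is rejected as a derivation of a site name even though it is long and mixes character classes. The company and site words are the part to replace with the local list when the check is deployed.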
B. Password Protection Standards
Do not use the same password for <Company Name> accounts as for other non-<Company Name> access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various <Company Name> access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account.
Do not share <Company Name> passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential <Company Name> information.
Here is a list of "don’ts":
- Don't reveal a password over the phone to ANYONE.
- Don't reveal a password in an email message.
- Don't reveal a password to the boss.
- Don't talk about a password in front of others.
- Don't hint at the format of a password (e.g., "my family name".)
- Don't reveal a password on questionnaires or security forms.
- Don't share a password with family members.
- Don't reveal a password to co-workers while on vacation.
If someone demands a password, refer them to this document or have them call someone in the Information Security Department.
Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
Change passwords at least once every six months (except system-level passwords which must be changed quarterly). The recommended change interval is every four months.
If an account or password is suspected to have been compromised, report the incident to InfoSec and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by InfoSec or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
C. Application Development Standards
Application developers must ensure their programs contain the following security precautions. Applications:
- Should support authentication of individual users, not groups.
- Should not store passwords in clear text or in any easily reversible form.
- Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
- Should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
D. Use of Passwords and Passphrases for Remote Access Users
Access to the <Company Name> Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.
E. Passphrases
Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."
A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:
"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"
All of the rules above that apply to passwords apply to passphrases.
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
This chapter introduced password security, highlighted password security in a Terminal Server environment and concluded with an example Password Policy.
- A Password Policy is a critical security control that provides front line security to an organization’s network.
- Password Policies define password length, password construction, password duration, password hygiene and password compliance.
- Password security in a Terminal Server environment poses additional risk because anyone with network access to a Terminal Server can display a Windows logon screen.
- Intruders often gain access to systems by stealing or cracking a password and account name and then posing as that user.
- Password cracking consists primarily of two methods: (i) social engineering and (ii) password cracking.
- Most organizations sanction regular password compliance auditing, which explicitly permits auditing password complexity in order to check for easily crackable passwords.
- With password cracking, a goal of many hackers is to get the local or domain administrator account password on any machine they are able to access.
- A key point of password cracking is that an attacker presumably already has some degree of access to the target machine or network, such as an employee, consultant or business partner.
The next chapter will review a sample tier 3 Terminal Server Standards policy that is used to define Enterprise wide Terminal Server standards.
Resources
The SANS Security Policy Project
FIPS PUB 112
Sample Generic Policy and High Level Procedures for Passwords and Access Forms
http://go.microsoft.com/fwlink/?LinkId=22206