Talk of Password Demise Greatly Exaggerated
There have been a lot of discussions lately about the security (or lack thereof) inherent in the use of passwords in IT security. We’re inundated with headlines like “We’re lousy at picking passwords” or “One more reason why passwords are no darn good”.
Many people in the “passwords aren’t secure” camp point to the fact that most users tend to lean on easy to remember, and often easy to crack, passwords. “12345”, “password”, and “iloveyou” are just a few of the common passwords used.
Another problem besieging password use: password cracking. Even a complex password consisting of letters, numbers and symbols can fall to a brute force, dictionary or pattern attack given enough time and computing power.
And then there is keylogging, recording every keystroke you make, rendering your password choice inconsequential.
The truth is, there is nothing wrong with using passwords for IT security. It is HOW they are implemented that needs to be managed.
So how do we, as infosec professionals, protect users from themselves? Start with education. Educate and train your users with tips and tricks. Some simple ones: teach them to exchange “o” for “0” and “a” for “@”. Suddenly “password” becomes “p@ssw0rd”. (Not super secure, but at least a step on the right direction.)
Next, enforce the use of strong passwords. Don’t allow users to pick weak passwords, instead require them to use letters, numbers, and symbols in their password. If the device you are using or administering has a strong password option, use it. Some devices even allow you to set parameters so that the password must be changed periodically. Users might complain, but policies like these are for their own good and the good of the organization as a whole.
There are a variety of password cracking techniques; Brute force, dictionary, pattern attacks, word list substitution, etc.
Brute force attacks require the systematic testing of every possible password. As such, they are both a time and resource consuming method of password cracking. Often, hackers will attempt dictionary attacks or pattern checking before resorting to a brute force attack.
All of these methods for password cracking can be countered by using systems or devices that can limit the number of invalid login attempts. For instance, after five or six invalid attempts the device locks out for 15-30 minutes. This simple solution can put a serious damper on any password cracking attempts, changing the time required to crack a password significantly. (As long as the password is complex… see above.)
Keylogging or keystroke logging tracks what is typed on a keyboard, leaving your passwords, account information and more viewable. Keeping antivirus definitions up to date can help detect the presence of some keylogging software. However, since keylogging software is often legitimate, it may go undetected by standard anti-virus programs. Specialized anti-keyloggers can be used; however, they still may not detect hardware based keylogging methods.
In the event a keylogger goes undetected, using a virtual keyboard can prevent the keylogger from recording your typing/keystrokes. Another method for restricting key stroke logging: Managing permissions for which users can install software on your network. Restrict software installation only to trusted administrators and power users to help prevent malicious software and apps from infiltrating your network.
As infosec professionals, it is our jobs to spread awareness of the dangers and educate users of how to properly setup and use passwords, encryption and any other security systems.
Overall criminals and blackhat hackers have a variety of tools at their disposal to overcome passwords and encryption. But this doesn’t mean that passwords are obsolete. On the contrary, if used properly they are still incredibly effective at protecting our data.