
Has the time arrived for all holdouts to adopt strong passwords?

Are strong passwords still the best defense, or is a layered controls framework, including intrusion or extrusion response, sufficient to effect strong access control?

I’ve long been a proponent of not imposing strong login passwords on business users. There are several reasons for this, not the least of which is users' willingness to write down complex passwords and post them where they are conveniently accessible--by anyone. This behavior defeats strong passwords every time.

Now there might be a reason to reconsider, maybe...

A complex computer worm has infected corporate networks and has affected more than 10 million computers this week, experts say. Infecting computers in the U.S., Europe and Asia, the Downadup worm - which focuses on Microsoft Windows - scans company networks trying to guess passwords in order to access corporate networks, experts found. If the password is guessed, the worm can then infect a computer and the entire network of servers it is connected to.

As a result, experts are calling for all computer users to install a patch from Microsoft and to use long, difficult passwords that cannot be deciphered.

Source: Security patch and passwords defend against the Downadup worm, Help Net Security, 18 January 2009

Downadup (a.k.a. Conficker) exploits a Windows vulnerability patched in October (MS08-067) and is rated as LOW risk by Symantec.  According to F-Secure:

It checks for a suitable computer around the network using NetServerEnum, then attempts to log on to any found computer with one of the following login credentials:

  1. Using the existing credentials of the infected user account; if this account does not have admin privileges on the target machine, this operation will not succeed. 
  2. Acquiring the list of usernames from the targeted computer using NetUserEnum API, then attempting to log on to the targeted computer using the existing user accounts and one of the following passwords:  (See F-Secure site for list).

The controllers of Downadup don’t seem to want anything more than payment for forcing users to install rogue anti-virus software.  However, infected machines (conservatively, between 500,000 and 1 million at this time) can also be forced to participate in spamming, or worse.

As with most exploits that take advantage of both system and configuration weaknesses, there are several ways an organization can protect its network from worms like Downadup.

  1. Patch, patch, patch. Although most organizations like to test before applying a patch, how long does it take? Or rather, how long should it take a network manager to apply a patch for a vulnerability so critical that Microsoft issued MS08-067 outside its normal patch cycle? Effective patch management processes should enable a quick response when critical security patches are released. And you might not have to patch 100 percent of your systems to achieve a reasonable level of protection. See Herd immunity and security patching: How much patching is enough? Don't let the fact that not every system can be patched become an excuse for ignoring patching altogether.
  2. Be sure to set password policies that protect against internal and external attempts to bypass system access controls, including:
  3. Segment your network and control traffic.  Limit the number of systems, including servers, an infected desktop or server can reach.
  4. Implement log management to quickly detect anomalous behavior.
  5. Implement, manage, and monitor anti-virus protection at the desktop level and for email at the perimeter and on email servers.
  6. Monitor for extrusion.
  7. Document and practice an incident response process.

There are other control layers to consider, but these should be very effective in preventing a worm like Downadup from performing as designed after gaining a foothold in your network.  In any case, I still believe strong passwords are no substitute for patching and a solid layered security controls framework.
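Items 3 and 4 above (segmentation plus log management) are where the worm's behaviour becomes visible: it enumerates accounts on a neighbouring machine and tries a short password list against each one, so a single source failing logons against many distinct accounts within seconds is the signal to look for. The following is an added example, not code from the original post: a small Python detector run over constructed, flattened logon records (the one-line format and field names are an assumption for the example; real Windows events 4625 and 4624 carry the same information in their own fields).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: flattened Windows logon events (4625 = failed, 4624 = success).
SAMPLE_LOG = """\
2009-01-18T10:00:01 EventID=4625 Source=10.0.0.23 TargetUser=alice Host=FILESRV01
2009-01-18T10:00:02 EventID=4625 Source=10.0.0.23 TargetUser=bob Host=FILESRV01
2009-01-18T10:00:02 EventID=4625 Source=10.0.0.23 TargetUser=carol Host=FILESRV01
2009-01-18T10:00:03 EventID=4625 Source=10.0.0.23 TargetUser=dave Host=FILESRV01
2009-01-18T10:00:04 EventID=4625 Source=10.0.0.23 TargetUser=erin Host=FILESRV01
2009-01-18T10:00:09 EventID=4624 Source=10.0.0.23 TargetUser=erin Host=FILESRV01
2009-01-18T10:05:00 EventID=4625 Source=10.0.0.77 TargetUser=alice Host=FILESRV01
2009-01-18T10:05:45 EventID=4624 Source=10.0.0.77 TargetUser=alice Host=FILESRV01
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Source=(?P<src>\S+) "
                     r"TargetUser=(?P<user>\S+) Host=\S+$")

def parse_events(text):
    """Parse the flattened log into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["eid"] = int(ev["eid"])
            events.append(ev)
    return events

def find_spraying_sources(events, window=timedelta(seconds=60), min_accounts=5):
    """Flag sources whose failed logons hit many distinct accounts inside one window."""
    # A user mistyping hits one account repeatedly; the worm's enumerate-then-guess
    # loop hits many accounts in seconds, so distinct accounts is the discriminator.
    by_src = defaultdict(list)
    for ev in events:
        if ev["eid"] == 4625:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward past stale failures
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
    return alerts

def successes_after_spray(events, alerts):
    """Successful logons from a flagged source: the accounts the guessing got into."""
    return {ev["user"]: ev["src"] for ev in events
            if ev["eid"] == 4624 and ev["src"] in alerts}
```

The legitimate user at 10.0.0.77 (one account, one failure, then success) is not flagged, while 10.0.0.23 is, and the follow-up success for erin is the account to reset and the host to isolate first.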

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

20 comments
unhappyuser

Ahh just use their DNA to give them access to the computer. It wouldn't work for bald guys though.......

theneckmaster

I think if you manage to convince everyone on your network to use strong passwords and not to write them down or tell it to someone you are quite a persuader... It's practically impossible, and it's enough that one user is a bit more sloppy in this sense for a hacker or a worm to break in. Oh! And if someone 'really' wants to break into a network, he will do it, and won't leave a single trace. A strong password policy is very healthy indeed and it offers some protection against intrusion, but there are many far more exploited vulnerabilities.

daileyml

"A strong password policy is very healthy indeed and it offers some protection against intrusion, but there are many far more exploited vulnerabilities." Agreed, but NOT enforcing strong password requirements opens the door to legal liability. If confidential data is compromised and the breach can be directly attributed to a lax security posture the organization can become financially liable for the damage. Passwords are the basis for all enterprise security and must be treated with importance. The old "users will just write them down" line no longer applies; that is an ancient and worn out excuse used by lazy admins. With existing privacy and security legislation and regulation users need to be educated to the importance of password policies. Users who fail to abide by the policies need to be held accountable. -Mike D http://www.daileymuse.com

NotSoChiGuy

Not only does not having a strong security policy in place open the door to all sorts of liability suits should a breach occur; it is becoming increasingly necessary to have stringent policies in place and enforced before various forms of partnerships can be finalized. I recently worked on a security sweep that was due to a new deal my employer had with a separate agency. Had we not been enforcing strong passwords, laptop encryption and so on, the deal would have died, and we would be out millions in revenue. Strong security is no longer a must-have in keeping safe, it is becoming a must-have in order to conduct business. If users can't understand this, it seems to me like a good time to make a call to HR (training, enforcement, term, whatever it takes).

StealthWiFi

With proper education and not copping out saying oh well you must be persuasive or any crap like that but actually showing your users you care about their data and job security (maybe you don't, sucks to be you then) then they will listen and get better. Software will always have a flaw, that's like why pick the lock to the house when you can just break open a window. But why leave your door wide open or use a suitcase lock on the door... Follow up with a Doberman on the other side of the window and you're good to go LOL

shardeth-15902278

When enforcing a common strong password policy, you actually are telling the bad guys which limited set of strong passwords to test against (i.e. for MS, it is a common word, first letter capitalized, and sufficient numbers at the end to make it 8 characters long, or one number if it is already 8 characters long - giving a difficulty factor increase of 10 to 100). When you adopt a strong password policy, you increase the likelihood that 1) the user will be careless in protecting that password 2) the user will use the same password on every system (including the various social networking sites, e-biz sites etc... thus increasing the likelihood that it will be compromised). As I read the article, I don't see that strong passwords are really the issue here. The problems that lead to exploitation are a software flaw, a look-up table of common passwords, and users logging in with admin privileges. So rather than "strong" passwords:
  1. Go with LONG passwords. This increases crack time more than enforced pseudo-strong-ness, and reduces the common words problem as or more effectively.
  2. Patch systems.
  3. Monitor for password guessing, and act on it.
  4. Educate and empower users (but don't let 'em log in as admin).
Don't get me wrong, I am not against strong passwords. I have converted a number of people to the use of randomly generated passwords stored in a password database protected with a passphrase. I just don't think strong password enforcement is an effective tool.

the_grench

In dealing with MS, you can turn off the LM hashes via policy which would stop most of these sorts of attempts even without necessarily enforcing strong passwords. Another trick is to use passwords or phrases that are 15 characters or longer. This has the same effect as disabling LM hashes. Combine this with the 94 easily typable English characters and you have 15^94 possible variations to brute force. Further this with a password that changes frequently and you have a relatively strong policy. For users, they just need a phrase, "I like to eat d0ughnut$". Easy to remember and probably true. For shared and privileged accounts like the built-in admin, a tool is required to successfully change these passwords on a regular basis. Lieberman Software offers such a tool, RPM. I use it, and since I started using it my incidents of stuff like the above have pretty well dropped off the radar.

StealthWiFi

I find it irresponsible for any competent tech not to enforce strong passwords. Now the password does not have to be 28 characters containing no repeating letters or symbols, just be generally strong. All the software and hardware security measures you put in place will eventually fail or be compromised, it almost always boils down to passwords as your last line of defense. If the Virus/Worm/Trojan... gets in you already have a problem, why not do everything to make it that much harder for your new problem to spread. I have my users use strong passwords. With proper training and explaining to them why it's important not to write it down and why the measures are in place and also explaining how it will affect them if the systems get compromised, they are very happy to be included and trusted in the security of the company (it is after all their livelihood too). If you can get your users on board they can help each other not to accidentally write it down, and also not be embarrassed if they forget it and have me reset it. I try and thank them for coming to me and make them feel as comfortable as possible so they will ask for the help when they need it and know I will not belittle them or report them in any way. Cheers,

unhappyuser

Do you actually think they don't write them down? You must be blessed with perfect users if they don't. Wherever I have worked there has always been that small group that writes them down, sometimes in plain sight! I agree that we must do what we can to protect our networks and systems but being too strict can have a worse effect. Anyone with a teenager knows what I'm talking about! EMD

daileyml

I second that opinion. For someone with a security background to ignore the sound reasoning behind complex passwords is purely irresponsible; doubly so for someone with a CISSP and holding a security position in a healthcare-related organization. When your organization has to disclose a breach in confidential customer/patient data due to lax password policies you can explain that you were only trying to prevent passwords from being written down on Post-It notes. If users are not following company policy that becomes an administrative/HR issue, not a security issue. The job of the security team is to protect the data by all reasonable means. Strong passwords are not only reasonable, but mandatory when following standard security criteria such as Sarbanes-Oxley. I'd recommend requesting an internal audit of your organization's security practices to obtain a second opinion on your password policies. -Mike D http://www.daileymuse.com

Dr Dij

Multi-factor authentication WITHOUT strong passwords should have been an option on the poll. Other people are right that weak passwords can be next to useless. But SSO is a risk also with weak passwords. So if you use multi-factor authentication the existing password policy is much more likely to actually secure your system.

Tony Hopkinson

Prerequisite to successfully implement strong passwords: single sign-on. Personally I think we should move to pass phrases, nearly as hard to guess, in fact with a bit of thought much harder, but far easier to remember.

StealthWiFi

Is the death of security. Passphrases are easier to break with the likes of facebook and such making social engineering that much easier.

Tony Hopkinson

Three consecutive fails and you are out? What about who is allowed to log in from where and when? I mean if you are going down strong passwords are better, let's have strong usernames as well? Just seems to me they get latched on to, to cover up other gaping holes in security... If we are going for mix and match, strong for systems where account lock isn't possible or practical and they are 'automatic' logons, fine. For your everyday user, I just don't see it, they'll circumvent the mechanism and quite possibly leave you less secure.

apotheon

"Given strong passwords = people writing them down Then strong passwords More secure." That could mean better security under certain circumstances, even if not under others. For instance, stronger passwords would protect better against remote attacks that rely on cracking passwords (such as the Conficker/Downadup worm), even if writing them down makes the system more vulnerable against in-person violation of security policy. "Even if you are really nice about it in support, and you hand out medals to people who have forgotten theirs, there's still the productivity downside." The only way to do away with that is to do away with passwords entirely. "The thing I like about passphrases is they give you harder to guess, they aren't harder to remember, and with something as simple as a word count minimum and word/pattern repeat history, stop dumbass passwords like the wife's name or some such." A password and a passphrase are essentially the same thing, in terms of implementation, unless your implementation of an authentication mechanism really sucks. All that differs is the way you think about it. "I've been on strong passwords for two years now, I've forgotten it twice I think. Hilariously the support advice in this situation is to email them for a reset." They're doing it wrong.

Tony Hopkinson

Security has got to be a holistic approach though. Given strong passwords = people writing them down Then strong passwords More secure. So if you want the benefits of them you have to address the cons. Even if you are really nice about it in support, and you hand out medals to people who have forgotten theirs, there's still the productivity downside. The thing I like about passphrases is they give you harder to guess, they aren't harder to remember, and with something as simple as a word count minimum and word/pattern repeat history, stop dumbass passwords like the wife's name or some such. Not a silver bullet, but one which stops the target without blowing away the innocent bystander behind them. I've been on strong passwords for two years now, I've forgotten it twice I think. Hilariously the support advice in this situation is to email them for a reset. :p

StealthWiFi

I agree the death of security is onset by the magic bullet theory; there is only one way to totally secure a computer I know of: unplug, place in box, place box in safe, place safe in concrete, add chains, drop in deepest part of ocean, hope sub technology doesn't advance.

Tony Hopkinson

Aside from education. If some ignorant prat falls for that, it doesn't matter whether it's single character or a 64 minimal repeat must contain mixed case, numbers and symbols. The harder a password is to remember the more likely someone is going to write it down. The more they have, even more likely. Password Safe, is single sign on. Biometrics, user and logon location heuristics, accurate and ongoing privilege separation, privilege violation monitoring. Any of these should be pushed before strong passwords. In practice, net sum of zero in my experience. I know loads of people who either use a simple mnemonic like the name or simple transposition of some 'magic' word. If I was to tell you my passphrases were, say, based on the last book I read, how would that help you? What if I tell you the book. It's Judas Unchained by Peter F Hamilton.... I can wait until you've read it.... Mind you, by then I'll have read several more, which one was I reading when whatever password I had expired? The death of security is people ambling about looking for cheap silver bullets.

apotheon

. . . to say nothing of the fact that compromising one site might provide hints on how to compromise other sites.

Dumphrey

And it's really not hard to come up with a long, complex phrase that mixes case, number, and special characters. While not as "mixed" as a concentrated 12 character password, the extra bit length makes brute force nearly impossible with a semi-nonsense phrase (Finnegan's Wake FTW).
