I have commented before on numeric passwords, and how they can and cannot be used securely. Apparently, not everyone has been reading my blog. Developer Kevin Burke has apparently discovered a phone company that limited customer passwords to a six-digit code, with only the numbers 0-9 as options. Combined with not having any failed password lockouts, nor requiring any other information besides username (your phone number) and the six-digit password, this is a recipe for disaster.
The list of account compromises over the past week is almost too long to list, and the numbers of verified or estimated compromised accounts has reached ridiculous numbers. With the media spotlight on these current companies’ compromises, we’ll likely get more details on the security weaknesses, outright failures, and more from the narcissistic vulnerability pimps taking credit for exposing those security problems.
Aside from the obvious of changing passwords, what can you and your organization do?
I won’t prognosticate on the list of best practices that may have been violated in these compromises, but they will be reported following the long, detailed, and expensive investigations in coming weeks and months, because most of them will be well-known but for one reason or another not practiced. The media reporting and the company’s public statements will cover those, and they will likely be worth a review for any significant points. We can let them tell the story, again.
Instead let’s focus on some things that people may not know or understand that can actually improve your security around these incidents. We highlighted a couple of these practices in the 2011 Annual Security Report, and more recently in the Emerging Threats Briefing at Cisco Live 2012.
First, let’s help our customers, users, and organizations. Given the opportunity, many people will take the simplest and easiest way. In the case of passwords, that means they will use their birthday, username, “password”, “123456”, and so on. We’ll see these lists of bad passwords in coming weeks too. It’s human nature, and too much work to try and remember all those passwords, right? Which leads to the second point of people that use the same password on multiple accounts (more on this shortly). As security practitioners, professionals,…we too often are setting up our users and organizations to fail. We have to do better, and here’s how. Every security control must have technical controls that enforce and monitor that security control, or we have no idea if it is effective. In the case of passwords, that means creating policies, security controls, and technical controls that require a user to create a strong password and change it regularly. If we let a user create a password of “123456”, they have done as should be expected, and we have failed. Even with the best account credentials, the accounts have to be monitored for suspicious activity with technical controls to alert security teams and users when, for example, a password is changed. For a good reference list see: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics. Note the account activity items on the list: Locked out accounts, failed logins, dormant accounts, password aging…
LinkedIn is believed to have suffered a password hash breach (updated: LinkedIn has confirmed the breach), thanks to a forum post that quickly caught the attention of security researchers on Twitter and other social outlets. The posted archive contained a 270+ MB text file of SHA-1 hashes, and forum discussions suggested that it was related to the popular business-centric social site.
At the moment, little is known and speculation is running wild. LinkedIn has not finished investigating whether they have been breached, however many security pros are confirming for the media that the SHA-1 hashes of their passwords are found in the file. The file is constructed in a hash-per-line fashion, with no evident plaintext that suggests it is anything other than passwords (such as usernames, etc.). However, it’s possible that anyone gaining the original access to hashes had or has access to additional details.
I obtained a copy of the hash list, produced a SHA-1 hash of my old LinkedIn password, and did indeed find it in the list. I have also spot-checked several other hashes posted by security pros on Twitter, and have found them as well. Given the nature of my own password (16 random characters comprised of A-Z, a-z, and 0-9) the likelihood that my SHA-1 hash of my password (that was unique to LinkedIn) would be present in a file that did NOT come (at least in part) from a source that had access to hashes of LinkedIn passwords is statistically impossible.
A password manager can encourage users to adopt unbreakable passwords
As users, we know that we should use complex, secure passwords that aren’t easily guessed words from the dictionary like ”admin” or personal dates to protect our systems. Nonsensical words and phrases that substitute digits and symbols for letters, such as ”45Monk3y t1m3 fun!,” are the most secure. But we also know how difficult it can be to create several unique, strong passwords—and even harder to remember them all.
To encourage employees to create passwords that are hard to crack but easily remembered and used, you can provide them with a password management system. Password management is both a standard company-wide policy for developing passwords, and, for many companies, a password manager application you add to your security arsenal as part of your small business security policy.
Shore up your organization’s password security by following these easy guidelines
Dozens of times every day, your employees perform a simple, yet crucial, task: They enter their passwords to log in to their computers, your local network, and the Internet. Just a few brief keystrokes stand between your company’s network and cybercriminals, identity thieves, and disgruntled employees. Unless employees’ passwords are complex, they’re easily guessed by experienced attackers or by their password-breaking computers. Creating meaningful and secure passwords isn’t as difficult as many people think, and it’s critical to the security of your small business network.