Let’s face it; we all hate passwords! I have to keep track of over 300 of these dastardly little buggers to help me access everything from e-mail to bank statements to my IRS tax returns. Practically everything in today’s computerized society is “protected” by them despite the fact that they represent one of the biggest sources of vulnerability.
Believe it or not, the picture (inset) shows an actual password log book that I recently picked up in the “bargain” section of a national book store chain. The pages are formatted like an “old-school” (as my kids would say) address book with room to enter hundreds of website passwords, as well as bank account information and wireless network keys. I was initially intending to remove the sticker indicating that it was a clearance item, but then I was encouraged by the possibility that it was a clearance item because it was such a horribly bad concept that people had refused to buy it. I keep it on my desk as a reminder that there are people out there that think writing down a password is okay.
I prefer to use a password management application. Secured by one single “master” password, the application I use maintains an encrypted database containing the private information needed to access websites and password-protected applications. I also use it to store other important-yet-private information such as software license codes, passport numbers, and credit card details in case I happen to lose my wallet. The biggest risk with this type of application is that it’ll become compromised and expose all of my other passwords. However, I feel it’s a justifiable risk as I’m able to generate far stronger passwords that have to be neither meaningful nor memorable. The reality is that my credentials are far more likely to be attacked online than via a database encrypted using a 256-bit key stored on a hardware-encrypted USB drive—a device that is more likely to be reused or discarded if lost or stolen, than it is to fall into the hands of some unfriendly foreign government!
The recent exposure of more than six million hashed passwords from LinkedIn, an online community, as well as similar events at eHarmony and Last.fm, has renewed a lively debate about the validity, storage, and protection of passwords.
Users often do a horrible job of creating passwords. We use the names of our kids, our favorite football team, or a keyword related to our hobbies. We complain vehemently if we’re told to change our password once we’ve memorized it, and we grumble when our choice of password is rejected due to some “crazy requirement” to include a digit or a special character. Forcing users to create complex passwords increases the risk that they’ll write them down for all the world to see see. (Hiding the post-it note under your keyboard does not count as multi-factor authentication!)
That doesn’t explain why fraudsters work so hard to steal user names and passwords to innocuous websites such as Facebook or LinkedIn. There’s certainly not much direct financial gain to be had from hacking a relationship status or employment affiliation. Instead it exposes one of the biggest problems with passwords: users tend to reuse the same one!
While reuse eliminates the burden of memorizing multiple user names and passwords, it means that the integrity of those credentials is influenced by more than one company’s protection policies. In other words, the integrity of an online banking password is no longer based solely on the regulated protection controls implemented by the financial institution. Now, companies operating far less secure websites—sites that might not even exist within the same legal jurisdiction, and that don’t receive any regulatory oversight—are the keepers of this secret information. If any of those companies are compromised, the integrity of the online banking password is also compromised.
Personal and social media websites often reveal intimate secrets about the owner. Accessing information that I call “but only my friends would know that” allows criminals to focus their attacks. Most of us would never respond to a Nigerian who asks us to take custody of his fortune. The blatant typos and the absurd backstory that these e-mails contain are quite deliberate; weeding out all but the most gullible. An insider e-mail that originates from a friend, family member, or organization that we have indicated that we “like” is more likely to make us click the link to the hilarious new YouTube video or new credit card policy disclosure, or to open the photo attachment of a high school classmate’s new baby (thereby installing additional password malware).
Most of us can differentiate between the (lack of) importance of personal social media sites and critical corporate data. However, if we use the same password on LinkedIn and our corporate VPN, it doesn’t take a hacking genius to get from one place to the other. And access to the latter could lead to access of critical IBM i data.
IBM i enjoys a stronger, more tightly integrated security infrastructure than most other server platforms. Passwords are stored using a one-way hash and cannot be extracted from the machine into a file. This prevents offline “cracking” attempts such as those LinkedIn experienced. Several releases back, IBM i enhanced the System Service Tools (SST) environment to require a user to supply credentials before they can access this critical hardware facility. SST credentials are maintained separately from the legacy profile information to prevent access by powerful users.
IBM i contains a wealth of password management features and can monitor activities surrounding user credentials and sign-on. Starting with v6.1, if an administrator assigns a password that contravenes the server’s password rules, an entry will be logged in the security audit journal. In addition, administrators can now define the interval a user must wait between password changes to prevent them from simply cycling back to the original, expired one. HelpSystems' security solutions enhance these base functions by reporting on the compliance of system values against a mandated baseline, and provides real-time awareness to password and sign-on violations.
Ultimately, the responsibility of effective password management is shared equally between the operating system, security administrators, and end users. Any one of these can weaken the value added by the other two. IBM i’s world-class integrity features are seriously undermined when a security officer permits the use of one-character passwords, assigns default passwords, or doesn’t force users to occasionally change their passwords. These textbook examples may appear exaggerated, but our annual State of IBM i Security Study identifies that all three of these practices are still happening today!
Much of the vulnerability surrounding passwords can be reduced through education and enforcement. Provide users with tips and techniques about how to create strong passwords, and why it’s critical to prevent cross-contamination between passwords used for different purposes. Leverage the operating system’s own controls to define rules that support strong passwords, and deploy tools like Powertech Interact and Compliance Monitor to alert you when there are anomalies and Password Self Help to enhance your password security while improving productivity for your users and your IT team.
To summarize, here are a few tips regarding passwords:
- Establish and enforce a policy for strong passwords.
- Don’t allow administrators to circumvent corporate password policies.
- Create unique passwords for each purpose to prevent cross-contamination.
- Encourage users to use passphrases (or mnemonics of passphrases).
- Change passwords on a frequent basis (at least every 60-90 days).
- Make passwords hard to guess and, yes, hard to remember (see #7).
- Utilize a password manager (but plan for the possible loss of that password vault).
- Never disclose your password; legitimate companies will never ask for it!
- Educate users about what constitutes a “strong” password and why it’s important.
- Do NOT use an Internet log book from the bargain bin at your book store.