Passwords have been the security standard for thousands of years, ever since they replaced biometrics as the preferred method of authentication.
Biometrics? That’s right. From prehistoric times access to secure sites (food/money storage, military camps, etc.) was biometrically controlled – the guard either recognized you or didn’t. If he recognized you and was aware that you had clearance then you’d be allowed access. Otherwise, you might get run through with a sword.
But as the population needing access to secure sites increased, it was no longer possible for every guard to know every authorized person. So the password was invented, and – try as we might – it’s still the most popular way to gain access to secure sites.
I’ve been writing about – and railing against – passwords for far too long now. Back in 2006 I ranted at the University of Pennsylvania for their then new policy of forcing users to change passwords annually! Then in 2009, I castigated the US National Institute for Standards and Technology for publishing "Guide to enterprise password management."
Every identity and security guru worth his salt has at one time or another (and often more frequently) said that: 1) you should stop using username/password as an authentication method; and 2) if you must use passwords, make sure they are “strong” passwords.
There are two components to strengthening passwords:
- Length - make your passwords long: eight or more characters.
- Complexity - include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2."
Yet lists of the most popular passwords in use still look like this:
- password
- 123456
- 12345678
- qwerty
- abc123
- monkey
- 1234567
- letmein
- trustno1
- dragon
As a side note, security expert Bruce Schneier reported in 2006 that among the 20 most popular passwords on MySpace.com were “monkey” and “monkey1”. I’ve only checked English language passwords, but I do wonder if among the top 20 German passwords we can find “affe” and “affe1”.
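The two strengthening rules above, plus the caveat that cracking software undoes common letter-to-symbol tricks, can be turned into a policy check. The following is an added example, not code from the original column; the substitution table and the three-character-class rule are assumptions chosen for the illustration, and the popular-password list is the one given above.

```python
# Added example (not from the original column): a password policy check
# that enforces length and character variety, and rejects passwords that
# collapse to one of the popular passwords listed above once the usual
# letter-to-symbol substitutions are undone.
import re

# The ten popular passwords listed above, plus the MySpace "monkey1" variant.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "monkey", "1234567", "letmein", "trustno1", "dragon", "monkey1",
}

# Substitutions a cracker tries automatically. This table is an assumption
# for the example, not an exhaustive list.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "|": "l",
})
WORD_MAP = {"&": "and", "2": "to"}   # the "and" -> "&", "to" -> "2" tricks

MIN_LENGTH = 8   # the column's "eight or more characters"


def normalize(password: str) -> str:
    """Undo common symbol-for-letter tricks so 'P@$$w0rd' compares as 'password'."""
    text = password.lower()
    for symbol, word in WORD_MAP.items():
        text = text.replace(symbol, word)
    return text.translate(LEET_MAP)


def looks_common(password: str) -> bool:
    """True if the password, raw or de-substituted, is a popular password."""
    candidates = {password.lower(), normalize(password)}
    # 'monkey1', 'dragon99': a popular word with digits tacked on the end.
    candidates.add(re.sub(r"\d+$", "", password.lower()))
    return any(c in COMMON_PASSWORDS for c in candidates)


def check_policy(password: str) -> list[str]:
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    if sum(1 for c in classes if c) < 3:
        problems.append("uses fewer than three character classes")
    if looks_common(password):
        problems.append("matches a popular password once substitutions are undone")
    return problems
```

Note that "P@$$w0rd" satisfies both length and complexity yet still fails, which is exactly the gap the column's caveat warns about.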
It is evident that users do not want to give up using passwords. Nor, for that matter, do most application and service programmers. It’s also evident that users avoid strong passwords. And when they are forced to use strong passwords (or have them automatically generated), anecdotal evidence shows that the users will write them down and keep them close by their keyboard (or other input devices).
So what can we do?
For years I used a browser add-in called “Sxipper,” developed by Dick Hardt who was a co-founder of OpenID. Sxipper was not only a tool to remember usernames and passwords (as well as all the details needed to fill out forms) but was also a password generator, creating randomized groupings of letters, numerals and other characters that were well past the ability of most users to remember. But, of course, they didn’t need to remember them – Sxipper did it for them. Sxipper could save a file containing all of your data to local storage (in case there was ever a problem) but, sadly, this wasn’t encrypted, nor was authentication required to access Sxipper once your computer was up and running (i.e., authenticate to the OS and you could run Sxipper). Sxipper was officially killed early this year.
Even before that, though, I’d switched to using Chipdrive MyKey from SCM (now Identiv). Besides encrypting the archive file, it uses a USB stick which makes the service portable among all of your USB-enabled devices. It doesn’t, unfortunately, create passwords so I do need to be disciplined about that.
But Sxipper and MyKey are, essentially, single user solutions. What is the enterprise to do?
Some would suggest enterprise simplified signon (ESSO) is the answer, but most of those allow the user to choose their own passwords and simply, passively, deliver them up as needed. That doesn’t allow for enforcing a strong, non-reusable, frequently changed password policy.
Instead, my suggestion is to adapt one of the Privileged Account Management (PAM) tools to the entire enterprise. There are plenty to choose from, offered by vendors such as: BeyondTrust, Cyber-Ark, Quest Software, Thycotic Software, Apere, Avecto, Xceedium, Fox Technologies, i-Sprint Innovations, Lieberman Software and Siber Systems. Some of these are stronger than others, and prices vary accordingly. None is right for everybody, so investigate to discover which is right for you.
To take one example, though, let’s look at Cyber-Ark’s Enterprise Password Vault (EPV). Not only will EPV securely store passwords, but it will also generate strong passwords and change them regularly – up to doing so after every use! It will, of course, also audit and report on the use of those passwords. The icing on the cake is that you can bypass username/password for accessing EPV - RSA SecurID, Web SSO, RADIUS, PKI and smartcards are all configurable methods for connecting to the vault.
Sad to say, passwords are not going to go away anytime soon. Users, and developers, won’t let them. But at least we can ensure that the strongest passwords are used, without the chance for compromise by the very users they’re meant to protect.
That’s my Christmas present to you: ensure a prosperous New Year by creating (or modifying) your password policy and finding the best way to enforce it. Happy Holidays!