Security Benefits Of Passwords Information Technology Essay
In a world where information security is a growing concern, the need for user access control is vital to any organization. Authentication is the process that verifies a user’s identity and allows appropriate access (Renaud & De Angeli, 135). Authentication can take place by using what a user knows, what a user has, or what a user is. Verifying a user by what they have includes the use of a physical device such as keycards or smartcards. The problem with these is that they can be easily stolen or lost. What a user is means using a unique biometric feature to identify the user. This is the most sophisticated type of authentication but also the most invasive and costly. What a user knows is typically password authentication, which is the most common method of authentication. The use of one or more types of authentication strengthens the system and reduces the potential for unauthorized access (Hunton et al. 136). However, while the main purpose of authentication systems is to protect organizational assets, systems of authentication must balance security and usability to effectively achieve their goal. This balancing act involves making sure the authentication procedures are secure enough to protect the organization, but also usable enough so as to not inhibit productivity (Chiasson, 1). There have been a growing number of hacker attempts to access protected information, and these attacks have grown in sophistication. An organization must take steps to ensure the security of its password authentication system to avoid potential fraud and liability (Leon, 54). Organizations and individuals depend on passwords because they are most often the only obstacle between a malicious attacker and a target. Organizations can have entire systems compromised if one password falls into the hands of an attacker (Shay & Bertino, 1). The ongoing security of a password authentication system involves areas such as policies, storage, and types of passwords.
Security Benefits of Passwords
Knowledge-based authentication using passwords is the most widely-used method for verifying a user’s identity. Passwords are commonly used because they are one of the simplest, and therefore the least expensive, methods of authentication. With most passwords there is no need for users to have an extra hardware device, so there is no expense to the organization to purchase such a device. Physical hardware devices could be used by anyone who possesses them, so they are also more prone to being lost or stolen. Passwords systems also do not require extensive hardware or processing power to run. The authentication systems are easily integrated into an organizational infrastructure (Duncan, 1). Users are familiar with how to use passwords to gain access, and so these authentication systems typically do not require extensive training. Passwords can also be easily changed if one is compromised, unlike biometric information. Passwords can provide huge security benefits to organizations and individuals if implemented with proper policies and procedures.
Good passwords
Using passwords is a simple and effective way to protect personal or company information from being stolen or made public. However, if the password is not created properly, then the information is simply hidden and not very well protected. A bad password could offer the same amount of security as not having one, except to add a few minutes to a hacker’s time.
What makes a good password?
The longer and more complex a password is, the more secure it becomes. Having a password be a name of someone you know, a pet, a favorite place, or a favorite team are all very simple, and could be guessed or cracked easily (Microsoft). However, simply just having a long password is not even the most complex way to make one. For example, if your password were all numbers, then each time you added an additional number to the length of your password, it would increase the possibilities by ten. This may seem secure, as eight characters would create 100 million possible combinations. However, the simplest of computers could guess every possibility in a little more than a day. If more than one of these computers are used, or especially a brand new home desktop or supercomputer, the results would almost be instantaneous. The best way to have a password be complex is to incorporate all types of characters. This way means using not only letters, but a mixture of uppercase and lowercase letters, numbers, and symbols. An eight character password with all four types would increase the possibilities to 7.2 quadrillion possibilities. The amount of time it would take to crack this sort of password would increase to over 20,000 years for a simple computer, or 82 days for a super computer (Lucas, 2009). A business would clearly want to implement this type of secure password guidelines to protect its information.
How to make good passwords reasonable
There is a tradeoff between having a secure password and an easy password (Beyond Par Consulting). Having complicated passwords might cause some forgetful users to write their password down in order to remember it. Doing so defeats the purpose of having a secure password in the first place if an unauthorized user who wants to access the network were in close proximity to the password, such as an employee in an adjacent office. Another issue with forgetting more complicated passwords is that one has to use the time and resources of the IT staff to help reset or recover the password. Users need a system or method of remembering their passwords without needing to write them down and compromise the organization’s assets.
An easy way to help users remember their passwords is to have a coding-type system. For example, have the user pick a phrase that is easy to remember. Once the users have their 6-10 word phrase, they can use only the letter at the beginning or the end of each word (being consistent). The password will be harder to crack since the letters will most likely not make a word, however the user will have used a phrase they know, making it easy to remember. The next step is to change the capitalization of a few letters and to add numbers anywhere to the password. The password would be complete with symbols (Microsoft). Once the password is complete, the phrase that was used could be written down, adding some security with some sort of simplicity (Breaking Par Consulting). This type of password could still be cracked, but the amount of resources it would take to crack the password could possibly outweigh the benefits of the stolen data. Even if a coding system like this one were too impractical, having users simply change the capitalization of certain letters in their passwords, and adding a number will increase the security of passwords and help prevent cracking (Practically Networked).
Corporate Password Policies
While it is important to understand the characteristics of a password and what makes it strong, it is also important to understand how the degree of password strength and policies regarding password safety are implemented in the business world. Corporate policies are the modes by which companies train their employees in password management, and these policies can vary greatly between corporate cultures and industries. Policies aim to outline companies’ expectations of their employees, and controls regarding those policies can be implemented in many ways. This section will cover many of the requirements companies put on password creation and management, as well as provide examples of implementation strategies and corporate policies used today.
First, understand the expectations placed on companies between industries. To put this concept into perspective, imagine the difference in security policies used by a defense contractor who handles confidential information and someone running a “mom and pop” store that sells leather saddles and candy. Obviously, you would expect the defense contractor to have tighter security and protection surrounding its information. These same security precautions carry over into the creation, implementation, and management of password policies as well. To illustrate, a Goldman Sachs employee is required to change his or her password once a month, and also include in the password uppercase and lowercase alpha keys, at least one number, one special character, and a minimum of 8 characters in length; whereas a library policy found online required only 6 characters in length with any combination of letters, symbols, and numbers (Marshall, Ben; CNSSL, Sample Password Policy).
Creation
With security expectations in mind, a company then begins to build its policy. Sample policies that are available to anyone for free can be found through organizations like the SANS Institute. These sample policies illustrate how a policy contains sections for the overview, purpose, and scope of the policy, as well as the actual standards and guidelines applicable to employees (SANS). Companies may use outlines like these samples in helping them to script or adjust their policies to make them more applicable to their company and industry. This section will preview three common practices commonly used by companies in their password policies.
Periodical Password Changes: corporate policies often outline requirements for employees to change their passwords on a periodic basis. This requirement is a common standard among policies today, as it limits the likelihood that the employee can use the same password for other applications or has given an unauthorized user the means to enter the system for an extended period of time. There can also be different time requirements for changes between passwords; for example, a company may require its employees to change their system-level passwords twice a year while only requiring the user-level password once a year. A policy like this one would emphasize the level of security placed on the server-level password over the user-level one. Obviously, the length of time between required changes can vary greatly between companies based on the level of security they expect to maintain. Some companies even require their employees to change their passwords as often as once a month (Marshall, Ben)!
Password Contents: as discussed above, using different characters is a common tactic recommended in every password policy that places greater security on the construction of passwords. Different characters often required in many policies include: lowercase characters, uppercase characters, numbers, punctuation and “special” characters such as symbols.
Password Protection: policies can cover protection issues from how passwords are to be stored through complex encryption processes, to how employees are to protect their passwords by not writing them on their computer screen. In fact, a common corporate policy is that employees are not to write their password anywhere. Companies often store user names and passwords in a secure place for employees should they forget them. Storing these passwords is an effort to deter users from making their password available anywhere.
Implementation
When implementing a password policy, managers must anticipate how the employees will react to the guidelines. Will they think the new policy is an unnecessary nuisance? Will they think the policy is too vague or too restrictive? In explaining the policy, employers must be certain that employees understand the repercussions for breaking the policy, which can vary between companies. For example, when dealing with classified information, negligence in upholding password policies is a criminal offense. However, this “scare tactic” of trying to enforce a policy may not be as effective as alternative methods. Instead, some managers believe that it is more helpful to stress the importance of password security, not the implications of breaking policy rules (Wikipedia).
Even with the policy in place and training completed, it is still very difficult to gauge whether users are following the policies set forth, as many of them can be difficult to detect, such as not writing passwords on post-it notes. Therefore, companies must recognize the importance of training employees in their security policies to the same degree they train employees in other safety and HR policies at the beginning of, and often throughout, the employees’ careers (Password Policy, Wikipedia). The importance of this training cannot be stressed enough, as it concerns the security of an organization. For example, the required minimum password strength can be as high as is practicable, but any effort will be fruitless if an employee tells someone else the password, or perhaps sends it unencrypted over an email. Therefore, the implementation and enforcement of policies are crucial to keeping company and employee information safe.
Maintenance of passwords
An issue that companies run into when implementing strict password policies, like requiring complex or assigned passwords that are difficult to remember, is that people often write them down on things like post-it notes or somewhere near their computer. In an effort to prevent employees from writing their passwords down, companies have also provided physically- and logically-secure places, like a fire-safe or encrypted file only available to root users, where employee passwords are stored (CNSSL, Sample Password Policy; Password Policy, Wikipedia).
These “safe-houses” for passwords, as discussed above, can come in many forms. The first example of using a fire-safe to store employee and company passwords is somewhat outdated in common practice. Instead, companies turn to password tables, teeming with encryption options, to safely store passwords and keep data safe (Leon, 55). Password tables basically store user names and passwords and match them to the values entered by users attempting to enter the system (Leon, 55). While in this database, administrators need to ensure that the user data is stored securely, using hashing methods to protect from unauthorized use. “Basic hash encryption” is an approach to hashing where information is coded using a formula that encodes the user data into a value that is unusable to anyone who views it (Leon, 55). However, basic hashing often does not give enough security to protect against knowledgeable hackers. Nowadays, hackers employ such tools as “rainbow tables” to try and match encrypted data to pre-made hashes of nearly every possible password (Gates, Chris). To protect this information even further, companies may utilize “salt hashing,” which attaches a “random array of characters” to a user’s password before implementing the basic hash encryption (Leon, 55); this form of encryption is exponentially more difficult for a hacker to crack, and will often deter him/her from even trying to gain entrance into the system.
Sometimes, varying strength levels of passwords may be applied to different security levels of information as well. For example, pass codes to firm-wide resources like the kitchen may be the same password for everyone and may be very short, whereas entry to a research lab might require a more unique and complex code. This example is a very simple one, but it illustrates how a company may use a universal password to prevent employees from using one password for everything. It also illustrates how not all areas requires authentication need to have the same level of security.
Finally, having a strong password and strong security governing the storage of passwords, does not ensure complete security. The final level of password security rests with users. There are a multitude of threats to even the most secure passwords, and thus it is important that organizations create and train their employees in the necessary policies to prevent threats from causing damage.
Cracks
The idea of a password is to prevent unauthorized users from accessing a secure area. So how do unauthorized users still manage to get access? One way is to simply “crack” the authorized user’s password, allowing the assailant to access the system as though he or she were the authorized user in the first place. There are a number of password-cracking programs that use a number of different cracking methods. Two fairly-related ways to crack a password are the brute force method and the dictionary attack method.
Brute force method
The brute force method is the simplest of all cracking methods, which means that it also takes the longest to achieve its goal. If an unauthorized user attempts to discover another user’s password through brute force, he or she will use a program to guess the password using every possible combination of characters available. For example, if the password policy requires all passwords to be 6 characters long and solely composed of numbers, then there would be 10^6 possible combinations of passwords. The cracker’s program would use every single combination in that pool of possible combinations until it gained access to the system. The Cain and Abel password-cracking program found at Oxid.it, and used in our demonstration, can be used to perform a brute force attack. (Oxid.it)
As the complexity of a password increases, the number of possible combinations also increases. Thus, the best way to prevent a brute force method from succeeding is to simply make a password more complex. For instance, instead of requiring a password to be composed solely of numbers, it could be required to have a mixture of letters and numbers. This solution would increase the number of possible combinations to 36^6, assuming the password length stayed the same. The more complexity that is added to a password, the longer it will take for the cracker to gain access.
Dictionary attack method
Similar to the brute force method is the dictionary attack method. Essentially, it is the same as the brute force method, but tweaked so as to cut down on time. Performing a dictionary attack on a system is exactly what it sounds like: attacking a system through the use of a dictionary, or rather the words found in a dictionary. A dictionary attack attempts to guess a user’s password by trying thousands of common words that are likely to be found in a typical dictionary. According to Imperva, approximately “50% of users used names, slang words, dictionary words or trivial passwords” to protect their most private information (Imperva). Thus, someone using a fairly-comprehensive dictionary — one that contains slang, common names, and normal words found in a dictionary — as the sole list of passwords to guess, would have a very high chance of accessing most users’ data. Limiting the pool of possible guesses would greatly decrease the time expected to successfully crack another user’s password.
Defenses against a dictionary attack would be the exact same as defenses against a brute force attack. Simply adjusting the password so that it is not an easily-recognized phrase exponentially increases the estimated time to crack it.
Software and hardware
While password-cracking is a simple way to steal someone’s password, installing software or hardware on the target’s device is a much easier way to get their information. Keystroke loggers and packet sniffers are two very powerful tools that someone can use.
Keystroke loggers
Keystroke loggers are programs and devices that record the exact sequence of keys a user performs. They can be software that is installed on a user’s device (either intentionally by the hacker or unwittingly by the target, via Trojan horse malware). While one might think that installing hardware on a target’s computer would be easily discovered, a hardware keystroke logger is attached to the back of a computer, where it is less likely to be seen (Keyghost). Other, more sophisticated hardware keystroke loggers can actually be installed directly into the keyboard, so the only way to find them would require a user to actively search for one.
Either way, the keystroke logger records a user’s actions in a log file, and that file can be accessed on by anyone who knows where to find it. An unscrupulous person could browse through the log file and look for usernames and then see the characters selected afterwards, as these characters would most likely be the password.
Packet sniffers
Another method to steal a user’s password through either software or hardware is through the use of a packet sniffer. Packet sniffers record data that is being transferred across a network. Unless the data is encrypted, the user of a packet sniffer can see the data in plaintext, making it very easy to find the username and password. Even if the data is encrypted, however, there are still various ways for the user to decrypt or crack it, as outlined above.
Defending against these methods of attack is much more difficult than defending against a password-cracker. To prevent keystroke loggers and packet sniffers from being downloaded onto a user’s device, an organization should establish policies concerning what an employee can and cannot download. As far as hardware is concerned, physical security and policies will need to be instated to ensure that the only individual with access to an important device is the one with authorization.
Scams
One more way for criminals to steal users’ information is, of course, to scam the user. Scams have been around forever, and the rise of the Internet has only allowed them to become more sophisticated. Most people are aware of the Nigerian advance-fee fraud, where a potential victim receives an email indicating that he or she is being given an opportunity to help out somebody else in return for a multi-million dollar reward. All the person needs to do is provide bank account information. This sort of scam is common, and has evolved to become less immediately-recognizable as a scam. For example, emails today often “spoof” a known organization. This spoofing can be done by altering the email contents so that it looks official ([email protected], rather than [email protected], for instance). The targeted user may not realize that the email is fraudulent, and may unwittingly hand over personal account information.
According to Miller Smiles, “the web’s dedicated anti-phishing service,” institutions such as banks will never ask for personal information through email. If someone is unsure whether an email is fraudulent or not, Miller Smiles contains an archive of fraudulent emails that individuals can browse through to see if their emails have already been found to be fraudulent. In addition, before accepting these emails as genuine, the website also suggests forwarding the email to the actual institution it purports to be from, asking if it was sent from there. (Miller Smiles)
Alternative Types of Passwords
Many of the vulnerabilities found with static-text based passwords can be addressed without significant investment in new authentication systems. The use of graphical or one-time passwords have proven to be more secure and user friendly than traditional password authentication systems.
Graphical Passwords
Graphical passwords are based on the ability to recognize pictures instead of text. There are three categories of picture-password systems; searchmetric, locimetric, and drawmetric. Searchmeteric systems involve the user selecting a combination of images from a challenge set. When a user uses Locimetric systems they select a series of positions within one image. Drawmetric systems require the user to sketch out a distinctive pattern, and are similar to biometric authentication that uses signature or handwriting recognition. Typically, users are able to select their own images to aid in remembering the password. Graphical passwords are more secure and user friendly than regular passwords. Because images are more difficult to convey or write down then text and numbers, they are less susceptible to being compromised. Research has shown that humans are able to remember images more accurately and for a longer period of time than text, thus users are less likely to forget image passwords (Renaud & De Angeli, 136-139).
One-Time Passwords
One-time passwords also mitigate some of the security risks of regular passwords. With this type of authentication the password is different every time a user logs on to the system. With the time-synchronized and counter-synchronized method, the user must possess a physical device to obtain the one-time password. This device, often called a “token”, is connected to a server that uses a complex algorithm to create the passwords. This algorithm makes it difficult for hackers to guess the correct password (Griffin, 2). While the token eliminates the need for the user to remember a complicated password, it also adds cost and complexity to simple password authentication. A token has the potential to be misplaced or stolen from the user. The ability to have a token-less one-time password system has emerged with new software. These passwords are typically delivered after a user answers a set of questions and are set by an alternative secure means such as encrypted email or text message (Yudkin, 1).
Conclusion
Information security is essential for organizations and individuals to achieve their respective goals. Passwords are a very easy and practical way to secure informational assets and systems. There are alternative methods of security, but none of them are as easy to use as passwords. Passwords security systems are also the least expensive to implement of all the authentication methods. The commonality of passwords makes it vulnerable to a multitude of threats including password crackers, malicious software and scams. Thus, to ensure that passwords are not a useless security measure, proper password guidelines and policies are necessary.
Order Now