Friday, November 13, 2009

Password Guessing - Easy to Do (Miaoulis Writes)

Passwords can be the weak link in information security. Many organizations believe that someone guessing would only get three, four or five attempts at a password before the system locked them out. In most cases, this is a FALSE statement. Password guessing can be an easy and effective way to break into a system. There are safeguards and controls that organizations can implement to reduce the risk. The audit trail of failed login attempts is one area many organizations do not review frequently enough or take as seriously as they should.

To help folks understand why it is important to review failed login attempts, organizations need to understand how a manual hacking attempt can be hatched. Instead of guessing the password of one individual, the attacker takes a phone list, email directory, etc., derives login names from the organization's standard naming convention, and then uses the SAME password against all accounts. Assuming first initial plus last name as the login (Wmiaoulis), a password-guessing process can occur something like this. Let's assume we are in Dallas; the password we will use is Cowboys#1 (local sports teams are favorite passwords of users).

wmiaoulis --- PSWD Cowboys#1
fflintstone --- PSWD Cowboys#1
BRubble --- PSWD Cowboys#1
JNewtron --- PSWD Cowboys#1
SSquarep --- PSWD Cowboys#1

Under this technique, someone guessing passwords could continue for some time, because no single account accumulates enough failed attempts to trigger a lockout. Using this technique, I have obtained up to 15 passwords in less than two hours.

So what should organizations do? A few things can help to strengthen the inherent weaknesses of passwords.
  • Review failed password attempts using the audit trail; alarms that alert personnel when a threshold is hit (for example, 5 failures from the same terminal) are one way to reduce risk in this area.
  • Run password-cracking programs against your own systems to identify individuals with weak passwords, and coach them on how to select good passwords.
  • Install stronger authentication mechanisms (one-time passwords, tokens, cards, three-factor authentication). This is especially important for access from outside your facility (Remote Access).
  • Train users on selecting strong passwords (techniques for doing this will be provided in a post next week).
  • Modifying the standard sign-on naming convention to something like "wmiaoulis3k" instead of "wmiaoulis" will also limit an attacker's ability to guess login names. For accounts with special privileges, this is recommended.
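Detection logic for the failed-login pattern described above, as an added example that is not from the post: it assumes a constructed audit-trail line format ("FAILED_LOGIN user=... src=...") and shows why counting failures per account misses the one-password-against-many-accounts pattern, while a per-source threshold (the post's "5 from the same terminal") catches it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit-trail lines (assumed format, not from the post):
# "<timestamp> FAILED_LOGIN user=<login> src=<terminal>"
SAMPLE_LOG = """\
2009-11-13T08:00:01 FAILED_LOGIN user=wmiaoulis src=TERM42
2009-11-13T08:00:09 FAILED_LOGIN user=fflintstone src=TERM42
2009-11-13T08:00:17 FAILED_LOGIN user=BRubble src=TERM42
2009-11-13T08:00:25 FAILED_LOGIN user=JNewtron src=TERM42
2009-11-13T08:00:33 FAILED_LOGIN user=SSquarep src=TERM42
2009-11-13T08:05:00 FAILED_LOGIN user=fflintstone src=TERM07
2009-11-13T08:05:04 FAILED_LOGIN user=fflintstone src=TERM07
2009-11-13T08:05:09 FAILED_LOGIN user=fflintstone src=TERM07
2009-11-13T08:05:15 FAILED_LOGIN user=fflintstone src=TERM07
2009-11-13T08:05:22 FAILED_LOGIN user=fflintstone src=TERM07
"""

LINE_RE = re.compile(r"^\S+ FAILED_LOGIN user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(log_text):
    """Yield (account, source) for each failed-login line; logins are case-folded."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("user").lower(), m.group("src")

def per_account_failures(log_text):
    """Failures per account: the only view a per-account lockout policy ever sees."""
    return Counter(user for user, _ in parse_failures(log_text))

def source_alerts(log_text, threshold=5, spray_accounts=3):
    """Alert on any source that reaches `threshold` failures (the post's '5 from the
    same terminal'). Tag it 'spray' when those failures are spread over at least
    `spray_accounts` distinct logins, i.e. one password tried across many accounts,
    which never trips a per-account lockout; otherwise tag it 'brute-force'."""
    per_src = defaultdict(list)
    for user, src in parse_failures(log_text):
        per_src[src].append(user)
    alerts = {}
    for src, users in per_src.items():
        if len(users) >= threshold:
            distinct = len(set(users))
            alerts[src] = {"failures": len(users), "accounts": distinct,
                           "kind": "spray" if distinct >= spray_accounts else "brute-force"}
    return alerts
```

In the sample, TERM42 shows one failure per account (invisible to a three-strike lockout) yet five failures from one source, which is exactly what the per-source alarm reports.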
Understanding how passwords can be the weak link, organizations should take steps to address this important risk. Please contact me with questions or comments. Is your organization taking additional actions to reduce risks? Share them by posting a comment.
