To help folks understand why it is important to review failed login attempts, organizations need to understand how a manual hacking attempt can be hatched. Instead of guessing the password of an individual, the attacker takes a phone list, email directory, etc., applies the organization's standard naming convention to build a list of logins, and then tries the SAME password against all accounts. Assuming first initial plus last name as the login (wmiaoulis), a password guessing process can look something like this. Let's assume we are in Dallas, so the password we will use is Cowboys#1 (local sports teams are favorite passwords of users):
wmiaoulis --- PSWD Cowboys#1
fflintstone --- PSWD Cowboys#1
BRubble --- PSWD Cowboys#1
JNewtron --- PSWD Cowboys#1
SSquarep --- PSWD Cowboys#1
Under this technique, someone guessing passwords could continue for some time, because each account sees only a single failed attempt and no lockout is triggered. Using this technique, I have obtained up to 15 passwords in less than two hours.
So what should organizations do? A few things can help to strengthen the inherent weaknesses of passwords.
- Review failed password attempts using the audit trail. Alarms that alert personnel when a threshold is hit (for example, 5 failures from the same terminal) are a way to reduce risk in this area.
- Run hacking programs against yourself to identify individuals with weak passwords, coach them on how to select good passwords.
- Install stronger authentication mechanisms (onetime passwords, tokens, cards, three factor authentication). This is especially important for access outside your facility (Remote Access).
- Train users on selecting strong passwords (techniques for doing this will be provided in a post next week).
- Modify the standard sign-on naming convention to something like "wmiaoulis3k" instead of "wmiaoulis"; this limits an attacker's ability to derive valid logins from a directory. For accounts with special privileges, this is recommended.
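The audit-trail review from the first recommendation, as an added example that is not part of the original post: it reads constructed sample log lines (the field names and the TTY terminal labels are assumptions), counts failures per terminal, and raises an alert when one terminal hits the threshold of 5 failures spread across several distinct accounts. The contrast function shows why a per-account lockout alone misses this pattern: no single account fails often enough to be locked.

```python
from collections import defaultdict

# Constructed sample audit-trail lines (not from the original post):
# timestamp, terminal, login name, outcome. One terminal tries the same
# password against five accounts; another is a user mistyping once.
SAMPLE_LOG = """\
2024-01-15T08:01:02 term=TTY17 user=wmiaoulis result=FAIL
2024-01-15T08:01:09 term=TTY17 user=fflintstone result=FAIL
2024-01-15T08:01:15 term=TTY17 user=BRubble result=FAIL
2024-01-15T08:01:22 term=TTY17 user=JNewtron result=FAIL
2024-01-15T08:01:30 term=TTY17 user=SSquarep result=FAIL
2024-01-15T08:01:37 term=TTY17 user=wmiaoulis result=OK
2024-01-15T08:05:00 term=TTY02 user=fflintstone result=FAIL
2024-01-15T08:05:20 term=TTY02 user=fflintstone result=OK
"""

def parse_line(line):
    """Split one 'key=value' audit line into (terminal, user, result)."""
    fields = dict(f.split("=", 1) for f in line.split()[1:])
    # Login names are case-insensitive on most systems, so normalize them.
    return fields["term"], fields["user"].lower(), fields["result"]

def failed_logins(log_text):
    """Yield (terminal, user) for every failed attempt in the log."""
    for line in log_text.splitlines():
        if line.strip():
            term, user, result = parse_line(line)
            if result == "FAIL":
                yield term, user

def spray_alerts(log_text, threshold=5, min_distinct_users=3):
    """Terminals that hit the failure threshold across several different accounts."""
    stats = defaultdict(lambda: [0, set()])   # term -> [failure count, users]
    for term, user in failed_logins(log_text):
        stats[term][0] += 1
        stats[term][1].add(user)
    return [(term, count, sorted(users))
            for term, (count, users) in stats.items()
            if count >= threshold and len(users) >= min_distinct_users]

def per_account_lockouts(log_text, threshold=5):
    """Accounts a classic per-account lockout would catch: none in a one-guess-per-user spray."""
    per_user = defaultdict(int)
    for _term, user in failed_logins(log_text):
        per_user[user] += 1
    return sorted(u for u, n in per_user.items() if n >= threshold)
```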