Saturday, March 17, 2012

The why's of passwords

WHY is a very important concept. Skilled social engineers know this, and will always give their target a plausible reason for what they are asking, but companies rarely talk about the why of security. They will have policies like this:
  1. All passwords must be a minimum of 8 characters, with at least 1 number and 1 special character.
  2. All passwords must be changed every 90 days.
  3. Passwords cannot be reused.
  4. Do not use the names of friends, family, pets, children, grandchildren, or "grand-pets"
These are sensible rules, but in my experience, employees do not like these rules, so they end up with a series of passwords like this:

Muff!n1 Muff!n2 Muff!n3 . . . . 

I have had much more success with compliance with the security rules when I add this bit to the "rules sheet".

These password rules prevent others from gaining access to the system, and can also protect your own personal accounts. If an attacker guesses your password from information you have posted on Facebook, they can gain access to ALL of your accounts, including on-line banking, email, and anything you have access to on the company network.
The more complex a password, the harder it is for someone to guess using brute force methods. Steve Gibson has created a calculator that estimates how long it would take to crack a password at https://www.grc.com/haystack.htm. Try out a few passwords and see the difference adding numbers and punctuation makes to the time it would take to break, and especially the difference adding more characters makes. Try to get the Massive Cracking Array Scenario over 30 minutes.
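To make the two points above concrete (the Muff!n1, Muff!n2 rotation series, and the search-space arithmetic behind the Haystack calculator), here is an added Python example. It is not code from the post or from Steve Gibson's site; it reimplements the Haystack idea (every string of length 1 up to the password's length, over the alphabet the password draws from) and adds a change-time check that flags a new password which is just the old one with its trailing digits bumped. The character-class sizes, the three guess rates and the sample passwords are this example's own assumptions.

```python
import difflib
import re

# Character-class sizes assumed for the alphabet: 26 lowercase, 26 uppercase,
# 10 digits and 33 printable symbols (95 characters in total).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guess rates (per second) for the three scenarios. These are assumed values
# for this example, written down so the numbers below can be reproduced.
GUESS_RATES = {
    "online attack": 1_000,
    "offline fast attack": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}


def character_classes(password):
    """Return the set of character classes the password draws from."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def search_space(password):
    """Guesses an exhaustive search must cover: every string of length
    1..len(password) over the password's alphabet (Haystack-style)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return sum(alphabet ** k for k in range(1, len(password) + 1))


def crack_times(password):
    """Seconds to exhaust the search space under each guess-rate scenario."""
    space = search_space(password)
    return {name: space / rate for name, rate in GUESS_RATES.items()}


def meets_target(password, scenario="massive cracking array", seconds=30 * 60):
    """The post's yardstick: over 30 minutes in the massive-array scenario."""
    return crack_times(password)[scenario] > seconds


def looks_like_increment(old, new, threshold=0.8):
    """Flag a new password that is the old one with only its trailing
    digits/punctuation changed (Muff!n1 -> Muff!n2), or that is otherwise
    nearly identical. Usable at change time, when the user presents both the
    old and the new value; a stored history of hashes cannot do this."""
    def core(s):
        return re.sub(r"[0-9\W_]+$", "", s.lower())
    if core(old) and core(old) == core(new):
        return True
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def fmt(seconds):
    """Human-readable duration for the report."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.4f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords: the rotation series from the post plus
    # two longer alternatives.
    for pw in ("Muff!n1", "Muff!n2", "Muff!n123", "muffin-wants-her-dinner"):
        print(pw, sorted(character_classes(pw)), f"search space {search_space(pw):.3e}")
        for name, secs in crack_times(pw).items():
            print(f"   {name:24s} {fmt(secs)}")
        print("   meets 30-minute target:", meets_target(pw))
    print("Muff!n1 -> Muff!n2 is a trivial increment:",
          looks_like_increment("Muff!n1", "Muff!n2"))
```

Two things the output shows that the prose does not: Muff!n1 and Muff!n2 have exactly the same search space (the rotation buys nothing against an attacker who already has the old one), and at the assumed massive-array rate a 7-character password from all four classes falls in under a second while adding two more characters pushes it past the 30-minute target. The search-space figure is the cost of a blind exhaustive search; a password built from a pet's name is found far sooner by a dictionary guess, which is the Facebook scenario the rules sheet warns about.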
Once an attacker has a password, they will sometimes wait for a period of time just in case you get suspicious and start checking everything. Changing the password regularly combats this problem - a compromised password will not work very long.
Once I explain the WHY behind my password policies on the networks I manage, there is much less "flak" from employees about having to change their passwords on a regular basis. In fact, I often get asked if the same rules should apply to their other accounts. The rules become more personal.

WHY is such an important concept when it comes to convincing people to do something you want them to do - even in marriage. Don't just say things like "stop getting your nails done every week for $100". Instead, say things like "If you can do your nails once a month instead, we would have $3600 to pay down our debts. Once the debts are paid off, we can go anywhere in the world we want on vacation every year." In most cases, when people aren't seeing your point of view it's because they don't see the WHY.
