SOMETIMES NETWORK PASSWORDS ARE REAL OBVIOUS
"If you walk into somebody's cube and there are pictures of Tom Petty everywhere, their password is Tom Petty," says Dennis Goldberg, senior network analyst for Unitrin Data Systems. Some employees will put a sticky note inscribed with a password under their keyboard.
Discovering a person's password isn't always so easy. But a hacker with a little know-how could crack Unitrin Data Systems' corporate user passwords in no time. Goldberg learned this after running L0phtCrack, a basic hacker software tool available on the Internet. The program cracked 90 percent of Unitrin's 5,000 user passwords in less than two hours, from top executive to clerk accounts.
That kind of statistic makes CEOs nervous, and these days network security is on every IT pro's mind. Protecting a company's proprietary data is a primary job of IT departments, yet many companies still have vulnerable password systems. And managing a network password system can mean time-consuming and repetitive tasks for system administrators. Employees often forget their passwords, have trouble changing their passwords and are locked out of the network. System administrators must jump to solve password issues because users can't work at their stations until they're logged on. Employees are idle as they wait for IT help.
SOFTWARE REDUCES PASSWORD SUPPORT CALLS
To help him manage the password system, Goldberg turned to Avatier's Password Bouncer, which gives administrators more control over what passwords users can choose. Another Avatier product, Password Station.NET 2.0, allows employees to reset passwords themselves through a secure question and answer authentication process. American Color Graphics, which prints advertisements for Sunday newspapers across the country, went with Passport Station .NET because password problems became so bothersome.
Chicago-based Unitrin Data Systems, a Unitrin company, provides data services for property, casualty and life insurance companies. Unitrin Data Systems' 5,000 nationwide users are connected by one large wide area network. Most work with Windows NT 4.0 Professional, though some use Windows XP and Windows 2000 Professional. All belong to a single master user domain with the workstation accounts homed on multiple resource domains. This model makes the management of users and machines easier for field support staff.
NT provides basic password security. It can restrict passwords to minimum and maximum lengths and force users to change passwords every so many days. But that was not enough for Unitrin Data Systems.
Given few restrictions, employees typically choose simple and obvious passwords that are easy to crack, such as their first name, birthday, pet's name, child's name, name of their favorite rock star, and so on, Goldberg said.
Goldberg called Avatier President and CEO Nelson Cicchitto and told him what Unitrin Data Systems needed.
"I sat down with him and his developers," Goldberg said. "I listed a whole bunch of things our security guys said were essential."
Like the ability to create a custom blacklist to prevent users from choosing common words, for example, and the ability to block the same character or number from being used three times in a row. One of the first words Goldberg blacklisted was the company name, Unitrin.
Avatier's Password Bouncer is the result of Goldberg's request for a strong password security program. Unitrin Data Systems implemented the software a year ago; it took three minutes to install, Goldberg said.
Afterward, he ran L0phtCrack, and this time it took more than three days to break only 12 percent of user passwords. Hackers are similar to thieves working a hotel, he says.
"Most hackers will jiggle every doorknob," Goldberg said. "If it takes too long to jiggle every doorknob, they go on to another hotel."
One downside to Password Bouncer is its inability to tell users the password policy when passwords are rejected. But Avatier says the latest version does tell readers why their proposed passwords won't fly.
USERS CAN RESET PASSWORDS ON THEIR OWN
Jeff Bair, senior LAN administrator at American Color Graphics, was spending way too much time helping employees log on the network. Three quarters of the time users called him, it was because they forgot their password or tried and failed to enter the correct password so many times that the system locked them out.
American Color Graphics, owned by ACG Holdings, has nine printing plants in the United States and Canada, and they print newspaper advertisements and comics 24 hours a day, seven days a week. That means the 700 employees with log-on accounts paged Bair at all hours when they couldn't get in the network. Seventy percent of users are on Windows XP and 30 percent on Macintosh operating systems.
"I received several calls in middle of night that woke up me and my wife," Bair said. "I would get calls at 1, 2 in the morning. I can't be at a computer 24 hours a day."
Bair first saw Avatier's Passport Station.NET application in May at Tech Target's Windows Decisions conference. Password Station.NET 2.0 allows employees to reset their passwords themselves through a secure question-and-answer authentication process.
Back at the office, Bair downloaded a trial version, and shortly thereafter he implemented the software company-wide.
"I literally had it up and running in five minutes," Bair said. "The installation is almost foolproof."
Passport Station.NET has significantly reduced the time Bair spends helping users establish new passwords.
"I've got one accountant in particular who was frequently getting locked out," Bair said. "She works after-hours, and this software has saved her on more than one occasion."