Back in the dark ages of the Internet as we know it -- before we had so many malware threats and Web application vulnerabilities -- strong passwords were the security solution. This was especially true in Windows after it was discovered just how easy it was to capture and crack LANMan passwords in NT. Even today, it seems that practically everyone (both inside and outside IT) has their own opinion on what it takes to create and enforce secure passwords. The consensus is that if we use uppercase, lowercase, numbers and special characters at least seven to eight characters in length, then our passwords are magically unbreakable.
It's simply not true.
Every year, I test a fairly large number of standalone Windows workstations, servers and domains for password vulnerabilities. Network managers occasionally tell me they know everyone has weak passwords, but most are completely unaware just how widespread the problem is. Based on what I've seen, most passwords that supposedly meet the "generally accepted" requirements can be guessed with some basic trial and error -- a nominal effort that can lead to high payoffs for the bad guys with little chance that they'll get caught.
There are some legitimate password challenges that network managers struggle with. Many of these end up being serious security vulnerabilities that lead to risks most organizations aren't prepared to handle. The following are some common password management misconceptions along with an idea or two on hardening Windows security.
Myth #1: Assigning all users passwords will help keep their workstations secure.
Big mistake. Responsibility and accountability must be placed in the user's control. Otherwise, what incentive do they have to do better? Notice I didn't say that password policy enforcement should be placed in their hands. That's a different issue. Security decisions never should be placed in the hands of users. Rather, enforce strong passwords via written policy, GPOs or another password management system, and ongoing auditing. Also, what happens when a rogue or ex-network administrator abuses an innocent user's account? There's hardly an audit trail that can fix this.
Myth #2: Having tight physical security will make systems safe against sniffers and password crackers.
What happens when authentication for internal Citrix NFuse Web interfaces, Web applications and other systems are tied into Windows domain accounts? The password problem that was once just an internal issue is now opened up to the world. This is a big, big problem that's affecting more and more systems.
Myth #3: Upper management can't force users to remember complex passwords, so it will just accept anything bad that may or may not occur.
What I'm finding is that most upper managers and executives don't really understand the gravity of the problem. They think all users can be trusted, that no one shares their passwords, and that there's really not much to lose when a standard user account is compromised.
Here's a trick to shed some light on the issue: Simply log in with basic user rights, and see what you can see on network servers and workstation shares. Perform basic text searches, and look for words such as "ssn," "credit card," "dob" and other things that users have been granted access. Your findings are sure to make even the biggest nonbelievers realize there's a security problem -- especially when combined with the technical vulnerability I mentioned in the point above.
Myth #4: Requiring users to change passwords often will keep Windows secure.
Again, this is another major misconception. What's the natural human tendency when we can't keep up with new passwords -- especially multiple passwords that must be changed every 30, 60 or 90 days? We write them down. This is a real tough one to prevent if users are forced to jump through unrealistic hoops in the name of security. The solution here is to create strong but easily remembered passwords (or better yet passphrases). And if they're never shared or suspected to have been compromised, why change them often if ever? The latter is what I always recommend.
As long as we're forced to use passwords for our computing needs, I think passphrases are the only realistic solution. Build on the upper/lower/numerical/special character idea, but create passphrases that are long, impossible to crack and memorable. Once you explain it in simple terms and give good examples like "Man, I LOVE hard rock music!" your users' and executives' eyes will light up. It's virtually guaranteed.
About the author: Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.
More information from SearchWindowsSecurity.com