
Guidelines for Username and Password Risk Management
Posted by: JurInnov | Posted on: February 1st, 2011
Eric Vanderburg

Usernames and passwords still represent a great information security risk to organizations. This basic but crucial element can nullify the effectiveness of some of the best systems. That is why it is important to keep usernames and passwords secure if you hope to have assurance in your information system. To help manage information security risks, this article outlines several common bad password practices and the risks they present along with steps to take to reduce this risk and protect company information. Some of the most prevalent mistakes users make regarding passwords include:
- Sharing passwords
- Using the same password for multiple accounts
- Creating insecure passwords
- Retaining passwords long-term
Sharing Passwords
The average person would never give someone their credit card number or the keys to their house, but passwords seem to be given out freely. This practice can open a company to a myriad of serious information security risks, including data loss, system unavailability, and malicious system use. In an information security survey of 2,500 people in the US, UK, and Australia, Webroot found that 40% of users had shared their password with one or more people in the past 12 months. It is frustrating that people are so willing to give out their password considering the regularity of identity theft and spamming.
In ancient times, a king had a signet ring that would be pressed into wax to certify imperial documents and decrees. History tells us of instances where the signet ring was given to another to act in the name of the king but these instances were rare. The signet ring was like an early version of our modern day passwords. Giving your password out allows someone else to masquerade as you, performing activities in your name. Those in antiquity knew how to safeguard their signet rings but we have yet to learn this lesson. When you give your password to another, you do not know how well they will protect it. Will they write it down and leave it lying about? It is impossible to know but either way your identity is left in the hands of someone else.
Using the Same Password for Multiple Accounts
Using the same password for multiple sites means a compromise of any one of those sites can compromise your account on the others. For example, if you use the same username and password on eBay and buystuff.com, then your eBay username and password are essentially stored in a database at buystuff.com. If there is a malicious individual at buystuff.com, or if buystuff.com gets hacked, your eBay account could be compromised as well, because attackers will try a username and password combination they have obtained at many common sites. This could lead to quite a few unauthorized bids and a big headache.
Even worse would be if you used the same password at work. A malicious individual could log into your work account by discovering your account name since many organizations use some form of your name as the account name, and then they would have access to everything you have at work. This is an information security risk organizations cannot afford to have.
This is a major problem that many people overlook. According to the Webroot information security survey mentioned earlier, almost 40% of those surveyed use the same password for multiple web sites, making this a clear risk that risk managers need to be aware of.
Creating Insecure Passwords
Brute-force attacks, which try millions of combinations until one succeeds, keep getting faster. These attacks can use multiple dictionaries and commonly used character substitutions to crack a password. For this reason, passwords need to be complex. Password recovery software such as Elcomsoft's Distributed Password Recovery can try a billion passwords per second.
A recent information security survey found that 20% of users structure their password around personal information such as a birth date, name of a family member, or other publicly available information. Additionally, almost 50% of surveyed users still have simple passwords, i.e. those without special characters (%,$,&,*,@, etc.).
These passwords are easy to break. Organizations must have a password policy and automated enforcement controls to ensure that passwords used within the organization are reasonably complex, and users should be trained on the importance of structuring a password that does not use personal information but is still memorable.
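As an added example (not part of the original article), the following policy check encodes the rules above: it rejects passwords that lack special characters, that are a dictionary word disguised with common substitutions such as `@` for `a` or `0` for `o`, or that are built from personal information such as a name or birth date. The word list, substitution map and user profile are constructed here for illustration; a real enforcement control would load a full cracking dictionary.

```python
import re
from datetime import date

# Constructed stand-ins for the dictionaries a cracking tool would load.
COMMON_WORDS = {"password", "welcome", "summer", "cleveland", "letmein"}
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
SPECIALS = set("%$&*@!#^()-_=+[]{};:,.<>?/\\|~`'\"")


def strip_substitutions(pw: str) -> str:
    """Undo common substitutions so 'P@ssw0rd' compares as 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET_MAP))


def personal_tokens(profile: dict) -> set:
    """Name parts and birth-date forms that a policy should refuse to see in a password."""
    tokens = {part.lower() for part in profile.get("names", [])}
    dob = profile.get("birth_date")
    if dob:
        tokens.update(dob.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%Y%m%d"))
    return {t for t in tokens if len(t) >= 3}


def check_password(pw: str, profile: dict, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)):
        problems.append("missing upper/lower/digit mix")
    core = strip_substitutions(pw)
    for word in sorted(COMMON_WORDS):
        if word in core:
            problems.append(f"dictionary word '{word}' hidden by substitutions")
    low = pw.lower()
    for tok in sorted(personal_tokens(profile)):
        if tok in low:
            problems.append(f"contains personal information '{tok}'")
    return problems


# Constructed profile used for the checks below.
PROFILE = {"names": ["Jane", "Doe"], "birth_date": date(1975, 3, 14)}

if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Jane19750314Xy!", "Harbor!Lantern42-Moss"):
        print(candidate, "->", check_password(candidate, PROFILE) or "OK")
```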
Retaining Passwords Long-term
We all make mistakes, and at some point you might make one that exposes your password, such as forgetting to shred a document with your password written on it. It is important to change passwords regularly so that they have a limited lifespan. This limits how long an exposed password remains useful, even if the exposure has not been discovered yet.
The extreme of this method is one-time passwords. Information security devices such as tokens can generate a password each time it is needed for authentication, and that password is then discarded. This method may not be appropriate for your environment, but changing passwords regularly is something every company should do as part of its information security risk management program. Either way, passwords need to be changed often, and organizations need information security policies and processes in place to minimize the risk of passwords that remain in use long-term.
Summary
Insecure passwords and poorly crafted usernames are still major information security issues for individuals and companies. Many users do not use secure passwords; they share them with others, and they use the same password in multiple places. It is basic issues like these that undermine information security programs. Some of the most prevalent mistakes users make regarding passwords include: (1) sharing passwords, (2) using the same password for multiple accounts, (3) creating insecure passwords, and (4) retaining passwords long-term.
Part of the information security risk management process should be to create information security policies that define password requirements and account naming conventions. The next step is to educate users on good password practices.
For further reading
- A graphical representation of popular usernames and passwords.
- Passwords: You’re doing it wrong
- NIST SP 800-118 DRAFT Guide to Enterprise Password Management
- Cracking one billion passwords per second with NVIDIA video cards
JurInnov, a Cleveland based firm, offers information security consulting services to give you more confidence in your information systems. Contact us today and bring your security to the next level.