User Education Pays:

When the construction of a password is left to the mind of the user, they invariably will choose the path of least resistance when it comes time to recall that password. In mid-2001 researchers in Britain (at the bequest of the Internet domain name registry CentralNic) determined that there are four types of people when it comes to choosing passwords:

• Family-oriented users. These users select their own name, their nickname, or the names of their partners, children, or pets for the password. They represented nearly half of the study’s participants.
• Fan users. These users select the names of sport stars, cartoon characters, or pop icons. They represented nearly 1/3 of the participants.
• "Self-Obsessed" users. Selecting passwords like "sexy," "stud," and "goddess," these users represented 11 percent of the participants.
• "Cryptic" users. Your gold standard, these users selected strong passwords utilizing mixed case characters, numbers and punctuation. Unfortunately they only represented 9 percent of the participants.

The main reason people create weak passwords is because nobody ever explained to them how easy it is to craft strong passwords. Policies and Standards that require a combination of mixed-case characters, numbers, punctuation, and possibly control (non-printable) characters often confuse users. If they do "follow the rules," they often create a greater security risk by writing down their new "secure" password and storing it under their keyboards, mouse pads, or phones (if they hide it at all!).

It is important, therefore, to educate users about the password policy, related standards, and procedures, using language and examples they can easily relate to. Showing the user strong examples that are easily created and remembered is critical to the success of your password policy. Here’s an example that has proven successful at several companies:

First, have the user select a short phrase. It can be from a favorite song, movie, or book, anything they’ll remember. For an example, use "Choosing a strong password is Easy." Ask them to use only the first letter of each word in the phrase. In the example this yields "CaspiE." This is definitely not a dictionary word. Point out the use of different capitalization to provide emphasis in the phrase.

Second, have the user select a single-digit number. Suggest they use the last digit of the year they were born, or of their home phone number, or zip code.

Finally, have them select a non-alphanumeric character from the keyboard. It’s useful to display to them (in a presentation or employee manual) the characters you’re talking about. For ease, you might just show the characters that appear above the numbers on a standard keyboard.

Now show them how to put these together. One possible example is: Cas3piE#

Ensure that whatever examples you chose to show adhere to the policy, standards, and procedures that are in place. Avoid the exception during user education!

Ensure that you also educate employees about the procedure for resetting a password at this time as well. Most employees will still have concerns that they’ll forget the "Easy and Strong" passwords they’re forced to create every X months. You can help put their mind at ease by explaining that password resets are to be expected, and that someone (their help desk) will be available to assist them if and when necessary.

Your user training and new employee manual should also explain why strong passwords are important, and why the policy and standards are so specific. An often cited example on the web includes instructions in question and answer form, including (with others):

• What is a password, exactly?
• What is password security?
• Why is password security important?
• Why can’t I tell anyone my password?
• Why can’t I write down my password?
• How can I tell if my password can be guessed?

The first users you should educate are the help desk staff. They are typically responsible for two key activities that will serve as the best examples for users.

First is creation of initial passwords. When a new employee joins the company, their userID/password combination should NOT be "jsmith/jsmith," "jsmith/password," or "jsmith/jsmith1." It should be "jsmith/Cas3piE#" or some similarly strong combination that adheres to the policy, standards, and procedures.

Second is resetting of passwords. Again, resetting a password to "password," "today," or "userID" is not helpful to your goal of securing access.

A quick word about resetting passwords is appropriate here. During the SANS Security Essentials conference (Chicago) in November 2001, Eric Cole presented a great procedure to follow when resetting passwords. The help desk is contacted requesting a password change. Unless you work for a small company (or have help desk employees with lengthy tenure), chances are the employee answering the phone cannot absolutely identify the employee who has contacted them. Fortunately, most companies have a voice mail system, and most of those require a password for access to saved messages. The help desk can utilize this system to allow employees easy access to changing their password, while keeping changed passwords reasonably secure. Imagine overhearing part of a "change my password" conversation:

Forgetful User: Please change my password, as I’ve forgotten it and can’t get in to do my important work.

Help Desk Employee: Okay, Mr. Smith. I can do that for you. What I will do is change your password, and then call you back. Please let your phone ring through to voice-mail. I will leave your new password on voice-mail for you.

Forgetful User: Can’t you just give it to me over the phone?

Help Desk Employee: I’m sorry, Mr. Smith, but company policy requires that I give you your password securely. The easiest way to do that is to leave your new password on your voice-mail. I can call your voice-mail immediately with the new password.

Obviously, you will need a help desk that can handle the occasionally irate customer. If you’ve done your education correctly, your users will already know the drill. The benefit to this procedure is that your "unidentified" user must know something that only the user should know, their voice-mail password. This works even if the employee is working from home, assuming (usually a safe assumption) that they can access voice-mail remotely. In the event someone unauthorized is requesting the change, the genuine user would receive unexpected voice-mail from the Help Desk and would (if educated to do so) alert them or your Security department to a problem.

There is no way to ensure that your policy, standards, or procedures are being followed if you don’t audit them periodically. The easiest way to audit the password policy and standards is to execute an automated program against the files in which passwords are stored. LC3 (previously l0phtcrack) is an easy (too easy) to use program that can perform this function for you on many operating systems. Executing it periodically can help you monitor adherence to "the rules." (See the Quick Legal Consideration before implementing this particular device!)

Another idea is to utilize a program such as Password Policy Enforcer (available from TP Information Systems Pty Ltd). This program checks new passwords when they’re created to ensure that they adhere to the policy and standards of a company. Messages are presented to users that craft non-compliant passwords that can help direct them to an acceptable selection. Software such as this may reduce calls to the help desk.

Auditing your procedures is equally, if not more, important. Create new users and review the default assigned passwords. Do they change with each user, or is the same "strong" password used every time?

Request a password reset. Better yet, have your CEO do so. Is the procedure being followed as documented? Does the new password adhere to the policy and standards?

If you’re using LC3 or similar software, audit the software audit procedure. Are two employees running the software together? Can they see the passwords as they are "cracked?" Do they have access to the software when audits are not being executed?

Having an excellent policy, high standards, and easy procedures are laudable goals. If they’re not being followed, however, you may as well change your own password to "password." Auditing both policy/standards AND procedures is the only way you can be confident that your goal of securing access is being reached. It is recommended that these audits take place regularly, and at least once a year an unscheduled audit should be performed.

During a discussion of the LC3 software at the November 5-10 SANS Security Essentials conference in Chicago, Eric Cole presented a scenario wherein he was an expert security witness for a company. The case was determined baseless, however, when the defense attorney asked the system administrator if he audited passwords. The system administrator did, using LC3 or a similar program, which showed the passwords as they were "hacked." The defense attorney then made the case that the company couldn’t prove his client perpetrated the offense because others within the company had access to the client’s password and could easily have used the client’s userID and password to commit the crime.

For this reason, it is recommended that you protect yourself and your company by clearly indicating through policy that at no time should passwords be shared. The policy should also indicate that when auditing occurs, passwords shall not be made visible. LC3 gives administrators the option to know whether or not a password was cracked without knowing the password itself. Documented procedures should support these policy statements in word, and regular audits of the procedures should demonstrate that the policy and standards are being followed.

Securing access through the use of passwords is a viable protection against both internal and external hackers, if done correctly. The keys to making it work are simple:

• Have a password policy, standards, and procedures in place that clearly define the expectations of users in creating a secure environment. Prepare for exceptions, they will occur.
• Educate users concerning the policy, standards, and procedures. Using straightforward language and good examples helps the users comply with "the rules" with minimal complaint. Remember, chances are no one has ever shown them how easy it can be!
• Utilize your help desk personnel as allies. Bring them into the process early because they’re going to get all the calls when users can’t comply with password policies and standards. They’re also responsible for adhering to key procedures.
• Perform regular and unscheduled audits to ensure that the policy, standards, AND procedures are being followed as outlined.

By following these steps, you will have secured access for your users, while securing access to the information critical to company operation. You’ll also sleep a little easier.