Last Updated: 2007-10-10 16:26:53 UTC
by Lenny Zeltser (Version: 1)
In the spirit of October being the Cyber Security Awareness Month, we have been sharing tips for educating end-users on important security issues. Today's topic is the practices we can discuss with end-users regarding authentication mechanisms.
When it comes to authentication from the perspective of end-users, passwords are usually the primary area of concern. How to select them? How to use them? How to store them? I like the tips that Microsoft published, and recommend reviewing them. Here are a few additional pointers.
Selecting a Good Password
Make sure the end-users recognize how good the attackers are at guessing passwords for remote access if the passwords use common words or patterns, password, iloveyou, 123abc, and so on. If the user is asked to select a secret word or phrase for password recovery, that question or answer should be difficult to guess as well; an attacker will not take long to figure out an answer to the question "What's my favorite season?" (We touched upon this in an earlier diary.)
My favorite mechanism for selecting passwords that are difficult to guess, but are easy to remember involve picking a sentence that is familiar to me, and using parts of the words from that sentence as my password. It helps to add complexity to the resulting word or phrase by mixing capitalization and adding punctuation.
Also: Long passwords are good for security, but they are a pain to type. Offer your end-users some guidance for how long is long enough. The consensus seems to be that a password shorter than 8 characters is not advisable.
Educate your end-users about the dangers of using logon credentials carelessly. The biggest challenges are logging into services without an encrypted channel (e.g., no HTTPS; only HTTP) and not knowing the authenticity of the system that's asking for the credentials (e.g., lack of valid a SSL certificate and the issues exploited by phishers). Offer concrete tips for establishing when it is "safe" to logon to the system or a website, and when it is not. For example, it's not safe to type a password for accessing a sensitive website when:
- You are surrounded by people who may be looking over your shoulder.
- The website's SSL certificate does not validate properly (this one is tough to explain to non-techies)
- There is no "https" in front of the website's address
- You are uncertain whether the system from which you're logging on is trustworthy
Educate the end-users about the importance of periodically changing passwords, and about not reusing passwords across different types of systems. For instance, the user should not use the same password for a personal webmail account as for the corporate domain account.
Finally, explain why it is a bad idea to share logon credentials with other users. This violates the accountability principle that is at the heart of many security and anti-fraud initiatives. It may also make the person sharing the credentials responsible for the misdeeds of another person.
The biggest question is whether it's OK to write down the passwords. Writing them on a post-it note and pasting the note to the monitor or the bottom of the keyboard is a big no-no. (Thanks, Leandro, for pointing this out to us.) But how about placing the note into the wallet? Bruce Schneier blogged on this a couple of years ago:
"Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
I am concerned that wallets are a target of theft, particularly in crowded urban environments. I recommend using a password storage program, such as KeePass. KeePass is available for multiple operating systems, and even runs on mobile devices, so the users can keep the passwords with them at all times while having them protected with a single (and carefully-chosen) master password. Forcing people not to write or type down their passwords is asking for trouble, considering the number of passwords the end-users need to track.
Do you have tips to share regarding authentication mechanisms for end-users? Drop us a note.
Security Consulting - SAVVIS, Inc.