Sunday, January 30, 2005

Putting passwords in their place

(This article appeared in Networked Comms Insight during 2003)

Network security is a difficult business, particularly desktop access. Like most regulation, it imposes a burden on the majority of users because of the risk from a few. Authentication of a user used to be a simple process but is nowadays somewhat fraught.

Take the whole genre of passwords, for example. Once upon a time, passwords were simplistic, obvious, easily remembered by those who needed to know them and basically just a way of keeping out casual users who could cause inadvertent damage.

A good example of this was the GEC SL-X system in the late 70s. To get into the software diagnostic area, the password was “S803”, which was an abbreviation for Section 803, the bit where the developers worked. Everyone who needed to know could readily remember it, and the consequence of someone misusing it was not too important, other than possibly causing a system reload, something generally career-limiting!

Nowadays, passwords are individual, tailored, have to follow arcane rules and are an absolute pain. Each has to be memorable to you but not obvious. It shouldn’t include obvious dictionary words. It needs to be mixed-case alphanumeric with as many obscure characters as possible. It can’t be something you have used within living memory of the system, and the sodding thing will start pestering you to change it just when you have got used to the existing one. No doubt, in three months’ time, the memo will come round that we have to jump through even more hoops.

Why do we have to be so precise with making our passwords so complex? After all, the network only allows you three bites of the cherry before being consigned to lockout limbo and the subsequent password reset purgatory from the service desk.

The answer lies in the way passwords are encrypted within the domain controller and across the network. Whilst supposedly secure, they can be broken by brute force using widely available tools. Widely available, that is, to script kiddies as well as security managers. Whilst domain control can be on a secure server in a protected location, the local files on laptops that enable us to work offline are much more vulnerable, as are the packets flying round the network, particularly if wireless is involved.

The need to have numerous shared passwords to get into a range of applications is less of an issue these days, as more and more software falls in line with the authentication policy, so the days of several post-it notes surrounding the screen are drawing to an end. However, we still have the need to identify ourselves to the network at logon and after every short pause where the screensaver kicks in. It is tiresome, tedious and costs big business a lot of wasted effort in managing the scheme.

So, what is the answer? There are possibilities of using biometrics: fingerprints, face recognition, voice recognition, retinal scans or the dynamics of a handwritten signature. They all have their merits and their pitfalls. How soon before we have the first publicised cyber crime that involves physical mutilation in the style of Arnie Schwarzenegger?

The biggest problem with the current password regime recommendations is that if users can’t use memorable words, they will tend to make up gibberish based on easy-to-remember key sequences, which can be observed and reproduced. This is particularly prevalent in cash card crime, where a user is observed, distracted and then the card palmed to be used five minutes later down the road.

Assuming that cracking password files is a losing battle, then the need to avoid memorable words is probably bogus, as they will all be cracked with a negligible time differential. It isn’t bogus if the words are guessable, however! What we need is individually memorable words but varying key entry. The banking industry has something called scrambler locks: a 6-digit PIN code opens the door from the banking hall to the secure area, but the keypad randomly scrambles the numerals and they are only viewable close up from a very narrow viewing angle (indeed the last one I saw and used up close used decadic counter (Nixie) tubes, which I hadn’t seen in instrumentation since the days before LED displays). I can see that scrambler keypads would make a lot of sense on cash point machines, as well as on the Chip & PIN point-of-sale terminals for credit cards now arriving, which we have seen in France for nearly a decade.
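The scrambler-lock idea, as an added example that is not from the article: a simulated keypad that reshuffles its numerals for every entry, so a sequence of key positions captured by a shoulder-surfer does not unlock the door next time, whereas on a fixed keypad it always does. The PIN, the layouts and the function names are constructed for the illustration.

```python
import hmac
import secrets

DIGITS = "0123456789"


def new_layout(randbelow=secrets.randbelow):
    """Fresh scrambled layout: layout[position] is the numeral shown on that key.
    Fisher-Yates shuffle driven by a CSPRNG (injectable for testing)."""
    digits = list(DIGITS)
    for i in range(len(digits) - 1, 0, -1):
        j = randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return tuple(digits)


def static_layout():
    """The ordinary keypad: numeral and position are always the same."""
    return tuple(DIGITS)


def positions_for_pin(layout, pin):
    """What the user physically presses: the position of each PIN digit on this layout."""
    return tuple(layout.index(d) for d in pin)


def pin_from_positions(layout, positions):
    """What the lock reconstructs from the pressed positions and the layout it displayed."""
    return "".join(layout[p] for p in positions)


def verify(layout, positions, expected_pin):
    """Constant-time comparison of the reconstructed PIN with the stored one."""
    return hmac.compare_digest(pin_from_positions(layout, positions), expected_pin)


def replay_rate(observed_positions, expected_pin, layout_fn, trials=1000):
    """An observer recorded the key *positions* of one entry and presses the same
    positions on later attempts, each shown a layout from layout_fn().
    Returns the fraction of attempts that unlock: 1.0 for a static keypad,
    close to 0 for a scrambler."""
    hits = sum(verify(layout_fn(), observed_positions, expected_pin) for _ in range(trials))
    return hits / trials
```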

Back to our Corporate laptops, where scrambler keyboards are not likely to appear. What would be a better way of securing them, or better still, unsecuring them when we (and only we) want access?

Well, my most recent ID card contains an RFID chip, the big brother device that the civil liberty and tin foil hat brigade warn us will be used to track our every waking moment, once all of our possessions are chipped and the Home Secretary has insisted that we get one implanted in order to qualify for anything other than the emergency tax code.

Despite the 1984 connotations, the card is a boon: I don’t have to swipe it or fiddle about with PIN codes; doors and barriers unlock in my presence. I still have to do a bit of vague genuflection in the direction of the sensors, but future products will no doubt have a bigger sensor catchment zone and it will simply be a case of walking through portals.

This RFID chip lives around my neck every waking corporate moment upon pain of disciplinary action. Provided I don’t lose it, it is considered secure enough to get me everywhere I am entitled to, with additional PIN code access for particularly sensitive areas. If my laptop could sense the presence of the ID card then that would solve a big problem straight away: if I am there the PC unlocks, and if I go for a coffee the portcullis slams down and the drawbridge goes up.

The trouble is that the RFID chip is passive: it simply spits out a stream of data when requested, and that request could be from a hostile source. Active RFID chips exist: you probably have one on your key ring to unlock the car. The downside is that they currently need batteries.
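The passive-tag problem, as an added example that is not from the article: a tag that hands the same data to every reader can be recorded by a hostile reader and played back to the laptop later, whereas a tag that answers a fresh challenge with a keyed hash cannot. It assumes a tag able to compute an HMAC over a shared key, a capability the article's passive card does not have; the identifier, key and class names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed values: the badge identifier and the key shared by tag and laptop.
TAG_ID = b"badge-0042"
SHARED_KEY = secrets.token_bytes(32)


class StaticTag:
    """The passive card as described: it hands its data to whoever asks."""
    def respond(self, challenge):
        return TAG_ID


class ChallengeResponseTag:
    """A tag that answers a reader-chosen nonce with an HMAC, proving key possession."""
    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return TAG_ID + hmac.new(self._key, challenge, hashlib.sha256).digest()


class Laptop:
    """Reader side. require_proof=False unlocks on the bare ID (presence detection);
    require_proof=True demands a correct HMAC over a nonce it issued itself."""
    def __init__(self, key, require_proof):
        self._key = key
        self._require_proof = require_proof
        self._outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def unlock(self, challenge, response):
        if not self._require_proof:
            return hmac.compare_digest(response[:len(TAG_ID)], TAG_ID)
        if challenge not in self._outstanding:
            return False                       # unknown or already-used nonce
        self._outstanding.discard(challenge)   # each challenge is single-use
        expected = TAG_ID + hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def record_and_replay(tag, laptop):
    """A hostile reader records one genuine exchange and presents the recorded
    response again later. Returns (genuine_unlocked, replay_unlocked)."""
    nonce = laptop.challenge()
    recorded = tag.respond(nonce)
    genuine = laptop.unlock(nonce, recorded)
    later_nonce = laptop.challenge()
    return genuine, laptop.unlock(later_nonce, recorded)
```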

So what will the future hold? I see terminal devices including a web cam as a matter of course, so a combination of RFID, face recognition and the occasional challenge for particularly sensitive stuff would smooth the process. What it will muck up, though, is the common-or-garden business presentation: there will need to be a PowerPoint mode where it trusts you for a bit while you stand at the front of the room waving your arms about!

What do we do now in the meantime? Bruce Schneier is a well-respected security guru who writes a monthly e-newsletter that is well worth subscribing to (see http://www.counterpane.com/crypto-gram.html). He does a good job of debunking the FUD that vendors come up with and has made himself very unpopular with the U.S. Government by pointing out the fallacies in the draconian homeland security legislation rushed into place after the World Trade Center atrocity.

(Every time I see it called 9-11 I think “November 9th?” I’m happy to call it Center instead of Centre though, in the same way as I’m happy to pronounce Paris as Paree the way the French do; after all, it isn’t cement.)

By the way, I’m a generalist; specialism is for insects. However, I spend enough time asking the right people the right questions to know enough not to be dangerous, so to speak. (Well, most of the time!)

Back to passwords. His advice for password management is classic KISS (Keep it simple, stupid). Paraphrasing his and other suggestions, I adopt the following:

Create an easy-to-remember username and low-level password that you use for all of the unimportant stuff across the web. Sometimes you may have to tweak it slightly due to bizarre rules, but that’s life.

For the important stuff like banking, spending money and sensitive details, don’t try to memorise them any more. Instead, make them long and complex, write them down and keep them in your wallet. Treat them like a credit card: important, and remedial action needed if lost or stolen.

As for the corporate workstation? Do the latter, but you will have to remember it if you don’t want to look in your purse or wallet 20 times a day. Roll on the future!
