Archive for the ‘Passwords’ Category

The Multi-Factor authentication’s relationship to SSO

August 1st, 2006 Michael Farnum

I posted a few days ago about the password length vs. complexity vs. multi-factor authentication debate.  One of the assertions I made was that it is essential to tie in SSO with multi-factor authentication.  Now, I did not assert in my post that SSO makes multi-factor authentication more secure, as Chris Hoff says I did in his post.  However, that was a point I wanted to make, so I am not quite sure why I didn’t do it.  So, without further hesitation, I now officially contend that it does make a system more secure in many ways.  So, let’s look at them:

1. Lowered password complexity when coupled with one or more other factors actually makes for stronger security.  Chris, rightly so, blames many of our security woes on users.  But I believe that the user is less likely, not more likely, to write down a PIN so he or she can remember it than if he or she had to remember a strong, complex password (even if they use passphrases).  Yes, I see some users writing their PIN on their RFID card, just like their ATM cards.  But you know, many of those lessons have been learned out there already because ATM security has been beaten into people over the years.  Approach it as being very similar to ATMs, and a light comes on immediately.  Believe me, I have seen the look of comprehension on quite a number of user faces as I explained a card and PIN in this manner.  I actually think this is the least worrisome of the issues.

2. Most SSO vendors allow for scripting of password changes.  This allows the system to change a password automatically, and (if the target system supports it) it can replace the password with a long AND complex password that is not practically crackable today and that the user never sees.

3. Number 2 also lowers the social-engineering vulnerability from the user’s side: nobody can impersonate Joe Admin and ask you for a password you don’t even know.

4. With a properly implemented SSO solution, you have a lessened need for password resets, which lowers your vulnerability to social engineering from the admin side (someone impersonating a user to get a reset).

5. In looking at the good ol’ CIA triad, availability is one of the points of the triangle.  Many people forget about this point and just secure the crap out of the network while forgetting that the resources need to be available.  Making the authentication process more difficult is not complete security.  An SSO coupled with multi-factor can make the login process easier while also creating a good layer in your defense-in-depth (DID) infrastructure.
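As an added example of what point 2 above describes (my code, not the page’s or any SSO vendor’s): a Python routine an SSO connector could use to generate the replacement password it pushes to a target account, checked against a Windows-style “three of four character classes” rule.  The class definitions, the symbol set and the 24/32-character defaults are assumptions; trim them to whatever the target system actually accepts.

```python
import math
import secrets
import string

# Character classes a typical Windows-style complexity policy counts.
# The symbol set is an assumption; adjust it to the target system.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALPHABET = "".join(CLASSES.values())


def meets_policy(password: str, min_length: int = 24, min_classes: int = 3) -> bool:
    """True if the password is long enough and uses enough character classes."""
    if len(password) < min_length:
        return False
    present = sum(1 for chars in CLASSES.values() if any(ch in chars for ch in password))
    return present >= min_classes


def generate_rotation_password(length: int = 32, min_classes: int = 3) -> str:
    """Generate the password an SSO system sets on a target account.

    Draws every character uniformly from ALPHABET with the OS CSPRNG
    (`secrets`) and uses rejection sampling, retrying whole candidates
    until the class rule is met, rather than forcing one character per
    class, which would bias the result and make its layout predictable.
    """
    if length < min_classes:
        raise ValueError("length must be at least min_classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length, min_classes=min_classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniform draw: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_rotation_password()
    print(pw, f"({entropy_bits(len(pw)):.0f} bits)")
```

A 32-character draw from this 76-character alphabet is roughly 200 bits, far beyond anything a cracker will brute-force, which is exactly why the user never needs to see it.  For comparison, an 8-character human-chosen password from the same alphabet tops out near 50 bits even before dictionary patterns shrink it further.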

Speaking of DID, Chris makes the point that the SSO structure adds another attack surface.  Well, if its worth can be shown as a valid security layer (as I hope I have done to some degree above), then it simply adds another attack surface just like every other layer adds surface or a platform for launching attacks.  Your firewall can be used to attack you if it is compromised.  So can your IDS / IPS and other security layers.  Your SSO vendor, just like any other, has to prove that they are making a secure product so it can’t be easily compromised.  They have to protect the keys that are inside the SSO vault.  But when you consider that many of the major security vendors like RSA, Citrix (yes, they are good at security), CA, Novell, etc. are pushing their SSO solutions, I think you have many valid choices.

As to mutual authentication, I am totally and completely in agreement that this is where we need to go.  But how many security vendors are pushing this as a mainstream solution today for SMBs?  I can sense the swing, but I have to make sure my advice is attainable now, not 5 years in the future.  And I think if you want to mitigate the risks of passwords, SSO coupled with multi-factor authentication is a valid choice TODAY.

Vet

Today’s Security Tip: Password Cracking

August 1st, 2006 Michael Farnum

I recently posted about password length vs. complexity vs. two-factor authentication.  But passwords will be around for quite a while, so what are some of the things security professionals can do to keep passwords up to snuff?  One of the ways is obviously to enforce password length and complexity, but politics don’t always let that happen.  So many security shops simply have to set policy and then try to enforce it as best they can.  But how do you do that?  Two words: password cracker.  Once you crack the passwords and determine the ones out of policy, then you go smack the user upside the head with the rolled-up policy, then make ‘em change the password.

Now here is where I get lazy and point you to this site that lists some of the best crackers and hash grabbers out there.  But I will say that two of my favorites for a Windows environment (which is what most security admins are supporting) are L0phtCrack and Cain and Abel.  Cain and Abel is free.  L0phtCrack was put out by @stake, but they have since been bought by Symantec and it has been discontinued, so you can’t buy it.  However, the site above has some ways of getting access to it.

A couple of disclaimers: I do not condone piracy (AARRGGHH!!!), and only use your powers for good.  Ok then…

As said above, password cracking is a valuable tool for enforcing policies when politics won’t actually let you set the rules for enforcement.  And besides, it’s fun!  You never know what some of those passwords are going to be.

By the way, this security tip is part of a series that Michael at mcwresearch.com and I (and possibly some other bloggers) are trying out this week to see if it catches on.  Michael’s latest tip is here.  [Update: Alan Shimel is joining in on this at his blog.]

Vet

Categories: Passwords, Security

Password length vs. complexity vs. getting rid of the darn things

July 28th, 2006 Michael Farnum

Roger Grimes has an article at InfoWorld about the size of passwords versus their complexity.  I agree with Roger’s assertion that password length matters more than complexity.  I have been told by many a security consultant to make the third character a special character, or make the fifth character uppercase, blah blah blah.  This just does not work.  I crack passwords as part of my security manager duties, and length has always trumped complexity.

The main reason is because of the good ol’ human factor, and Roger points out some of the issues below:

  • People typically stick with a few characters, even if you try to force complexity.
  • People are predictable, so dictionary attacks can be written based on known patterns.
  • Handing out complex passwords will piss people off and make them write the passwords down.

So what to do, what to do?  Well, make the passwords longer.  Enforce length, then tell people to simply use a sentence of over 10 characters.  It could be “Bob is a big fat loser” (no, I don’t know who Bob is – maybe that damn Accountemps guy), or it could be “I got my nails done on Tuesday”.  Anything like that gives you what you need.  Dictionary attacks are not going to work against that, and the sheer length makes brute force impractical.

Of course, I would like to get rid of ‘em altogether, or at least get rid of passwords as they are today.  They are a nuisance, plain and simple.  Multi-factor authentication is one answer.  I know it is susceptible to man-in-the-middle attacks, but how many networks are going to have this problem if other security measures are in place (dang defense-in-depth keeps coming back up every time I turn a corner!).  I tend to favor the passive RFID card / PIN combination over the active RFID, smart card, or token / PIN combo.  It is simpler than the token (even though it seems really simple, users get so hung up on combining a six-digit number with a four-digit PIN – don’t ask me why), and it is more secure than the smart card or the active RFID (very limited range compared to the active RFID, and typically contains no identifiable info compared to the smart card).

One limitation to RFID cards is remote users, but readers are getting more and more common in laptops.  Or you can implement a smaller token-based system for those users, though administration may turn into a headache.

But here’s a caveat, no matter which way you go: you really need a single sign-on solution backing up a multi-factor authentication implementation.  This scenario seems to make a lot of sense for a few reasons:

  • It eases the administrative burdens for the IT department because, if implemented correctly, your password reset burden should go down to almost nil
  • It eases (possibly almost eliminates) password complaints and written down passwords
  • It has the bonus of actually easing the login process to the network and the applications

I know it is not the end-all-be-all, but multi-factor authentication is definitely a strong layer in your defenses.  Think about it.

Vet

Categories: Passwords, Security