[pic]

Password Security

And Other Effective Authentication Methods

[pic]

Table of Contents
Introduction 1

User Accounts 1

Account and Password Policy 2

Password Attacks 4

Authentication Methods and Password Management 5

Public Key Infrastructure 6

Single Sign-On (SSO) 6

One-Time Password (OTP) Tokens 7

Biometrics 7

Fingerprints 7

Face Scans 7

Retina Scans 7

Iris Scans 7

Palm Scans 8

Hand Geometry 8

Heart Patterns 8

Voice Pattern Recognition 8

Signature Dynamics 8

Keystroke Patterns 8

Password Managers 8

Conclusion 9

Bibliography 10

Introduction

Human beings are arguably the weakest link in computer and information security. People pose such a significant threat to their own computer networks and personal information simply because they don’t keep password security in the forefront of their mind. This is one of the reasons passwords are considered a poor security mechanism. Still, passwords are the most common method for user authentication on computer systems and websites. Passwords are so easily hacked and used to steal personal information such as bank account credentials, credit card numbers, etcetera, contributing to the significant growth of identity theft, most of which could be prevented by using strong passwords and not writing them down. End user education on more secure authentication methods such as strong password creations and two factor authentication can help to improve cyber security for all organizations.

User Accounts

One of the key tasks to administering a network is managing user accounts. User accounts have two main functions according to the Guide to Networking Essentials: 1. To provide a way for end users to authenticate to a network, and 2. To provide detailed information about the user on the network (Tomsho).
User accounts allow network administrators to control who has access to network resources by creating a username and password. End users log into the network and access network resources using the assigned username and password. If an end user attempts to access network resources with the incorrect username and password, they typically receive an access denied error message. Secure networks that use this method will typically lock an account after a specified number of unsuccessful log in attempts, usually three (3). This keeps the network resources secure from unauthorized users.

Account and Password Policy

Network administrators for large networks should develop a naming scheme for user accounts. This ensures that usernames use the same naming convention to keep things consistent. Many organizations use a combination of the user’s initials and part of their name. Other organizations use a combination of letters and numbers. Either way, the naming convention should be the same for all end users. Consideration should be made for whether or not a minimum and maximum number of characters in account names should be enforced. Network administrators should also determine how cryptic the username needs to be in order to maintain security. This will help determine if a combination of uppercase, lowercase, and special characters should be used.
Passwords should have the same considerations as the user name. However, they should be even more secure. To promote a secure network, according to Gregory Tomsho, administrators should set up a password policy that restricts or dictates certain password characteristics (Tomsho). Some common examples are: a minimum length for the password as longer passwords are harder to guess, a minimum and maximum age so that the same password isn’t used for extended periods of time, specific complexity requirements such as requiring a certain amount of character types like uppercase, lowercase, and special characters makes it hard to guess passwords even with software designed to guess passwords. Account lockouts should also be set up to restrict access to or disable a user’s account after a specified number of failed logons.
Often times, a network administrator creates a random password as the initial password for end users. The end user is typically required to change the password at first log on and can then set the password to whatever they want as long as it meets the complexity requirements. Networks should always require that end user passwords expire at certain intervals. This enhances the network’s security, however, the interval should not be so short that the users have to write the password down to remember which one they’re using.
When creating their own passwords, users should understand not to reuse parts of their name, logon name, email address, employee number, social security number, phone number, extension, or any other identifying name or code according to the Certified Information Systems Security Professional Study Guide (Steward, Tittel and Chapple). They should be advised not to set dictionary words, slang, or acronyms specific to an industry as their password but should instead use nonstandard capitalization and spelling and should switch letters and replace letters with numbers when possible for additional security.
The United States Computer Emergency Readiness Team cites three common mistakes users make when it comes to passwords. The biggest and most common mistake is using a weak password (Huth, Orlando and Pesante). They refer to it as “closing your front door but not locking it.” Dictionary terms, common phrases, your name and birthday constitute weak passwords as they are typically things that can be guessed easily. Using complex passphrases are much more secure. This means using a sentence or two and combining them, misspelling, adding numbers or special characters, and turning the sentences into shorthand create a strong passphrase. An example of this would be taking a sentence like “Complex passwords are safer”, according to Microsoft’s Safety & Security Center, and turning it into “ComplekspasswordsRsafer2001.”
The second mistake is using the same password for all accounts. If an attacker gains access to any one of a user’s accounts, they can access all of the user’s accounts if the same password is used for each one. It is more secure to use a separate password for each separate account and use a password manager to keep track of them. The third common mistake involves exposing passwords to others. This is done in a variety of ways maybe even without the user realizing it. Writing their passwords down, using public computers to log into accounts, and allowing your browser to remember your passwords are three of the common ways passwords are exposed to others.

Password Attacks

U.S. consumers have suffered more than $7.5 billion in damages due to malware and online scams according to Consumer Reports’ State of the Net 2009 survey (Consumer Reports). The majority of the losses came from malware while worms and viruses continue to cause billions of dollars in damage to corporate networks, email system, and data each year. As Kenneth and Jane Laudon explain in Essentials of Management Information Systems, malware is considered to be malicious software programs “which include a variety of threats such as computer viruses, worms, and Trojan horses (Laudon and Laudon).” Computer viruses consist of programs that attach executable files to other programs or files on a computer without the user realizing it causing the malicious program to be launched when the user performs a specific action. Worms are independent computer programs that copy themselves from computer to computer over a network. A Trojan horse is referred to as a software program that behaves in ways other than expected and serves as sort of a gate for viruses and worms to be introduced into a computer system. Often times, malware is used to send specific information to a certain computer system in order for malicious users to use the information for financial gain.
There are several ways a malicious user attempts to gain unauthorized access to a computer or network. One of the most common ways is by using network traffic analysis, also known as sniffing, where the attacker captures network traffic while users are attempting to authenticate and once they discover the password, they replay the packet against the network in order to gain access. Once they gain access, they can use a password cracking tool to extract usernames and passwords from the password database file. Once a password database file is stolen, an attacker can use a brute-force attack or a dictionary attack.
With a brute-force attack, attackers use a systematic trial of all possible character combinations to try and discover an account’s password. Similarly, a dictionary attack uses a script of common passwords and dictionary terms for the same purpose. Another common password attack is the hybrid attack which is a combination of a dictionary attack and then a brute-force attack. According to Stewart, Tittle, and Chapel, one way to monitor against these types of attacks is to use a password cracking tool on the password database file and require discovered passwords to be changed immediately (Steward, Tittel and Chapple).
Login spoofing attacks are also common these days. Attackers set up fake login screens that look like the real thing for a legitimate website, such as an online bank account. They email non-suspecting users with links to these login pages and some justification for the user to click on the link. When the user clicks on the link, it takes them to the fake login page where they put in the username and password for that site. The site records the user name and the password giving the attacker access to the user’s bank account.
Another common method for attackers to gain access to accounts is through social engineering. Attackers deceive a user into performing specific actions that give the attacker access to an account. For example, an attacker could call a helpdesk claiming to be somebody’s manager and request a password reset for their employee. Once the password is reset and they are given a temporary password, they are able to access the network under the employee’s account.

Authentication Methods and Password Management

Authentication is the process of verifying that a person is who they say they are. As mentioned previously, the most common authentication method is the password. There are three authentication type factors or information factors, according to the CISSP Study Guide, type 1 refers to something you know like a password, type 2 is something you have such as a one-time password token, and type 3 is something you are which could be a body part or other physical characteristic (Steward, Tittel and Chapple). Something you do and somewhere you are have been identified as two additional factors. Many organizations have started using multiple-factor authentication to grant access to secure resources. This way, if a token, a password, and a biometric factor are all used to authenticate, then a physical theft, a password crack, and a biometric duplication attack would all have to occur simultaneously and succeed in order to gain entry to the resource.

There are multiple authentication methods that can be used to create a stronger combination:

Public Key Infrastructure

According to The Government of Hong Kong’s Password Management, Public Key Infrastructure (PKI) uses mathematical algorithms to provide data confidentiality, data integrity and authentication in order to facilitate secure transactions (The Government of the Hong Kong Special Administrative Region). This technology provides proof of identity by using digital certificates. A digital certificate is a digital document which binds a public key to a person for authentication. A trusted Certificate Authority (CA) creates the digital certificate and digitally signs it using the CA’s private key which authenticates the identity of the requestor. PKI allows users to authenticate themselves on various applications without having to pre-register with the website and has proven particularly useful for companies that run multiple applications which require authentication.

Single Sign-On (SSO)

The single sign on method of authentication allows users to authenticate one time through the authentication server to access multiple applications both internal and external to the organization. This allows users to only need to keep track of one password for the multiple systems. Of course the downfall is if a single authentication event is compromised, all resources that the user has access to are compromised as well.

One-Time Password (OTP) Tokens

With the one-time password token, users are able to authenticate using two unique factors, types 1 and 2. This is referred to as two factor authentication. In this case, users authenticate with something they have which is the token, and something they know, which is the PIN or password. The physical token generates a one-time use password during specific intervals, every 90 seconds for example. The user will use that one-time password and the PIN for the token in order to authenticate which grants access to the protected resources. Many companies use this type of authentication for accessing their virtual private networks (VPNs).

Biometrics

The use of biometric factors is another common type of authentication method. This method falls under type 3, something you are. These are physical factors that are unique to an individual. Biometric factors include the following:

Fingerprints

The macroscopic patterns on the tips of the fingers and thumbs are used to authenticate.

Face Scans

Scanning the geometric patterns of the face is used for recognition.

Retina Scans

Measuring the pattern of blood vessels at the back of the eye are the most accurate form of biometric authentication.

Iris Scans

Iris scans are the second most accurate form, they focus on the colored area around the pupil but are unable to differentiate between identical twins as retina scans do.

Palm Scans

This is also known as palm topography and utilizes the entire area of the hand working much the same way as fingerprint scans.

Hand Geometry

This recognizes the physical dimensions of the hand including the width and length of the palm and fingers.

Heart Patterns

Measuring the user’s heartbeat ensures that a real person is attempting to authenticate.

Voice Pattern Recognition

This factor differentiates between one person’s voice and another relying on the sound of the user’s speaking voice.

Signature Dynamics

This examines how a subject performs the act of writing a string of characters.

Keystroke Patterns

This measures how the user types on a keyboard by analyzing flight time and dwell time.

Each of the biometric authentication factors has varying levels of accuracy and user acceptance. Which combination of authentication methods is dependent upon how secure the organization needs access to be and how much money they have available to spend on implementing such authentication methods.

Password Managers

A password manager is essentially an encrypted database that stores all of your passwords in one location that is protected by one master passphrase. There are a multitude of password management tools out there and it is important for each user or organization to pick the one that they are most comfortable with. Reading the consumer reviews on each of the tools will give a better idea of what people that have used it think about it. Many antivirus programs are now offering password managers as part of the computer security package as well.

Conclusion

While passwords are the most common method of authenticating on computer systems and websites, they are only effective when a single, strong passphrase is used for each account. Using password managers and other authentication methods significantly increase the security of computers and accounts by making it harder for attackers access the secured resources. User education plays a vital role in keeping networks safe from attack so strong password policies combined with a thorough understanding of how to be used appropriately will greatly reduce malicious attacks to user accounts and network resources reducing the massive monetary damages to users and organizations throughout the world.

Bibliography

Huth, Alexa, Michael Orlando and Linda Pesante. "Password Security, Protection, and Management." n.d. United States Computer Emergency Readiness Team. https://www.us-cert.gov/sites/default/files/publications/PasswordMgmt2012.pdf. 01 02 2015.

Laudon, Kenneth C. and Jane P. Laudon. "System Vulnerability and Abuse." Laudon, Kenneth C. and Jane P. Laudon. Essentials of Management Information Systems. Upper Saddle River: Pearson Education, Inc., 2011. 235-259. Book.

Londis, Dino. Informaton Week 10 Top Password Managers. 30 04 2013. http://www.darkreading.com/risk-management/10-top-password-managers/d/d-id/1109759? 01 02 2015.

Steward, James Michael, Ed Tittel and Mike Chapple. Certified Information Systems Security Professional Study Guide. Indianapolis: Wiley Publishing, Inc., 2011. Book.

The Government of the Hong Kong Special Administrative Region. "Information Security." February 2008. Password Management. www.infosec.gov.hk/english/technical/files/password.pdf. 01 02 2015.

Tomsho, Gregory. Guide to Networking Essentials. Boston: Course Technology, Cengage Learning, 2011. Book.

Consumer Reports. State of the Net 2009. June 2009.

Microsoft Safety & Security Center. Create Strong Passwords. 2012. Available from: http://www.microsoft.com/security/online-privacy/passwords-create.aspx. (accessed March 1, 2015).

-----------------------
March 1, 2015
Network Theory and Design