Skip to Content

On Passwords

So the LinkedIn Hack is about a day old now, and we still don’t know the full extent of what happened. Meanwhile, eHarmony has been hacked as well, with 1.5 million passwords stolen. 2011 was even worse, so there are definitely people out there that are after your passwords.

The purpose of a password

In todays internet world, passwords are the keys to resources that hold data that people use. Sometimes it’s trivial data like your Instagram pictures, sometimes it’s commercial data like online banking or your ERP system access.

In any case, it’s something you’d like to make sure can only be used by yourself.

Threats to passwords

If a bad guy wants to get access to your password, there are several attack vectors:

  • He can guess. A scarily large number of users choses trivial passwords, like this analysis from a breach last year shows:

    Bildschirmfoto 2012-06-07 um 13.06.06.png

  • He can use social engineering or phishing emails to get you to tell him your password.
  • He can hack a server and brute force the acquired list of hashes, which is what people are doing right now with the LinkedIn file.

LinkedIn has probably already started alerting their users to change their password, or may lock users and force them to reset the password so that the data from the breach cannot be used there. But there is a bigger danger: studies show that passwords are often re-used for other sites, so attackers will run scripts that test the passwords on other popular sites like amazon.com.

What can you do?

Troy Hunt has a massive series of blogs that deal with passwords, I’d like to quote his three most important rules:

“What’s a weak password? It’s a password which doesn’t adhere to these three tenets:

  1. Uniqueness: You haven’t used it anywhere else before. Ever.
  2. Randomness: It doesn’t adhere to a pattern and uses a combination of upper and lowercase letters, numbers and symbols.
  3. Length: It has as many characters as possible, certainly at least a dozen.

When your password doesn’t follow these three basic practices it becomes vulnerable to “brute force” or in other words, a hacker who has hold of a password database has a much greater chance of exposing even cryptographically stored passwords.”

The “uniqueness” point is probably the most important one here. I learned that lesson the hard way after the Gawker Breach in 2010 where I spent quite a few days resetting passwords everywhere. I had a ‘standard password’ that I used for many trivial web sites, like blogs where you need to register in order to be able to comment.

Passwords in SAP systems

Even though all this talk is about petty web applications, the exact same issues apply to your SAP installation. When you start to think about moving to the cloud, opening your systems for mobile access or having an external facing portal, password security needs to be tight.

Untitled.png

Here are the Profile parameters for ABAP systems as well as the UME properties for password rules in Java systems.

Ideally these parameters adhere to a company wide security policy (i.e. they’re identical for all systems in your company, wherever possible) and they extend to all devices with access to company IT systems.

There are (at least) three other building blocks that also need to accompany the password complexity rules:

  • A secure password reset procedure. The most important thing here is that whoever does the resetting must make sure that you actually are who you claim you are. You wouldn’t want people to be able to impersonate someone in management, have their password reset and then login with their credentials. In lots of companies that I have visited that would have been easy to do. Again, Troy Hunt has a good blog on this.
  • Secure initial passwords. In about half of the companies that I worked with during my consulting years the basis guy would create an account for me and the initial password would be “initial1” or “init”. Always. Sometimes they might make it “1234”. If you do that for your new users you might want to reconsider.
    How you get to the initial password is also important. In most companies I’d be told the ‘secret’ on the phone or I received an email. One company did it really well and required me to show up at the help desk with my ID card, then I’d get the password on a piece of paper there.
  • Make sure you change your default passwords. There are quite a few in your SAP system, and lots of other system (routers etc.) also have them. It’s trivial for a hacker – inside or outside your company – to google for a list.

But isn’t there an alternative to passwords?

Well… at least you can make it easier on your users. Single Sign-On (SSO) is a method that allows you to login once and get access to many systems.

Of course this also makes the security of the one central password so much more important! You may also add a second factor authentication (maybe a hardware token) to enhance security.

But that’s still a password.

I’m afraid so. There are ongoing research efforts, but it seems we’ll be stuck with passwords for quite some time.

Having said that – why don’t you stop reading and go change those sites where you still use your favourite password?

21 Comments
You must be Logged on to comment or reply to a post.
  • A long time ago, in a job far, far away, I was a Unix systems admin and I took several steps to make people think harder about password security. The one I thought would be controversial, but which it turns out people didn’t actually seem to mind, was that I attempted to brute-force users’ passwords. My process got sufficiently complex that I was able to use the processing power of all the various machines in the department that were left running, and normally idle, overnight. If my process found a password, it would email the affected user and suggest they change it. If they didn’t, I’d have words a few days later.

    The dictionary I used for this contained not just common English words, but foreign language dictionaries and specialist dictionaries too. I also constructed “word” lists by joining together short words with punctuation. I didn’t consider anything out of bounds – after all, if I could do it so could somebody with different intentions.

    The first run of this process obviously discovered a lot of passwords. After 6 months, or so, when people had figured out how to construct “strong” passwords, I found hardly any. Then I’d extend my dictionary a little and catch a few more.

    It really isn’t hard to do this, and it really isn’t hard to choose passwords to defeat it. All of the users of my systems learned that, and I hope they are still choosing strong passwords today!

    • Excellent advice – I did the same thing at a former employer in the early 90s.

      I think it’s reasonably easy to make it work in a corporate environment, where it breaks down quickly is on the web. Every day there are 5 more sites that require you to register, and if you’re not using a password manager like LastPass or 1Password already 8i do since the Gawker episode…) that helps you generate, remember and autofill passwords it’s just too much for anybody.

      The state we’re in today is a sign of the success of the internet, unfortunately the security ‘industry’ or academia hasn’t managed to win the race and come up with a replacements for passwords yet.

      • I don’t think there ever will be a replacement for passwords. Good security will always rely on a piece of secret knowledge – something non-physical that can’t be stolen. Even biometrics aren’t good enough – as gruesome as it sounds, they can be stolen just like any other physical token.

        To prevent things like yesterday’s LinkedIn disaster we need two-factor authentication – both a password and a physical token. Possession of either one on its own will get you nowhere. We really don’t have a good system for that yet. Is two-factor SSO the holy grail? I’m not sure. I haven’t thought hard enough about how such a system would work, and what its weak points would be.

      • Thanks for the tip on lastpass!

        Downloaded and installed.

        I tried KeePass once, but it didn’t work out well. So I still keep all my passwords in my head, but it’s getting difficult with so many websites and over 50 SAP logons.

        I’ll have a go at lastPass instead.

    • Hi Susan,

      Does your algorithmic dog have a constantly changing 5 character long name and do you randomly switch between the different calendar types for the number of years (length 2)? 🙂

      Anyway, no matter how good your PWD is there should be no surprises when a system offers a password RESET self-service with the ability to send you your old password in cleartext back again. That means that the password is saved as a 2-way hash and is reversable. Bad idea and sooner or later gets misused when found.

      Cheers,

      Julius

  • A thought provoking blog. I spent the evening changing a number of my passwords last night, a horrible process, but I was also lazy and reused a password, until now.

    There has to be a change in the future, the number of passwords that users are expected to remember and be unique is becoming unmanageable. SSO is great, but try getting your grandparents to setup SSO or a password manager at home, it may be something an IT user can do but can consumers be expected to keep up with this? Consumers now have passwords for everything, utilities, banking, pension etc are all moving online. The information that you used to get in an envelope now requires you to remember a unique password for each one. This is not scalable for a consumer no matter whether the passwords are 4 digit pins or minimum 8 characters with case number and special characters mandatory.

    I liked the idea of patterns instead of characters, perhaps the change at some point will be made once we move away from character based input mechanisms.

    JohnA

    • I agree. Web passwords already are unmanageable to most people, and that’s precisely why we see that about 1/3 of LinkedIn users falls into the top 10 above.

      Passwords are effectively a way of “sharing a secret” to identify oneself. Outside of the Web, there are institutions which do not rely on passwords, but on commonly shared secrets (how many savings accounts do you have with us? what is your wife’s first name? did you perform any ATM transactions in the past week?).

      I wonder how we could _completely_ get rid of passwords, no matter how they’re represented (ascii characters, patterns, swipe gestures) and rather rely on alternative methods on the Web? With an appropriate approach, they could be just secure against threats (social engineering, keylogging etc.) as passwords are nowadays, but less inconvenient.

      • Hi,

        there are 3 traditional factors for authentication: 1. something what you know (e.g. passwords), 2. something what you have (e.g. hardware token) and 3. something what you are (e.g. fingerprint). So it seems like you don’t like the first factor and would like to use something else. So you have two options: use other factors or come up with new factor.

        I’ve seen discussions about location being additional factor. For example as far as I know Facebook asks you additional questions if you are logging from “unusual” location. But things like web proxies can easily bypass this check.

        My biggest hope would be in using mobile phones as the second factor. I think that at this moment it’s quite powerful solution.  But when everyone will start using it then the bad guys would invest into maleware that can steal tokens sent to your phones. Still the password will be still used as the first factor.

        Probably I should be more optimistic because it’s Friday and long weekend ahead but I’m really skeptic about seeing passwords disappearing in near future.

        Cheers

  • on the password reset thingy:

    I hate security questions!

    Those are the easiest way to hack into someone’s account.

    The default questions are mostly something like:

    – Date of birth

    – mother’s maiden name

    – first pet

    a quick google on the user’s name and looking a bit on public profiles, gives you this info easily!

    How many times I have seen fellow students of mine open a new mailaccount on Hotmail: Firstname.lastname@hotmail.com, with the security question: “What’s my last name?”

    Aaaaargh!

  • Hi Frank,

    thank you very much for your blog. I totally agree with you. For me the problem was to remember all the single passwords. Therefore I decided to use Keepass as a password manager. You can create passwords there too. I have also figured out, how you login to a SAP system directly from Keepass. You find it my blog Using Keepass Instead of SAP Logon.

    Regards,

    Peter

    /
  • Very interesting topic. The requirement of strong password and the requirement of periodic change of password are making passwords unmanageable to most people. I remember one of my fellow developers a few jobs ago had defyingly written the system password on his white board because he couldn’t remember all the constant changing passwords.

    I believe the password replacement is coming soon. The new Android Ice Cream Sandwich mobile operating system has the capability to scan the user’s face to unlock the mobile phone. The upcoming Samsung Galaxy S III has the ability to scan the user’s eyes direction to ascertain if the user is reading a long article. Since all mobile devices and laptops are now equipped with front-facing camera, I believe very soon that facial-recognition application will be used as substitution to password to log on to web sites or mobile app. The technology is there already. It is just a matter of implementing it.

    simon

    • I was just about to raise the “periodic changes” issue – you beat me to it!

      Many years ago a friend of mine had a saying – “Your password is like your toothbrush. You should keep it to yourself and change it every few months.” That made sense back then, when you had few passwords to remember. Now though, when there are so many – my password database has over 100 entries in it today – when they insist on minimum levels of complexity, and if you try not to use a password for more than one service, then changing them regularly just isn’t practical. Is it still necessary? I’m not sure.

      • The  main reason for enforcing change is that Admins know that people will stick to one password for everything otherwise. Also, it’s not unheard of for colleagies to share passwords. The password change requirement (which youndon’t often see on the web…) is a white flag admitting that while everybody knows about the problems noone has yet figured out how to fix it. I honestly don’t understand why corporations don’t move towards SSO faster…
        • On the SSO question, here’s a scenario (and the case in my organization) why management actually told me “do not implement SSO for SAP.”  About half of our employees are school teachers.  They each have a workstation in their classroom.  Many of them are in the habit of leaving it logged in all the time, and they often don’t logout or lock it when they step out of class for a few minutes.  Although we enforce a screensaver that kicks in after 5 minutes with a password lock, there’s that 5 minute window during which a student could step up and use the workstation with the teacher’s logged in credentials.  So, this is already bad, but our saving grace for ESS — and by extension the teacher’s private information, like SSN, pay details, etc — is that it requires a separate login other than the network, so the student who doesn’t actually know the password cannot get in in that 5-minute window before the teacher returns to the classroom.

          That said, our help desk is crying out for SSO, because they spend the bulk of their time on — you guessed it — password resets.

          • Explaining / training secure behaviour to laymen is what I consider the biggest struggle in our job. Just think about the Windows security warnings on installation/update of anything or certificate warnings – are normal people supposed to understand that and – even worse – make a choice based on the information given?

            For secure login for “consumer” type users I’m a huge fan of the Yubikey…

  • This is an excellent article stating the importance of using robust password and changing it often to make it confidential. Also it is surprising to know the number of users having such default passwords. Quite unbelievable.

    I think we are in the next journey towards the development of password management system. Another niche market in IT industry on the anvil.