So the LinkedIn hack is about a day old now, and we still don’t know the full extent of what happened. Meanwhile, eHarmony has been hacked as well, with 1.5 million passwords stolen. 2011 was even worse, so there are definitely people out there who are after your passwords.
The purpose of a password
In today’s internet world, passwords are the keys to resources that hold data people use. Sometimes it’s trivial data like your Instagram pictures, sometimes it’s commercial data like online banking or your ERP system access.
In any case, it’s something you’d like to make sure can only be used by yourself.
Threats to passwords
If a bad guy wants to get access to your password, there are several attack vectors:
- He can guess. A scarily large number of users chooses trivial passwords, as this analysis from a breach last year shows.
- He can use social engineering or phishing emails to get you to tell him your password.
- He can hack a server and brute force the acquired list of hashes, which is what people are doing right now with the LinkedIn file.
LinkedIn has probably already started alerting their users to change their password, or may lock users and force them to reset the password so that the data from the breach cannot be used there. But there is a bigger danger: studies show that passwords are often re-used for other sites, so attackers will run scripts that test the passwords on other popular sites like amazon.com.
What can you do?
Troy Hunt has a massive series of blog posts that deal with passwords; I’d like to quote his three most important rules:
“What’s a weak password? It’s a password which doesn’t adhere to these three tenets:
- Uniqueness: You haven’t used it anywhere else before. Ever.
- Randomness: It doesn’t adhere to a pattern and uses a combination of upper and lowercase letters, numbers and symbols.
- Length: It has as many characters as possible, certainly at least a dozen.
When your password doesn’t follow these three basic practices it becomes vulnerable to “brute force” or in other words, a hacker who has hold of a password database has a much greater chance of exposing even cryptographically stored passwords.”
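As an added illustration of the three tenets quoted above (my own example, not Troy Hunt’s or this post’s code), here is a small Python check that reports which tenets a candidate password fails. The list of previously used passwords, the common-password list and the pattern heuristics are constructed assumptions, not data from any breach.

```python
import re
import string

# Constructed: passwords the user has already used elsewhere (e.g. an export
# from a password manager). The "uniqueness" tenet is checked against this set.
PREVIOUSLY_USED = {"Summer2011!", "initial1", "Pa55word"}

# Constructed sample of trivial choices of the kind breach analyses show.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123"}

MIN_LENGTH = 12  # "certainly at least a dozen"


def has_all_classes(pw):
    """Randomness, part 1: upper and lower case letters, digits and symbols."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def looks_patterned(pw):
    """Randomness, part 2: cheap heuristics for the patterns people fall back on."""
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return True
    # a lower-case word followed by a few digits and an optional symbol
    if re.fullmatch(r"[a-z]+\d{1,4}[!@#$%^&*]?", lowered):
        return True
    if re.search(r"(.)\1\1", pw):  # three identical characters in a row
        return True
    runs = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl")
    for run in runs:  # four-character alphabetic, numeric or keyboard sequences
        for i in range(len(run) - 3):
            piece = run[i:i + 4]
            if piece in lowered or piece[::-1] in lowered:
                return True
    return False


def check_tenets(pw, previously_used=PREVIOUSLY_USED):
    """Return the names of the tenets the password fails; [] means it passes all three."""
    failed = []
    if pw in previously_used:
        failed.append("uniqueness")
    if not has_all_classes(pw) or looks_patterned(pw):
        failed.append("randomness")
    if len(pw) < MIN_LENGTH:
        failed.append("length")
    return failed
```

Note that a long passphrase made only of lower-case words fails the "randomness" tenet exactly as the quoted rule states it, because the rule requires mixed character classes, not just length.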
The “uniqueness” point is probably the most important one here. I learned that lesson the hard way after the Gawker breach in 2010, when I spent quite a few days resetting passwords everywhere. I had a ‘standard password’ that I used for many trivial web sites, like blogs where you need to register in order to be able to comment.
Passwords in SAP systems
Even though all this talk is about petty web applications, the exact same issues apply to your SAP installation. When you start to think about moving to the cloud, opening your systems for mobile access or having an external facing portal, password security needs to be tight.
Ideally these password parameters adhere to a company-wide security policy (i.e. they’re identical for all systems in your company, wherever possible) and they extend to all devices with access to company IT systems.
There are (at least) three other building blocks that also need to accompany the password complexity rules:
- A secure password reset procedure. The most important thing here is that whoever does the resetting must make sure that you actually are who you claim to be. You wouldn’t want people to be able to impersonate someone in management, have their password reset and then log in with their credentials. In lots of companies that I have visited that would have been easy to do. Again, Troy Hunt has a good blog post on this.
- Secure initial passwords. In about half of the companies that I worked with during my consulting years, the Basis guy would create an account for me and the initial password would be “initial1” or “init”. Always. Sometimes they might make it “1234”. If you do that for your new users you might want to reconsider.
How you get to the initial password is also important. In most companies I’d be told the ‘secret’ on the phone or I received an email. One company did it really well and required me to show up at the help desk with my ID card, then I’d get the password on a piece of paper there.
- Make sure you change your default passwords. There are quite a few in your SAP system, and lots of other systems (routers etc.) also have them. It’s trivial for a hacker – inside or outside your company – to google for a list.
But isn’t there an alternative to passwords?
Well… at least you can make it easier on your users. Single Sign-On (SSO) is a method that allows you to log in once and get access to many systems.
Of course this also makes the security of the one central password so much more important! You may also add second-factor authentication (maybe a hardware token) to enhance security.
But that’s still a password.
I’m afraid so. There are ongoing research efforts, but it seems we’ll be stuck with passwords for quite some time.
Having said that – why don’t you stop reading and go change those sites where you still use your favourite password?