Quick, before we go on: what was your first thought when you saw the title of this post?
Let me start with this (there'll be more 😉): comment on this blog and let me know how many customers you know that are using "initial1" as the default initial password for SAP systems. Additional LIKEs will be given for other trivial ones you may have come across (like "welcome", "password" or the day of the week).
Before I continue with this blog I would like you to head over to WIRED and read Mat Honan's post on his cloud security disaster:
Scary, isn't it? The Twitters were going wild yesterday: tales of "epic hacking", "iCloud exploit" and "security flaws" were told, when in the end it comes down to humans trying to be helpful.
The root cause in this case was a bad password reset process at Apple. When somebody called Apple and asked for help getting back into an account because they couldn't remember the password, all Apple asked for were the last 4 digits of the credit card on file plus the billing address. The billing address is probably available through WHOIS, Facebook or a plethora of other services, and the hackers got the card digits through an equally bad procedure at Amazon: Amazon let them add a bogus credit card number to the account, then add a new email address, and then sent the last 4 digits of all the real credit cards on file to that new address. Each service treated as a secret something the other one hands out freely.
All that, of course, is necessary because more and more services rely on passwords, and passwords (at least good ones) are hard to remember. If you can't remember them you need a procedure to reset them, and that procedure suddenly becomes the weakest link in your online security chain.
A similarly bad example is any site that sends you your password in clear text: it means they store it in a form they can read back, and so can anyone who breaches them. If you know some, I suggest you delete your account there IMMEDIATELY until they fix that.
Just as bad is the "3 questions" meme. If you have entered your mother's maiden name as a password reset question anywhere you're in trouble; that, your first school, your street or your pet's name can easily be found on social networks and cannot be considered secret. If the question to reset your password asks for your favourite colour you're basically replacing your complex 16 character password with "blue".
If password reset questions are all they've got, make sure to invent complex answers to those questions (like "mother's maiden name?" answered with "dfl%R3SSx4") and store them in your favourite password manager; the answer is just another password and deserves the same treatment. If you want to mess with support staff you can try "I really can't remember" as an answer as well 😉
To get back to SAP systems: find out what the procedure to reset a password in your company's or customers' SAP landscape is. Think of ways this could go wrong, and if you find some, report them to the responsible security manager (if finding that person is a struggle you get extra points for discovering an additional vulnerability).
If it's done well the password reset procedure has a method of making sure you are who you say you are. I have been at countless customers where you'd call the help desk and tell them a user ID, and their response would be "I'll reset it to initial1, have a nice day" (hence the title of this blog). In my 6 years of SAP security consulting I met one customer who really did it right: you had to walk over to the IT guy and show your badge, and he'd hand you a sticky note with a complex initial password. It doesn't have to be that strict, but anything that doesn't require any kind of identification is likely to create issues.
While the vulnerability in the case above was in the password reset procedure, the bigger threat is password re-use. If one site's password database is leaked and you're re-using that password on other web sites, your accounts on those sites are compromised as well, with no further attack needed.
As using a different long, complex password on every site is hard, I can understand you haven't done it everywhere yet. Using a password manager like KeePass, 1Password or LastPass is a really good idea. LastPass has something called the LastPass Security Challenge which analyzes your stored passwords for weak or re-used ones.
Whatever you're using, please go and re-assess your passwords for strength and uniqueness. Make a list of the sites with weak or re-used ones, create a daily calendar entry and change two of them to better ones every day.
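The two checks above (trivial initial passwords like "initial1" and re-use across sites) are easy to automate against a password manager export. The script below is an added example, not code from this post, from LastPass or from any other password manager; the CSV export, the site names and the list of trivial passwords are constructed for the example, and the column layout (site, username, password) is an assumption about your export format.

```python
"""Audit a password-manager export for trivial, weak and re-used passwords.

Added example, not part of the original post or of any password manager's
own security check; the CSV below is constructed and the site names are
made up. Column names site/username/password are an assumed export layout.
"""
import csv
import io
import re
from collections import defaultdict

# Trivial initial/default passwords of the kind the post asks about
# (constructed list; extend with whatever your help desk actually hands out).
TRIVIAL = {
    "initial1", "welcome", "password", "init1234", "changeme",
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
}

# Constructed sample export; the same password is deliberately used twice.
SAMPLE_EXPORT = """site,username,password
shop.example,alice,Tr0ub4dor&3
mail.example,alice,Tr0ub4dor&3
sap-dev.example,ALICE,initial1
bank.example,alice,x9#Lq2!vR8zP&wT1
forum.example,alice,Welcome
"""


def classify(password):
    """Return the list of problems found for one password (empty list = OK)."""
    problems = []
    if password.lower() in TRIVIAL:
        problems.append("trivial")
    if len(password) < 12:
        problems.append("short")
    # Count character classes present: lower, upper, digit, other.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("low-variety")
    return problems


def audit(export_csv):
    """Parse the export, flag weak passwords and group sites that share one.

    The report names sites only; the passwords themselves never leave this
    function, so the output is safe to paste into a ticket.
    """
    sites_by_password = defaultdict(list)
    weak = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        password = row["password"]
        sites_by_password[password].append(row["site"])
        problems = classify(password)
        if problems:
            weak[row["site"]] = problems
    reused = sorted(
        sorted(sites) for sites in sites_by_password.values() if len(sites) > 1
    )
    return {"weak": weak, "reused": reused}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for site, problems in report["weak"].items():
        print(f"{site}: {', '.join(problems)}")
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
```

Run it against a real export only on a machine you trust and delete the export file afterwards; the export is the plaintext of every password you own, which is exactly the artefact this whole post is about protecting.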
As expected, it doesn't really get better in the cloud. I know we all want to make it easy for users, but you should really aim at making sure security is taken seriously. If possible, rely on something better than a password alone: certificate based authentication, tokens, anything that adds a second factor (something you know plus something you have).
If you are a GMail user (which may put you into a high risk group in the context of this blog) please go there and activate two-factor authentication NOW (Google calls it 2-step verification). It's a lot easier than it sounds (Matt Cutts has a blog post with a good explanation) and it's a great experience that shows how easy it is to dramatically enhance security for an online account without compromising usability.
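To make the "something you have" factor concrete, here is the time-based one-time password scheme (RFC 6238 on top of the HOTP construction of RFC 4226) that authenticator apps use, with both the client side that produces the code and the server side that verifies it. This is an added example written for this post, not code from Google, from this blog's author or from any authenticator app; the shared secret is the published RFC 6238 test-vector secret, not a real one, and the 30 second step and one-step tolerance window are the usual defaults rather than anything the post specifies.

```python
"""Time-based one-time passwords (RFC 6238) as the "something you have" factor.

Added example for this post; not code from Google or from any authenticator
app. SECRET is the RFC 6238 test-vector secret, chosen so the test vectors
from the RFC can be checked, not a key anyone should deploy.
"""
import hashlib
import hmac
import struct
import time

# 20 ASCII bytes, the RFC 4226 / RFC 6238 reference secret. A real enrolment
# generates this with secrets.token_bytes(20) and shows it to the user once,
# typically as a QR code; server and phone then both keep it.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically
    truncated to 31 bits and reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=6):
    """RFC 6238: HOTP with the counter derived from the current time step.
    This is what the phone computes."""
    return hotp(secret, unix_time // step, digits)


def verify(secret, submitted, unix_time, window=1, step=STEP_SECONDS):
    """Server side: accept the code for the current step and +/-window steps
    so a phone whose clock drifts by a few seconds still works. The comparison
    is constant-time so a wrong guess cannot be narrowed down digit by digit."""
    counter = unix_time // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("code for this 30s step:", code, "-> verify:", verify(SECRET, code, now))
```

The window means a code stays acceptable for roughly 90 seconds, so a production server must additionally remember the last counter it accepted for each user and refuse anything at or below it; otherwise an attacker who shoulder-surfs a code can replay it within the window. That state, plus rate limiting on failed attempts, is what turns this 30 lines of arithmetic into an actual second factor.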
While you're at it you may also check which applications have access to your GMail account and revoke those you no longer need (same for Facebook and Twitter).
I'm afraid password security issues will be with us for quite some time. It's well worth thinking about those issues regularly; it's far too easy to get into the flow and let things deteriorate. We're all adding new sites with passwords and links between sites on a daily basis, and each of them may decrease our online security. This needs to be a constant habit, not a one-time activity.
Add a monthly recurring calendar appointment to check your state of password security and application permissions.
It’s worth the effort.
I hope this blog will help you stay secure. If you have come across some good (or bad) practices around password security in the SAP environment I'd be happy if you could share them in the comments. We're all happy to learn, even if it's from other people's mistakes.