Information Security News mailing list archives

Re: Survey: Security Password Picks Are Easy Prey
From: InfoSec News <isn () c4i org>
Date: Thu, 28 Jun 2001 02:00:13 -0500 (CDT)

Forwarded by: Lloyd D. Crosby <lloydc () canada com>

I wish to express my concerns regarding this article.

To be sure, user passwords have been the bane of System Administrators
and Security offices since the dawn of computers, having become one of
the most thorny of computer management issues to date.

There are two issues here, first, the scope and depth of security
procedures and, second, the education of users to security threats and
procedures coupled with best personal security practices.

Regarding security procedures, my concern rests with the actual
application of adequate security measures. User passwords should be
addressed as an important, inextricably linked element of validated
security procedures that have been developed, promulgated and, yes,
fairly enforced across the board (read level playing field) in any
business. These security procedures should be realistic, dynamic and
flexible based upon regular Risk / Threat Assessments balanced with
the cost-effectiveness of solutions. This applies across the spectrum
of working environments from a hardcopy / physical environment to
softcopy / electronic and finally through to a Web / Cyber

To this end, one of the most effective and easily implemented security
procedures that can be applied to user passwords can be drawn from
those procedures utilized in the management of combination locks. When
a combination lock is first acquired, it has been given a default
setting at the factory. The same holds true of many components of
computer systems, whether hardware or software. When it is brought into
service, a delegated security authority, with the appropriate tools
available only to security personnel, walks the user through the
process of changing the combination (read password), ensuring it
conforms with existing security guidelines. The combination is
verified separately by the security authority and the user on site
before being officially placed into service. Once confirmed, the set
combination is then recorded on forms duly prepared to manage
combinations, put into an appropriately marked envelope (one per lock
combination), sealed, dated and signed / countersigned along seams.
The envelope is then brought to the security office for safekeeping,
where it is held in a securable container / cabinet with strict access
controls in place. Record keeping for these envelopes includes the
participants of the change, the date of the change and
cross-referencing of those locks / combinations the user has access

At this point, a situation is present which benefits the user and the
business. At the least, in those cases where it has been forgotten by
the user, the combination can be acquired by the user (with
appropriate verification). For the business, if the employee leaves or
is terminated, the business has the current combination(s), a list of
what access the user had and can commence combination changes thereby
maintaining security levels.

Another tangible benefit presents itself at this point; a means to
manage combinations along prescribed security guidelines. In high
security areas, combinations are changed on a regular basis, usually
every three to six months. Utilizing the date of the initial 'in
service' date of a lock and current combination, a timeline can be
defined whereupon combinations can be changed affording a higher
degree of protection overall. Moreover, when a combination has been
compromised in any way or when unauthorized access has been detected,
requisite combination changes can be managed more rapidly and

There is of course an increased burden placed upon the personnel and
resources of security offices in the areas of administration and
management of these procedures. The appropriate level of
implementation / burden can be assessed and more realistically
determined based once again on the Risk / Threat Assessments and the
expected return on investment (ROI) these procedures bring to
safeguarding business information and systems.

Regarding education, this is perhaps one of the most critical yet
least addressed aspects of security. If users are not made aware of the
perceived threats posed to their livelihood / business, updated on
developments, and regularly reminded of the impact that lax personal
security practices have, they become complacent and apathetic. At that
point, rather than being important allies and 'team players' in
implementing and supporting best security measures, users develop
unsafe practices that jeopardize security, thus becoming the weakest
link. This has far-reaching implications, particularly in a
softcopy / electronic and Web / Cyber environment.

Initial security education of new employees is essential. In many
cases, this can be readily conducted by security personnel during the
'Welcome Aboard' and induction phase of recruitment. Continued
awareness and reinforcement are just as essential. This can be
accomplished by any number of means, from regular refresher sessions
(especially after holiday seasons), posters placed in high traffic
areas and flyers in mailboxes, to gentle email reminders.


Lloyd D. Crosby

----- Original Message -----
From: InfoSec News <isn () c4i org>
To: <isn () securityfocus com>
Sent: 26-Jun-01 05:07
Subject: [ISN] Survey: Security Password Picks Are Easy Prey


By Jay Lyman
Monday June 25, 2001

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com 
