Password Administration

Password administration is an important part of any access control system. The selection, management, and auditing of passwords must occur through either automated or administrative methods. The selection of a strong password is critical to providing good access control. In addition, the use and control of a password must be managed throughout its entire life cycle. Auditing all selections, management, and use of passwords is another important part of password administration. The following sections cover each of these parts of password administration.

Selecting a Password

The first part of password administration involves the creation of the password itself. As you have learned from the previous sections in this chapter, the selection of a strong password is very important. The stronger a password is, the more difficult it is to crack.

The mistake made most often regarding password selection is the use of a default system password or the use of a password that is easily guessed. When auditing security implementations at corporate sites, the sheer number of systems that still have default accounts enabled and default passwords assigned is amazing. Never leave a system account at the default password; it is one of the first things an intruder will attempt.

Most access control systems provide for the implementation of password selection policies. These policies can be configured to control many options such as:

  • Minimum password length

  • Required character usage

  • Disallowed character usage

  • Disallowed password usage

Requiring a minimum password length ensures that users must choose passwords that are at least the length configured in the policy. Administrators can also configure the policy so that special characters, numbers, or mixed-case characters are required in the password. Some characters can also be disallowed where there is a requirement that they not be used, as is the case in some SSO implementations. The last (and one of the most important) option is disallowing specific passwords. This can be as simple as denying the password "password" or as complex as preventing users from reusing any of their previously used passwords or variants thereof. This feature is great for implementing a good password selection policy.

Some of the best practices, first mentioned in the "Something You Know" section of this chapter, are to use words that are easy to remember (so it is not tempting to write them down) but are difficult to guess. In addition, replacing letters in the words with numbers or symbols adds another layer of difficulty for anyone trying to crack the password. Ensure that none of the following are used in the password:

  • Names

  • Important dates

  • Phone numbers

  • Words (in any language) which could be found in a dictionary

  • Simple words such as "password" or "computer"

By following these recommendations in your password selection policies, you will be able to enforce the use of strong passwords that are difficult to crack and impossible to guess.
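As an added example (not code from the study guide), the following Python check applies the policy options listed above and the list of things a password must not contain: minimum length, required character classes, disallowed characters, a deny list, dictionary words even when letters are swapped for symbols, the user's name, dates and phone number, and reuse of earlier passwords or close variants of them. The policy values, word lists and user record are constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher
from datetime import date

# Constructed policy values and word lists: assumptions for this example, not settings
# taken from the study guide. A real deployment would load the word list from a file.
MIN_LENGTH = 10
DISALLOWED_CHARS = set("'\"\\")          # e.g. characters an SSO layer cannot pass through
DENY_LIST = {"password", "computer", "letmein", "welcome"}
DICTIONARY = {"summer", "dragon", "secret", "monkey"}

# Undo common letter-for-symbol substitutions so "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(pw: str) -> str:
    return pw.lower().translate(_LEET)

def is_variant_of(new: str, old: str) -> bool:
    """Heuristic reuse check: identical after normalisation, or so similar that only a
    few characters changed (e.g. 'Winter2023!' -> 'Winter2024!')."""
    a, b = normalize(new), normalize(old)
    return a == b or SequenceMatcher(None, a, b).ratio() >= 0.8

def check_password(pw: str, user: dict, history: list) -> list:
    """Return the policy violations for a proposed password; an empty list means accepted."""
    problems = []
    raw, norm = pw.lower(), normalize(pw)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(c, pw) for c in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("must mix lower-case, upper-case, digits and symbols")
    if set(pw) & DISALLOWED_CHARS:
        problems.append("contains a disallowed character")
    if norm in DENY_LIST:
        problems.append("is on the deny list")
    elif any(w in norm for w in DICTIONARY | DENY_LIST):
        problems.append("contains a dictionary word")
    bd = user["birthdate"]   # name, phone digits, birth year and day/month in both orders
    personal = {user["name"].lower(), user["phone"].replace("-", ""),
                bd.strftime("%Y"), bd.strftime("%m%d"), bd.strftime("%d%m")}
    if any(p in raw for p in personal):
        problems.append("contains a name, date or phone number tied to the user")
    if any(is_variant_of(pw, old) for old in history):
        problems.append("reuses or lightly modifies a previous password")
    return problems

# Constructed sample user and password history for trying the checks.
USER = {"name": "Alice", "phone": "555-0142", "birthdate": date(1985, 3, 15)}
HISTORY = ["Winter2023!", "Tr0ub4dor&3"]
```

Calling `check_password("Winter2024!", USER, HISTORY)` reports the password as a variant of a previous one, while `check_password("Tq7!vR9#kLm2", USER, HISTORY)` returns an empty list.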

Exam Warning 

Knowing how to create strong passwords is the first step in knowing how to configure access control policies to require them. You may be asked questions about the relative security of different passwords on the exam.

Managing Passwords

Another important part of password administration is password management. This includes anything that happens to the password during its entire life cycle, from a user needing their password reset to automatic password expiry. All access control systems provide some form of password management capability, and each offers varying degrees of management control.

The most common part of password management is the process of resetting a user's password when it has been compromised or (more commonly) forgotten. While resetting passwords may seem tedious and a waste of time, keep in mind that the alternative is the user writing down the password, which can cause even bigger problems. In most access control systems, passwords are reset either to a random one-time password or to a specific user-identified password. The alternative to the password reset method is an access control system where the administrator can access the user's password and give it to them again. This is considered a poor security practice and is very rarely implemented.

When a password is reset to a one-time password, the user is required to change their password again the next time they log on. This is a good system to implement, as the administrator never knows what the user's password is. When this system is not implemented, it is common for users to blame the administrator for accessing their account because the administrator has their password. By requiring users to change their password upon initial logon, administrators are able to absolve themselves of this responsibility and make the users feel more secure.

Another important part of password management is enforcing the use of automatic password expiration. This is the process of requiring users to change their password on a regular basis determined by the overall security policy for the organization. Most access control systems have the ability to automatically expire passwords after a specific timeframe and require users to choose a new one. This process is kept secure by requiring users to enter their old password prior to allowing them to select a new password. During this selection, the rules set forth in the password selection policy come into play and enforce the selection of a strong password.

Using the access control system to manage the number of unsuccessful logins allowed also helps increase security. If the access control policy allowed unlimited unsuccessful logins, an attacker could use brute force techniques to break into any account. By limiting the number of unsuccessful logins, this technique is hampered, as the account is disabled after the pre-determined number of unsuccessful login attempts is exceeded. An administrative effort is typically required to re-enable the account, which makes the administrator aware of any problems with accounts being locked due to brute force techniques.

Some access control systems offer the users the ability to reset their own passwords or unlock their own accounts. These systems require the user to reply to questions from the system with pre-established answers. If the answers are correct, the account can be re-enabled or the password reset. This cuts down on administrative effort and is typically safe to implement as long as the use of this system is properly audited.

Auditing Passwords

Knowing and understanding what is happening in their access control system is one of the most important responsibilities of a security administrator. Auditing procedures should be implemented to determine the overall functionality of the access control system as well as to help head off possible attacks. There are several different methods of performing auditing, which vary with each access control system. The most important aspect of auditing is the knowledge of what to audit and what the audited data means.

When setting up auditing as it relates to password management, it is important to audit every single transaction that occurs. This includes not only the use of passwords, but also any changes to the password, resets to the password, or changes in account status. By auditing all of these factors, the audit logs can be examined in real time or examined later to determine how well the system is performing or if there are any identifiable security problems.

When analyzing the data gathered in audit logs, it is generally considered beneficial to find data indicating unusual behavior. For example, if an audit log shows a dramatic increase in the number of unsuccessful logins, it could indicate that someone is trying to crack the passwords on some accounts. Or it could mean that a large number of users just returned from vacations and have forgotten their passwords. The important part of this is learning how to recognize trends that indicate unusual behaviors worth looking into. After the behavior has been identified, the security administrator can move on to determining the cause, but they have to become aware of it first and that is where auditing comes into play.

Another advantage to auditing occurs after it has been determined that a security breach has occurred. Armed with this knowledge, the administrator can go back through the audit logs and determine other systems that may have been compromised by examining successful logins from the compromised account. This will allow them to determine the extent of the damage and possibly catch the intruder in the act.

While many organizations have good audit logging practices implemented, most do not have a reliable policy for audit log analysis. Audit logs are useless if they are not analyzed and follow-ups are not done when unusual behavior is detected. This is a very important practice to implement in order to provide a secure access control environment.

SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135