Authentication management is a combination of user education and appropriate use of technology. Users have to understand the importance of protecting their identifier and password and how to select good passwords. Technological solutions need to be implemented to help the user select good passwords and to apply the appropriate level of security to resources as needed.

Password Selection

The selection of passwords is still paramount to system security. A good password is one that is not cracked by a password cracking method and is easy to remember. Password management is primarily a user issue. Education of users is paramount in the maintenance of password security. This education should include how to set passwords, how to select good passwords, and the importance of passwords. Users must understand that poor passwords jeopardize their work, as well as the work of everyone else who uses the system.

System managers should be vigilant about passwords. Password cracking is the most effective method of gaining privileges in a system. You can run password crackers against your system, but this takes a lot of computing resources and requires that a copy of the cracking software and a customized dictionary reside on the system, where they could fall into the wrong hands. It has been suggested that these dictionaries can be pre-encrypted and stored on tape, so you do not have to run the password cracking software; you only have to match the encrypted passwords against the encrypted words from the tape. This uses less processing time but requires more time for the tape processing.

It may be better to take the proactive choice of installing a package that evaluates the quality of a password when the password is entered. This does not require the computational resources, because the password is captured as plain text and can be rapidly evaluated. There are a number of tools to choose from, including Password+ and npasswd.
The tool you select should be flexible enough to allow you to customize your environment with the inclusion of special dictionaries that contain words and phrases specific to your industry, your company, or your employees.

Password cracking, the difficulty users have in selecting good passwords, and the widespread proliferation of network snooping that will compromise even good passwords have made reusable passwords of limited value locally and a major security issue over an untrusted network. That is why reusable passwords are falling into disfavor and so much effort is being put into one-time passwords.

A study done in 1989 by Dan Klein at Carnegie-Mellon University used these methods to attempt to crack a list of 13,797 actual passwords from a variety of sources. The total dictionary used consisted of 62,727 words. This process guessed 3,340 passwords.

Table 10-1. Sources of Passwords [55]

Table 10-1 contains the information revealed by the study about the source of passwords selected by users.
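As an added illustration of the proactive, set-time quality check discussed above (this is example code, not Password+, npasswd, or anything from the book), the checker below tests a plain-text candidate against a general word list plus site-specific terms, and also tries the cheap transformations a dictionary attack would apply: case folding, stripping trailing digits and punctuation, reversal, and undoing letter-for-digit substitutions. The dictionaries, user names and thresholds are constructed for the example.

```python
import string

# Constructed sample dictionaries (not real word lists): a general list
# plus site-specific terms such as company, product and employee names,
# which the text recommends adding to whatever checker you deploy.
GENERAL_WORDS = {"password", "secret", "welcome", "dragon", "monkey"}
SITE_WORDS = {"acme", "widget", "solaris", "jsmith", "payroll"}

# Common letter-for-digit/symbol substitutions, undone before lookup.
LEET = str.maketrans("013457@$!", "oleastasi")


def variants(pw):
    """Yield the forms a cheap dictionary attack would try on this password:
    case-folded, with leading/trailing digits and punctuation stripped,
    reversed, and with leet substitutions undone."""
    base = pw.lower()
    stripped = base.strip(string.digits + string.punctuation)
    for form in dict.fromkeys([base, stripped]):   # ordered, de-duplicated
        yield form
        yield form[::-1]
        yield form.translate(LEET)


def check_password(pw, username, dictionaries=(GENERAL_WORDS, SITE_WORDS),
                   min_len=8):
    """Return the list of reasons the candidate is weak; empty means accept.
    Runs on the plain-text candidate at set time, so no hashing is needed."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(ch in cls for ch in pw) for cls in classes) < 3:
        reasons.append("uses fewer than three character classes")
    words = set().union(*dictionaries) | {username.lower()}
    for form in variants(pw):
        if form in words:
            reasons.append(f"derived from dictionary word or user name '{form}'")
            break
    return reasons


if __name__ == "__main__":
    for pw, user in [("P@ssw0rd1", "alice"), ("jsmith99", "jsmith"),
                     ("Tr0ub4dor&3", "alice")]:
        print(pw, "->", check_password(pw, user) or ["ok"])
```

Because the check sees the plain-text candidate, a word list of tens of thousands of entries is searched in constant time per variant, which is why the text prefers this to running a cracker over stored hashes.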