Weak Password Situation Spreads from Data Center to Mobile Devices

Ralph DeFrangesco

Password management, I hate it! After 25 years in the business, I still don't have a great way to handle a large number of passwords. I recently upped the number of personal accounts that I directly manage. I now have 22 accounts that I get to remember a login and password for. This does not include any work-related accounts. There have been times where I have had 100 servers to remember a login and password for. I have tried many different ways to manage the password menagerie, including Excel spreadsheets, single sign-on, encrypted files, password management software, and random password generators.


It's not that I can't generate a creative password. The problem comes when I need to use them; I just cannot seem to remember them when I need them. Here is a typical scenario: You are a systems administrator and you manage 50 servers. You are using a password generator and change passwords on the first of every month. You set your generator to create a password 12 characters in length and end up with X8uhN90JQQ1B. Good luck remembering this password. So, you have no choice but to write it down. You just violated more best practices than I care to document here.
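To put numbers on the trade-off described above, here is an added example (it is not code from the original post): it generates random passwords of the kind the author's generator produces, computes how many bits of entropy they carry, and shows how many randomly chosen words from a word list would reach the same strength while being easier to recall. The word list below is constructed for the demo; the `7776` figure used for comparison is the size of a standard diceware list, and the helper names are mine.

```python
"""Added example: entropy of random passwords vs. random word passphrases."""
import math
import secrets
import string

# 62-symbol alphabet of the kind that produced "X8uhN90JQQ1B" (letters + digits).
ALPHANUMERIC = string.ascii_letters + string.digits


def random_password(length: int = 12, alphabet: str = ALPHANUMERIC) -> str:
    """Draw each character independently with a cryptographically secure RNG.

    The `secrets` module is used rather than `random`, whose Mersenne Twister
    output is predictable once enough of it has been observed.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


# Constructed toy word list; only its size matters for the entropy arithmetic.
SAMPLE_WORDS = [
    "anchor", "basil", "comet", "dune", "ember", "falcon", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def random_passphrase(words=SAMPLE_WORDS, count: int = 4, sep: str = "-") -> str:
    """Join `count` words drawn uniformly at random (with replacement)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from a list of that size giving >= target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare(password_length: int = 12, wordlist_size: int = 7776) -> dict:
    """Summarise the strength of a random alphanumeric password against a passphrase."""
    bits = entropy_bits(password_length, len(ALPHANUMERIC))
    return {
        "password_bits": round(bits, 2),
        "words_for_same_strength": words_needed(bits, wordlist_size),
    }


if __name__ == "__main__":
    print("random password :", random_password())
    print("random passphrase:", random_passphrase())
    print(compare())
```

Run as a script, it prints a fresh 12-character password and a four-word passphrase, then reports that the 12-character password carries about 71 bits, which six words from a 7776-word list would match.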


Now we have to answer the age-old question, do we use the same password on every server? My recommendation is not to do it. What I have done in the past is to group servers by function: development, test/QA, and production. Creating separate passwords for all three will add another layer of protection and impress the auditors as well. The environment that I described is a fairly small one. Let's consider a shop where you are responsible for servers (UNIX and Windows), routers and firewalls. You can easily see how the problem compounds.


The password problem has spread out of the data center and to mobile devices. Many users, including IT professionals, do not even bother to secure their devices, or use poor passwords to protect them. Credant Technologies recently published a survey of 227 IT professionals asking how they protect their devices. Thirty-five percent of IT professionals surveyed said that they do not even bother to use a password to protect their device. This was marginally better than non-IT professionals, among whom 40 percent admitted to not using a password. Who wants a password on their mobile device, anyhow? It's just another password to remember, right? (Of course, I am being facetious.)


The problem is not going to go away. In fact, it's just going to keep growing. Technologies such as virtualization make it very easy to configure new servers with little effort. I don't have an end-all be-all answer except to consolidate. Maybe we should go back to the monolithic model of centralized processing. There is a lot to be said for remembering just one password.



Jun 30, 2009 12:48 PM Bruce says:

What I like to use is Atek's Logio Secure Password Organizer. It's a little standalone credit card size device, the advantages being that it is totally portable and it is totally insulated from computer/internet hacking. It takes time to input data using the multi-tap method, but for me it's been well worth that time invested because now all my data is securely stored in a little device I carry around with me and all I need to remember is my master passcode to get to the data. The product got some tough reviews from some writers who are apparently technology snobs...the same people who are probably using the same passwords everywhere or storing passwords in spreadsheets or on paper! Well all I can say is this is a love it or hate it product and I'm in the former camp.

Jul 1, 2009 6:03 AM Dana says:

I have about 2 dozen accounts, imagine having to remember all the passwords for all those accounts. I used to write them down and then eventually end up losing them. On a friend's suggestion, I started using Billeo http://www.billeo.com/page/homepage.jsp?sitename=Billeo  It's a free browser plug-in that manages passwords. It is VeriSign secured & TRUSTe certified so my personal information is safe. Very handy!

Jul 8, 2009 2:45 AM Michael Stagar says:

Dear Ralph:

1. Thanks for reading my post.

2. Expand your horizons: Use cryptography!

3. Go to www.history.org/foundation/journal/.../cupidcode.cfm

4. The cupid code was used by the German Secret Service. It will take you no longer than 2 minutes to place this simple coding system on a spreadsheet.

5. However, you should not use this cryptographic code directly (it is well known in the cryptography community); but you can alter the process by changing the first descriptive row (cupid) with another word and, if you are mathematically inclined, alter the first column using only odd numbers, then even numbers, or if you are really mathematically inclined use prime numbers, etc. You could even use multiplication tables within each cell and divide by a number to create another whole number. The possibilities are endless. Throwing in the syntax of another language would make it very impressive.

6. This would resolve the issue of multiple passwords for multiple systems.

7. Some very simple programming would allow for monthly changes.

8. The use of symbols and the use of lower case and upper case would make this system more dynamic.

9. Creative programmers can expand this system exponentially with some very small changes.

10. Remembering the current and historical passwords becomes a simple process of an audit trail. Naturally, the next question becomes: "What password will I use to store my coding system?" Not difficult; start reading about cryptography and expand your horizons.

11. One word of warning: Don't pass out the coding sheet-duh!

Semper Fi

PS: As an auditor and CFE, I tend to get impressed when the IT Adm. uses cryptography that is simple, yet dynamic, to secure the systems.
