One of the often-heard pieces of advice when it comes to managing passwords is to enforce changing them on a regular basis. However, as businesses with overzealous administrators or IT managers will testify, an overly aggressive stance on this front greatly increases the chances for passwords to be forgotten.
While it is a fairly easy matter to reset an Active Directory password for an end user, there are situations when things may not be so easy, as the experiences of Jeremiah Grossman, CTO of Whitehat Security, show. Due to his line of work, Grossman applied what most would consider a paranoid level of security on his most important work files, which entails scrambling these files with AES-256 encryption into a disk image.
Grossman’s rationale was simple: While he may be forcibly compelled to give up his laptop’s password – thereby defeating the full disk encryption – the unmounted encrypted images may yet evade notice. And thanks to the encryption, these protected files will be just as tough to crack should the hypothetical assailants make off with all the files on his laptop’s disk drive.
What Grossman didn’t count on, though, was forgetting the password the day after a periodic password change. After a week of failing to remember the password, he finally resorted to brute-force cracking. However, the high level of encryption meant that things were not so straightforward.
“I figured I was only missing between 1 – 3 characters of the password… a day of cracking, maybe two…” writes Grossman in a blog entry that detailed his security ordeal. “Then my fuzzy memory suggested I might be missing as much as 6 characters. If that be the case, by sheer math, at least multiple decades worth of cracking would be necessary at current speed.”
Thankfully, Grossman was able to recall more specifics on the missing six characters in his password. By reducing the combinations that needed to be guessed, he was eventually able to recover the password after seeking the assistance of other experts with access to the computation resources and tools to brute force the password at a substantially faster rate.
The takeaway here is this: Passwords can, and will, be forgotten. So while more security is generally a better idea, businesses should be careful not to be placed into a position where a forgotten password results in loss of business critical data. On that front, it may make sense to make a backup of important administrative passwords or encryption keys.
As Grossman writes: “Clearly I need paper backup, and thinking maybe about giving it to my attorney for safekeeping where it’ll enjoy legal privilege protection.”
Of course, most scenarios can be catered to with the use of a good password management utility. If you’re interested in exploring management tools for helping your employees manage their passwords, you may want to check out Three Tools for Proper Password Management.
What are your strategies to ensure that passwords don’t get forgotten?