The only light in the small room is from a computer screen. Its green glow reaches out to wash over a tired face and ends abruptly at eyes that seem incapable of blinking or closing; they no longer glisten. They are dry and scratchy. The only movement in the room is fingers flashing over the keyboard and a few more butts falling from a stuffed ashtray onto a plate of half-eaten stale toast. It's about 3:00 am. Over the last 18 hours the number of compromised passwords has kept growing. It's often a competition of who can guess the most passwords.
Some of these accounts will be broken into immediately; some will be shared or sold among others; some will be used and monitored without the account owner ever knowing; some will be exploited for confidential information and access to other accounts; passwords might be changed if the account hasn't been used in a long time and programs uploaded; and a very few will be trashed, i.e., files deleted, web pages defaced or changed, etc.
The above scenario of how passwords are guessed is dated. Today, most organizations restrict the number of incorrect login attempts, so guessing against the live login prompt is far less productive; the threat has moved to offline cracking of stolen password hashes and to tricking users into handing their passwords over. What happens to compromised accounts has not changed a great deal from the above scenario. Recent trends include using them to set up spam bots (sending spam from your personal email address) and installing programs that record keystrokes.
Recent events on the Queen's campus have made the threat to NetIDs and passwords very real.
This article describes why password strength is so important in protecting Queen's University from information disclosure and phishing scams, and in protecting access to Queen's administrative systems, which contain personal and confidential information. It also examines how the new password requirements for access to the PeopleSoft application strengthen passwords against today's sophisticated attempts to compromise them.
Today there are sophisticated programs for cracking stored password hashes (often loosely called "encrypted passwords"), and many of them ship with dictionaries in several languages. Another current trend is what the security industry calls "phishing" (pronounced "fishing"). In a phishing attack, a large number of people are sent a fraudulent email asking that their NetID and password (or other private data) be sent in reply or entered on a page reached by clicking a URL in the email. The email usually carries a threat that the email account will be disabled if no reply is received. Times have changed since the scenario at the start of this article, and security practices need to change with them to keep pace with those who would exploit them.
One example at Queen's where security has been increased is in the setting of passwords for access to the PeopleSoft application. Everyone at Queen's with access to PeopleSoft is required to change their NetID password to meet increased security requirements before gaining access. These requirements are:
How do the increased password length, the wider set of character types, the frequency of password change, and the restriction on reusing the same password each contribute to the security of account access?
In simple terms, consider the requirement for a 10 character password using only lower case letters of the English alphabet selected at random. There are 26 letters in the alphabet. How strong a password would you have?
First, there are 26 possibilities for the first letter of the password, another 26 for the second letter, and so on up to the tenth letter. Thus, the number of possibilities is 26 to the 10th power, or:
26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 = 141,167,095,653,376
While this seems a very large number, a 10-character password using only lower case letters is not very strong against a sophisticated cracking program on today's fast computers: at a billion guesses per second, for example, all 141 trillion candidates can be tried in under two days. And that figure assumes the ten letters were chosen at random. Many passwords are in fact English words or names (easier to remember!), and a dictionary attack tries those first, so such passwords can be compromised in less than 10 seconds. The number of possibilities increases sharply if you include randomly placed upper case letters, numbers and symbols.
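The arithmetic above, carried through for the lower-case-only case and for progressively richer character sets, as an added example (not code from the original article or from Queen's ITServices). The guess rate of 10^9 per second, the 32-symbol set taken from Python's string.punctuation, and the 200,000-word / 50-rule dictionary figures are assumptions chosen for illustration; the function names are this example's own.

```python
import math
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Character classes used to size a search space. The class names and the
# 32-symbol set (Python's string.punctuation) are assumptions of this example.
CLASSES = {
    "lower": ascii_lowercase,    # 26 characters
    "upper": ascii_uppercase,    # 26 characters
    "digits": digits,            # 10 characters
    "symbols": punctuation,      # 32 characters
}


def keyspace(length: int, classes: tuple[str, ...]) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    uniformly at random from the union of the named classes: |alphabet| ** length.
    This counts only truly random passwords; a word or a name is one guess."""
    alphabet = set()
    for name in classes:
        alphabet.update(CLASSES[name])
    return len(alphabet) ** length


def entropy_bits(space: int) -> float:
    """Search space expressed in bits (log2), the usual way to compare policies."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate.
    On average a random password falls after about half of this."""
    return space / guesses_per_second


def dictionary_attack_seconds(wordlist_size: int, rules_per_word: int,
                              guesses_per_second: float) -> float:
    """Time for a dictionary attack: every word is tried under each mangling
    rule (capitalise, append digits, ...). Both sizes are attacker-chosen."""
    return wordlist_size * rules_per_word / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def compare_policies(length: int, guesses_per_second: float) -> dict[str, dict]:
    """Keyspace, entropy and exhaustive-search time for the article's
    lower-case-only case against richer character sets of the same length."""
    policies = {
        "lower only": ("lower",),
        "lower + upper": ("lower", "upper"),
        "lower + upper + digits": ("lower", "upper", "digits"),
        "all four classes": ("lower", "upper", "digits", "symbols"),
    }
    report = {}
    for name, classes in policies.items():
        space = keyspace(length, classes)
        report[name] = {
            "keyspace": space,
            "bits": round(entropy_bits(space), 1),
            "exhaust": human(seconds_to_exhaust(space, guesses_per_second)),
        }
    return report


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate for illustration: 10**9 guesses/s
    for name, row in compare_policies(10, RATE).items():
        print(f"{name:24} {row['keyspace']:>26,}  {row['bits']:5.1f} bits  {row['exhaust']}")
    # A 200,000-word list with 50 mangling rules (assumed figures) is tiny by comparison.
    print("dictionary attack:", human(dictionary_attack_seconds(200_000, 50, RATE)))
```

The point the table makes is that the 10-character lower-case space (about 47 bits) falls in under two days at the assumed rate, while the same length over all four classes (about 65.5 bits) takes centuries, and that a dictionary word is gone in a fraction of a second regardless of policy, because the keyspace figure only applies to passwords that were actually chosen at random.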
According to Queen's ITServices Security Manager George Farah, "Hackers are able to break a four-letter password in about 5 seconds today. The technology used to break a password is evolving and becoming more sophisticated." So, how do you increase password strength? "Use a password phrase with letters, numbers and a symbol like ! or # and to make it easy to remember, use phrases you will remember," states Mr. Farah.
Passwords created this way are not names or words found in any dictionary. Notice that the strength of such a password does not lie in keeping secret the fact that you are using letters, numbers and symbols; it lies in the number of possibilities being too large for an attacker to work through by guessing. Both exhaustive brute-force searches and dictionary attacks are resisted, especially when the letters do not spell actual words in any language. Creating such a password does require taking the time to think of a pass phrase that is meaningful to you, then using the first (or second) letter of each word as the password, with an upper case letter, numbers and symbols placed at random. For tips on creating these stronger passwords, please read the article Choosing a Strong Password.
The second requirement, changing your password every 45 days, also increases security, but in a different way. Regular change limits the useful lifetime of a password that has been guessed, recovered by a cracking program, or handed over in reply to a phishing email: it stops working at the next change. Note that this narrows the window of exposure rather than closing it; an attacker who already holds the password can use it until that change happens.
The third requirement, that a password cannot be reused for at least 5 change cycles of 45 days each, ensures that a compromised password will not become valid again for at least 5 x 45 = 225 days, or about seven and a half months.
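How a system enforces the reuse rule in the two paragraphs above, as an added example that is not code from the original article or from PeopleSoft or Queen's ITServices. The history depth of 5 is the article's figure; the choice of salted PBKDF2-HMAC-SHA256 with 100,000 iterations, the 16-byte salt and the class and function names are this example's assumptions. Storing salted hashes rather than plaintext means the history itself does not become a list of the user's old passwords if the database is stolen.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5        # the article's rule: no reuse for 5 change cycles
PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored history entries are not readable and
    cannot be compared across users (each entry gets its own salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps the salted hashes of a user's last HISTORY_DEPTH passwords and
    refuses a change back to any of them. Plaintext is never retained."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        # deque(maxlen=depth) drops the oldest entry automatically, which is
        # exactly the "reusable again only after `depth` changes" semantics.
        self._entries: deque[tuple[bytes, bytes]] = deque(maxlen=depth)

    def is_reuse(self, candidate: str) -> bool:
        """True if candidate equals any remembered password. Each entry has its
        own salt, so the candidate is re-hashed once per entry; the comparison
        is constant-time to avoid leaking how many bytes matched."""
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self._entries
        )

    def set_password(self, new_password: str) -> bool:
        """Record a change; returns False (and changes nothing) on reuse."""
        if self.is_reuse(new_password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(new_password, salt)))
        return True

    def __len__(self) -> int:
        return len(self._entries)


def simulate_cycles(passwords: list[str]) -> list[bool]:
    """Apply a sequence of change attempts to a fresh history and report
    which attempts were accepted."""
    history = PasswordHistory()
    return [history.set_password(p) for p in passwords]


if __name__ == "__main__":
    # Constructed sequence: the first password is retried immediately (rejected),
    # then retried after five other changes (accepted, since it has aged out).
    attempts = ["Tq!2b0r1s", "Tq!2b0r1s", "p2", "p3", "p4", "p5", "p6", "Tq!2b0r1s"]
    for pw, ok in zip(attempts, simulate_cycles(attempts)):
        print(f"{pw:12} {'accepted' if ok else 'rejected (reuse)'}")
```

With a 45-day change interval, the sixth acceptance of the old password in the simulation corresponds to the 225 days the article computes; a deeper history or a longer interval lengthens that figure proportionally.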
"Establishing sufficient password length and password character diversity, while simultaneously ensuring that passwords are changed frequently and not repeated, are essential in order to accomplish the goal of creating 'properly chosen' and 'adequately defended' passwords today," states Mr. Farah.
Anyone who is not required to meet these new requirements because they do not need to use the PeopleSoft web application would do well to adopt the same practices for their campus email account and any other access, as recommended on the ITServices security website:
NetID Change Password:
Golden Rules to Safe Computing on Campus:
http://www.queensu.ca/its/security/EducationAndAwareness/GoldenRules.html
Copyright Queen's University
Kingston, Ontario, Canada K7L 3N6 613.533.2000