The Internet Encyclopedia (Volume 3)

PASSWORD SECURITY ISSUES AND EFFECTIVE MANAGEMENT 7

Many organizations supplement password control pro-
grams with procedural or administrative controls that en-
sure that passwords are changed regularly and that old
passwords are not reused. If password aging is used, the
system should give users a warning and the opportunity
to change their passwords before they expire. In addition,
administrators should set account lockout policies, which
lock out a user after a number of unsuccessful login at-
tempts and require the password to be reset before the
account can be used again.
Microsoft Windows 2000 and Windows XP include
built-in password constraint options in the “Group Policy”
settings. An administrator can configure the network so
that user passwords must have a minimum length, a min-
imum and maximum age, and other constraints. It is im-
portant to require a minimum age on a password; without
one, a user can cycle through a series of changes in a few
minutes and arrive back at a favourite, previously used
password.
The following outlines the minimal criteria for select-
ing “strong” passwords.

Guidelines for Selecting a Good Password
The goal is to select something easily remembered but not
easily guessed.

Length
Windows systems: seven characters or longer
Unix, Linux systems: eight characters or longer

Composition
Mixture of alphabetic, numeric, and special characters
(e.g., #, @, or !)
Mixture of upper and lower case characters
No words found in a dictionary
No personal information about the user (e.g., any part of
the user’s name, a family member’s name, or the user’s
date of birth, Social Security number, phone number,
license plate number, etc.)
No information that is easily obtained about the user, es-
pecially any part of the user ID
No commonly used proper names such as local sports
teams or celebrities
No patterns such as 12345, sssss, or qwerty
Try misspelling or abbreviating a word that has some
meaning to the user (Example: “How to select a good
password?” becomes “H2sagP?”)
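As an added example (not code from the encyclopedia), the Python checker below applies the guidelines above: the platform-specific minimum length, the character-class mix, dictionary words, personal information derived from a user profile, keyboard and number patterns, and runs of repeated characters. The word list, the profile fields and the pattern list are assumptions constructed for the example; a real deployment would use a full dictionary and the identity attributes the organization actually holds. The abbreviated example "H2sagP?" passes the Windows length rule but fails the eight-character Unix rule, which the checker reports.

```python
import re
import string

# Constructed sample data for this example (assumptions, not from the encyclopedia):
# a tiny word list standing in for a real dictionary, and a user profile of the kind
# a social engineer could assemble from public sources.
DICTIONARY = ("dragon", "letmein", "monkey", "password", "summer", "welcome")
USER_PROFILE = {
    "user_id": "jsmith",
    "name": "John Smith",
    "family": ["Mary", "Alex"],
    "birth_date": "1975-03-12",
    "phone": "555-0142",
    "license_plate": "ABC 123",
}
KEYBOARD_PATTERNS = ("12345", "qwerty", "asdfg", "zxcvb", "abcde")


def personal_tokens(profile):
    """Derive the strings a password must not contain from a user profile."""
    tokens = set()
    tokens.add(profile["user_id"].lower())
    tokens.update(part.lower() for part in profile["name"].split())
    tokens.update(name.lower() for name in profile["family"])
    yyyy, mm, dd = profile["birth_date"].split("-")
    tokens.update({yyyy, mm + dd, dd + mm, yyyy[2:] + mm + dd})
    tokens.add(re.sub(r"\D", "", profile["phone"]))
    tokens.add(re.sub(r"\W", "", profile["license_plate"]).lower())
    # Very short tokens (e.g. "03") would match almost anything, so drop them.
    return sorted(t for t in tokens if len(t) >= 3)


def check_password(password, profile, platform="unix"):
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    min_len = 7 if platform == "windows" else 8
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    low = password.lower()
    for word in DICTIONARY:
        if word in low:
            problems.append(f"contains dictionary word {word!r}")
    for token in personal_tokens(profile):
        if token in low:
            problems.append(f"contains personal information {token!r}")
    for pattern in KEYBOARD_PATTERNS:
        if pattern in low:
            problems.append(f"contains pattern {pattern!r}")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of four or more repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ("H2sagP?", "Mary1975!", "Summer12345", "Xsssss9!!"):
        print(candidate, check_password(candidate, USER_PROFILE, "unix"))
```

The checks are substring based and case-insensitive, which is the right bias for a policy filter: it is better to reject "jSmith2012!" than to accept it because the case differs from the stored user ID.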

Password Aging and Reuse
To limit the usefulness of passwords that might have been
compromised, it is suggested practice to change them reg-
ularly. Many systems force users to change their pass-
words when they log in for the first time, and again if they
have not changed their passwords for an extended period
(say, 90 days). In addition, users should not reuse old pass-
words. Some systems support this by recording the old
passwords, ensuring that users cannot change their pass-
words back to previously used values, and ensuring that
the users’ new passwords are significantly different from
their previous passwords. Such systems usually have a fi-
nite memory, say the past 10 passwords, and unless a min-
imum password age is enforced, users can circumvent the
password filtering controls by changing a password 10
times in a row until the remembered list is flushed and
the previously used password is accepted again.

It is recommended that, at a predetermined period of
time prior to the expiration of a password’s lifetime, the
user ID it is associated with be notified by the system as
having an “expired” password. A user who logs in with
an ID having an expired password should be required to
change the password for that user ID before further access
to the system is permitted. If a password is not changed
before the end of its maximum lifetime, it is recommended
that the user ID it is associated with be identified by the
system as “locked.” No login should be permitted to a
locked user ID, but the system administrator should be
able to unlock the user ID by changing the password for
that user ID. After a password has been changed, the life-
time period for the password should be reset to the max-
imum value established by the system.
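The aging, history, minimum-age and lockout controls described in this section and in the opening paragraph above are easiest to see working together in code. The following is an added example, not code from the encyclopedia or from any particular operating system: a small Python account model with a simulated clock in which a password enters the "expired" state (change required at login) a configurable time before its maximum lifetime and the account locks when that lifetime is exceeded, an administrator reset unlocks it, repeated failed logins lock it, and a finite history of ten old passwords is kept. The `cycle_back` function carries out the circumvention the text describes, changing the password eleven times in a row; the `demo` function runs it with and without a minimum age. The policy values, user names and passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DAY = 86_400  # seconds; "now" below is a simulated integer clock


@dataclass
class Policy:
    min_age: int = 1 * DAY        # 0 disables the minimum-age control
    max_age: int = 90 * DAY       # maximum password lifetime
    warn_before: int = 7 * DAY    # "expired" (change required) window before the lifetime ends
    history: int = 10             # finite memory of old passwords
    lockout_threshold: int = 5    # failed logins before the account locks


def _hash(password, salt):
    # Salted PBKDF2 so the stored history cannot be read back; iteration count kept low for speed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    def __init__(self, user_id, initial_password, now, policy):
        self.user_id, self.policy = user_id, policy
        self.history = []            # (salt, digest) pairs, newest last
        self.changed_at = now
        self.failures = 0
        self.locked = False
        self.must_change = True      # force a change at first login
        self._store(initial_password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-self.policy.history:]   # finite memory

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def status(self, now):
        age = now - self.changed_at
        if age >= self.policy.max_age:
            self.locked = True       # lifetime exceeded: only an administrator reopens it
        if self.locked:
            return "locked"
        if age >= self.policy.max_age - self.policy.warn_before:
            return "expired"         # login still works, but a change is required
        return "ok"

    def login(self, password, now):
        if self.status(now) == "locked":
            return "locked"
        if not self._matches(password, self.history[-1]):
            self.failures += 1
            if self.failures >= self.policy.lockout_threshold:
                self.locked = True
                return "locked"
            return "denied"
        self.failures = 0
        if self.must_change or self.status(now) == "expired":
            return "must_change"
        return "ok"

    def change_password(self, old, new, now):
        if self.status(now) == "locked":
            return "locked"
        if not self._matches(old, self.history[-1]):
            return "denied"
        if not self.must_change and now - self.changed_at < self.policy.min_age:
            return "too_soon"        # minimum age blocks back-to-back changes
        if any(self._matches(new, e) for e in self.history):
            return "reused"          # history check
        self._store(new)
        self.changed_at = now        # lifetime resets to the maximum
        self.must_change = False
        return "changed"

    def admin_reset(self, new, now):
        self.locked, self.failures, self.must_change = False, 0, True
        self._store(new)
        self.changed_at = now


def cycle_back(account, current, now):
    """Change the password history+1 times in a row, ending on the value the user
    started with. Returns the result of each attempt."""
    results, pw = [], current
    for i in range(account.policy.history):
        nxt = f"Thr0w@way{i}"
        results.append(account.change_password(pw, nxt, now))
        if results[-1] == "changed":
            pw = nxt
    results.append(account.change_password(pw, current, now))
    return results


def demo(min_age):
    """Create an account, make the forced first change, then try to cycle back ten days later."""
    acct = Account("jsmith", "Start1ng!Pw", now=0, policy=Policy(min_age=min_age))
    assert acct.login("Start1ng!Pw", 0) == "must_change"
    assert acct.change_password("Start1ng!Pw", "Real#Pass9", 0) == "changed"
    return cycle_back(acct, "Real#Pass9", now=10 * DAY)


if __name__ == "__main__":
    print("min_age=0:  ", demo(0))      # every change succeeds and the old password is back
    print("min_age=1d: ", demo(DAY))    # first change succeeds, the rest are "too_soon"
```

With `min_age=0` all eleven changes return "changed": after ten throwaway passwords the original has fallen out of the ten-entry history and is accepted again. With a one-day minimum age the first change succeeds and every following attempt is refused as "too_soon", which is the reason the minimum age is worth enforcing alongside the history.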

Social Engineering
With all the advances in technology, the oldest way to at-
tack a password-based security system is still the easi-
est: coercion, bribery, or trickery against the users of the
system. Social engineering is an attack against people,
rather than machines. It is an outsider’s use of psycho-
logical tricks on legitimate users of a computer system,
usually to gain the information (e.g., user IDs and pass-
words) needed to access a system. The notorious “hacker”
Kevin Mitnick, who was convicted on charges of computer
and wire fraud and spent 59 months in federal prison, told
a Congressional panel that he rarely used technology to
gain information and used social engineering almost ex-
clusively (Federation of American Scientists, n.d.).
According to a study by British psychologists, people
often base their passwords on something obvious and eas-
ily guessed by a social engineer. Around 50% of computer
users base them on the name of a family member, a part-
ner, or a pet. Another 30% use a pop idol or sporting hero.
Another 10% of users pick passwords that reflect some
kind of fantasy, often containing some sexual reference.
The study showed that only 10% use cryptic combinations
that follow all the rules of “tough” passwords (Brown,
2002).
The best countermeasures to social engineering attacks
are education and awareness. Users should be instructed
never to tell anyone their passwords. Doing so destroys
accountability, and a system administrator should never
need to know it either. Also, users should never write down
their passwords. A clever social engineer will find it if it is
“hidden” under a mouse pad or inside a desk drawer.

Some Examples of Social Engineering Attacks
“Appeal to Authority” Attack. This is impersonating an
authority figure or else identifying a key individual as a
supposed acquaintance, in order to demand information.
For example: A secretary receives a phone call from some-
one claiming to be the “IT Manager.” He requests her user
ID and password, or gives her a value to set her password
to immediately because “there has been a server crash in
the computer center and we need to reset everyone’s ac-
count.” Once she has complied, he now has access to a
valid user ID and password to access the system.

“Fake Web Site” Attack. The same password should not
be used for multiple applications. Once a frequently used