Passwords in Enterprise settings

You are presented with a login prompt asking for a username. You enter your username and are presented with the password prompt. You type your password, with its minimum of 1 uppercase letter, 1 number and 1 special character, and hit enter when you are somewhere between 8 and 16 characters in length.

You chose this password because you can remember it and because it fits the password policy in place.

Imagine close to 90 machines, isolated little islands, where each password change timer started at your first login or on the latest occasion you changed the password. These close to 90 machines are provided by different vendors, with different password policies, none of which have been presented to you. Each and every time you are forced to change a password, you have to come up with a new, long and easy-to-remember password with upper case, lower case, numbers and special characters .. and fail against the password policy.

Last time, on my sixth (6th) generation of passwords, where 2017&RedFireTruck was too simple or too short, I pretty much lost it. 17 characters, mixed upper and lower case and special character .. that is, according to GRC: Password Haystacks, a search space of 4,225,684,238,917,218,534,300,824,429,126,495 combinations to brute force.

I emailed the vendors and asked for a description of their password policies, why I had to rotate passwords every 60 or 90 days, and why authentication was not federated with LDAP to simplify authentication. No answer. None whatsoever.

This is a situation that CREATES bad security: long, very complex passwords that you need to change often. Post-it notes with passwords are unfortunately common in offices, which defeats the purpose of being secure.

This article from Naked Security, NIST’s new password rules – what you need to know, summarizes NIST’s report, condensed into human-readable form, with good advice about how to achieve good password hygiene.

My personal belief is that passwords should be long and complex to a certain degree, where you can remember your password either by muscle memory or by heart without much thought. Password changes should be forced when breaches or leaks are suspected – a good password is a good password until broken, not by some administrator's 40 to 90 day cycle. Check the above link to GRC, as there is a strength meter where you can test something similar to what you would use as a password – you should not test real “production” passwords, as they could leak or be sniffed by browser extensions.
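An offline way to get the same kind of search-space figure without typing anything into a browser, as an added example that is not part of the original post. It assumes GRC's counting model (26 lowercase, 26 uppercase, 10 digits, 33 symbols, all lengths up to the password's length); the function names and the guess rate are illustrative assumptions.

```python
import getpass
import string

# Character classes as counted in the GRC-style model (assumption):
# 26 lowercase, 26 uppercase, 10 digits, 33 symbols (punctuation + space).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    used = set(password)
    known = set().union(*(chars for chars, _ in CLASSES.values()))
    if used - known:
        raise ValueError("characters outside printable ASCII are not modelled")
    return sum(size for chars, size in CLASSES.values() if used & chars)


def search_space(password):
    """Count every candidate of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password, guesses_per_second):
    """Worst-case brute-force time at a given (assumed) guess rate."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # getpass keeps the input off the screen and out of shell history.
    pw = getpass.getpass("Password to measure (not echoed, not stored): ")
    print(f"alphabet {alphabet_size(pw)}, length {len(pw)}")
    print(f"search space {search_space(pw):,}")
    print(f"{years_to_exhaust(pw, 1e11):.3g} years at 1e11 guesses/s (assumed)")
```

The figure is a brute-force upper bound only; a password assembled from dictionary words can fall to a wordlist attack far sooner than the count suggests.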

The future is 2FA or MFA: two-factor authentication or multi-factor authentication. Either keyfobs or authenticator applications on smartphones; SMS is dead.
Keyfobs spit out (usually) 6 digits on a small display, which you have to type in before they change. Authenticator applications work similarly but can also present you with a notification dialog where you choose “Approve” or “Deny”. There are several flavors, and the ones I have tested are Google Authenticator, Azure Authenticator, LastPass Authenticator and DUO Authenticator – all of them work similarly and require a little bit of setup, but when you are done, authentication is a breeze.

SMS codes are dead. Even if sent as Flash SMS (the ones that show up without the need to open an app to read them), there is still a built-in TTL of 72 hours for delivery, and within mobile networks there is actually NO real guarantee that the message will be received within these 72 hours. Also, since SS7 gateways have been found on the internet with no authentication, where messages can be read or redirected with little effort, there is no way of telling if bad guys are getting the SMSs. SMS messages are sent in clear text, unencrypted, and have no tamper checks.

I’d like to see a wider adoption of YubiKeys or similar: small hardware USB dongles that emulate keyboards and can work in several modes depending on configuration. They can either spit out the same string over and over when you push the little button, or spit out an OTP, a one-time password, on each button press.

To implement any of these methods on Linux machines, there are PAM modules available already. For Wintendo machines I’m not so sure, but there are most probably implementations available as well.

Vendors seem to be out of touch with current information and methods. Or they do not have the means to implement changes until something really bad happens, like a breach or leak, but then it’s too late: the damage is already done and intruders might have gained footholds in the infrastructure. In such a case, all machines would need to be re-installed from scratch, from known, verified physical installation media. Even that might be too late, as there is usually updatable firmware in many parts and components of a computer, where (theoretically) malware could be hidden. A catastrophe waiting to happen.

Out of rage, when not being able to use the new fairly complex password to change password, I padded it with YourMomSucksDonkeyBalls and it didn’t complain when my new password had the length of about 40 characters or more.

I work with Enterprise customers and their business-critical systems. I have several times attempted to get some information about each vendor's password policy, but they have never been able to present it to me: either they do not have it written down, only the admins know, or it is for some reason secret.