by Mandy Andress

Password-by-number

Analysis

Apr 5, 2002

How do you deal with all those pesky passwords and still keep the keys to the kingdom secure?

THE YEAR OF PKI (public key infrastructure) has come and gone. Smartcards and biometrics have not caught on as anticipated. So, after all the hype, discussion, and technological advances, passwords are still the main method of authentication.

At a minimum, many users have passwords for network logon, e-mail, third-party applications, Intranet access, and remote access. Outside of work there are a multitude of Web site passwords for online banking, brokerages, health care, 401K accounts, and personal e-mail. Administrators have the heaviest burden — swamped with powerful passwords from a variety of systems, including Windows domain admin, Unix/Linux root accounts, and “enable secret” on Cisco gear.

If all of these accounts follow password best practices — which usually means a unique password at least seven characters long combining upper and lowercase letters, numbers, and special characters — how do you remember them all without writing them down? The most likely answer is: You don’t. Many people use the same password for all accounts and just create a minor variation when forced to change their password, such as changing a number in the password by an increment of one.

What about those administrators? The passwords they control are the keys to the kingdom, so what protections should be taken? The ultimate goal here is to select strong passwords that cannot be easily guessed or cracked, but can still be remembered by the administrator after a month or more of nonuse.

Reaching this goal is a lot harder than it sounds. One common approach is keeping a record of administrator passwords in a PGP-encrypted file. This way, the administrator passwords can be very complex but the administrator only needs to remember a single passphrase to access the encrypted file.

Another common method is to use a PDA to store administrator passwords. There are many applications to encrypt data on a Palm or Pocket PC device, such as Developer One’s CodeWallet Pro or Certicom’s movianCrypt. As with the PGP scenario, a passphrase is required for data access.

One of the best solutions I have seen is storing encrypted password data on a token, such as Rainbow Technologies’ iKey or Dallas Semiconductor’s iButton, which also need a separate passphrase to access the data. Some companies have even gone as far as developing their own secured database for password storage.

But all of these solutions still have one problem: They keep all the passwords in one place, so security must be very tight. The passphrase used to access the encrypted data must be very strong, not easy to guess, and resist fast cracking by a brute force attack. If you want to get really tricky, you can also break the encryption key into pieces and require several people to be present to decrypt the “password” file, similar to how root CA keys are protected.

Dealing with passwords is an ongoing battle. How does your organization approach this issue?