greg hughes - dot net
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.
Searched for : passphrases
In May, the National Security Agency (yes, that one) published a guide in PDF form (818KB PDF file) called "The 60 Minute Network Security Guide - First Steps Towards a Secure Network Environment."
It's good stuff. Sure, it's not a 100% guide to everything you need to know and do, but it covers the bases quite well. Some have balked at the complex password and rotation requirements and made the requisite "that won't work in the real world" noise, but those of us who actually do operate in the real world know it can be done and that 90 days is a bad number (it's too long IMO, and lacks usability - it should be either 84 or 42 days). Sure, a few people will complain (it's human nature and it takes all kinds), but the vast majority are more than happy to do their part. Don't let the vocal few chase you away from what is proven over and over to be right.
There are always good and effective ways to accomplish the goal while meeting requirements: For example, the use of passphrases instead of regular passwords makes complex, long passwords a cinch, and all it takes is about 5 minutes of user education to show people how well it can work (use your all-hands meetings and you'll be amazed what you'll get accomplished in a short period).
Read the guide, use it, and you'll be better off. A variety of other security configuration guides from the NSA can be found here. There are more than 80 guides covering server and client operating systems, network infrastructure, database platforms, and more.
(via lifehacker.com)
More and more as time goes on I am asked about how to securely configure and use computing systems, whether they be Internet sites, online financial services, wireless networks, home and business computers, physical homes and businesses, or what have you. Since my role in that area has not changed too much, I have to assume the uptick in questions comes as a result of a desire by people to get more secure, which is a good thing.
Someone named Jim wrote me the other day and asked about my philosophy on passwords. I get this specific question often enough, I thought I would write about it here:
Hi Greg, I posted a question on the PCWorld forum and your name came up regarding my question. My issue was regarding passwords. I am a Realtor and our main access to the MLS is starting to require password changes monthly. This is not that difficult but along with all the other passwords I have to use each day it is getting to be a bit of a headache and I think it's time that I get my act together once and for all and get passwords under control. I asked for opinions on software and also philosophy. I'd like to hear your opinion. Thanks and I'm looking forward to reading your response.
Preamble
My name is Greg, and I am an IT and security professional. It's been more than six months since I last created a traditional password. They say it's a disease, and so I am here to share my experience, strength and hope so that you, too, might recover from the ravages of insecure computing and inadequate safeguarding of information.
Or something like that. Ok, now let's get serious. I'll share what I do as well as one computer program that I have found can help.
Philosophy
My password philosophy varies based on the system in question, to be perfectly honest. I use passphrases as much as possible, meaning passwords in the form of natural sentences or phrases including things like spaces, normal capitalization and punctuation. That makes them easy to remember, yet tends to keep them complex enough to meet stringent security requirements.
As a general rule, passwords or passphrases should be at least 8 characters in length, preferably longer (I tend to go with 13 or more characters, and you're going to see how easy that can be in a minute). They should also always include at least three of the following four characteristics:
- Upper-case alpha characters (A-Z)
- Lower-case alpha characters (a-z)
- Numeric characters (0-9)
- Punctuation or other special characters (!@#$%&(*?>< etc.)
In addition, the rotation period for expiring passwords in a secure environment should be no longer than 60 days, and preferably shorter. Too frequent a rotation, however, tends to result in self-defeating problems with the whole process: People who have to change their passwords every 15 or 30 days, for example, have a tendency to write them down and stick them in their wallets, or to use less-than-secure passwords. That's bad.
Another common problem is passwords expiring at inopportune times. I expire passwords in intervals that are multiples of 7 days. Why? Simple - if you set passwords to expire, say, every 42 days, someone whose password expires on a Monday will always have it expire on a Monday, which avoids expirations falling on weekends or other difficult days.
I think you'll find that most experts will agree with the above recommendations.
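As an added example (not the author's code), the following Python checker applies the rules above - the 8-character minimum, the three-of-four character classes, and rotation periods in whole weeks - and also models the arbitrary system limits discussed later on this page (a box that rejects spaces, a field truncated at 8 characters). It assumes whitespace counts toward length but toward no character class.

```python
"""Passphrase policy checks and weekday-stable expiry, as described in the post.

Added example, not the author's code. Assumption: whitespace counts toward
length only, not toward any of the four character classes.
"""
from datetime import date, timedelta
import string

MIN_LENGTH = 8          # "at least 8 characters in length"
REQUIRED_CLASSES = 3    # "at least three of the following four"


def character_classes(secret: str) -> set:
    """Return the set of character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in secret:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isspace():      # assumption: spaces count toward length only
            classes.add("special")
    return classes


def policy_problems(secret: str, max_length=None, allow_spaces=True) -> list:
    """List every reason the secret fails the post's policy.

    max_length / allow_spaces model the arbitrary limits the post complains
    about (an 8-character truncation, a password box that rejects spaces).
    An empty list means the secret is acceptable.
    """
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(secret)
    if len(classes) < REQUIRED_CLASSES:
        problems.append(f"only {len(classes)} of 4 character classes: {sorted(classes)}")
    if max_length is not None and len(secret) > max_length:
        problems.append(f"longer than the system's {max_length}-character limit")
    if not allow_spaces and any(ch.isspace() for ch in secret):
        problems.append("contains spaces, which this system rejects")
    return problems


def next_expiry(changed_on: date, period_days: int) -> date:
    """Expiry date for a rotation period that is a whole number of weeks.

    Keeping the period a multiple of 7 means the expiry always falls on the
    same weekday as the change, so it never drifts onto a weekend.
    """
    if period_days <= 0 or period_days % 7:
        raise ValueError(f"rotation period must be a positive multiple of 7 days, got {period_days}")
    return changed_on + timedelta(days=period_days)


def rotation_schedule(changed_on: date, period_days: int, count: int) -> list:
    """The next `count` expiry dates; every one lands on changed_on's weekday."""
    schedule = []
    current = changed_on
    for _ in range(count):
        current = next_expiry(current, period_days)
        schedule.append(current)
    return schedule


if __name__ == "__main__":
    # Constructed sample input: the post's own cat-themed candidates.
    for candidate in ["Cle0IsMyKat!", "Cleo is my Cat!", "cleoizmykittykat"]:
        print(repr(candidate), policy_problems(candidate) or "OK")
    # The same passphrase against a password box that rejects spaces.
    print(policy_problems("Cleo is my Cat!", allow_spaces=False))
    # Monday 5 July 2004 + 42 days = Monday 16 August 2004, and so on.
    for d in rotation_schedule(date(2004, 7, 5), 42, 3):
        print(d, d.strftime("%A"))
```

Note that of the post's cat examples, the all-lowercase one fails the three-of-four rule on its own, while the two with normal capitalization and punctuation pass without any digits.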
Maintaining passwords and passphrases securely - helpful software
Switching gears to management and storage of multiple passwords for various systems, one simple rule that should be obvious is often set aside, but should always be followed: Do not use the same password in multiple places or systems unless the system is built to support doing so for you. Great, you think... How am I supposed to manage that many passwords, especially if I am always moving around and use more than one computer, or if I use a laptop? Well there are several tools and methodologies that can help.
RoboForm is a password-management program that's grown up quite a bit over the past few years. It not only secures and stores passwords, it even fills out logon forms for you. Last year they created and started testing a version that installs on a USB key called RoboForm Portable, or Pass2Go. It's surprisingly not well known, but it works pretty well. Your passwords are secured on the USB key with Triple-DES encryption, so for almost all purposes (maybe not national security secrets, but you know what I mean) it's quite secure, and you can install it right on the USB key/drive and run it from there (you can even put the portable version of Firefox on there if you want and tie them together). Running RoboForm Portable from the USB drive means nothing has to be installed on the client computer. If you lose the drive, its contents are encrypted and locked with your master password. Note, too, that there are RoboForm add-ons not just for USB keys but also for Palm and Windows Mobile devices. So you get to choose, and all of them beat the proverbial Post-It note for security and convenience.
But none of that matters if you can't solve the real problem
But the real problem with passwords is that people forget them all the time, so they do things like use the same password everywhere, or they write them down somewhere and don't secure them, not to mention the fact they can't remember them. You end up with either an insecure system or a help desk that's dying just trying to unlock accounts and administratively change passwords. That's no good.
The fact of the matter is that the simplest way to remember passwords is to use ones that you can naturally relate to. Just as important, they need to be complex and secret enough to be sufficiently secure. This can be done. For example, I have a cat named Cleo. So, I might think about using passwords and passphrases like:
- Cle0IsMyKat!
- Cleo is my Cat!
- cleoizmykittykat
- Cleo get off the freaking furniture darnit!
You get the idea. Now, since these passwords and passphrases are often set to expire frequently and I don't want to forget them, I always try to think seasonally - incorporating things that are happening in my life at the time. When creating a new passphrase, I don't ask myself "What can I type that I will remember in ten minutes?" Instead, I think "What's happening in my life between now and the end of next month?" For example, if I had to create or change a passphrase or password right now, I might do something like:
- Fireworks on July 4th are so cool...
- Woah dude like check out the freakin fireworks dude!
- FireworksOnJuly4thAreSoCool...
- Woahdudethosefirew0rkzaresokool*
- Pow bang boom! Oh wow did you see that?
Of course, I won't actually use anything like those, now that I have posted them here (hey trust me - people have done much stupider things). But by making a passphrase meaningful during its lifetime, I can remember it quite easily (Well, usually anyhow - it can take a little getting used to). By the time the next password-change rotation comes around, I'll just think of something else I can remind myself of for the next 30 or 45 days.
You're probably starting to get the idea of how passphrases work from the examples, and it's also probably becoming clear that I am a proponent of them. They're easy to remember and - this is important - easier to type than munged up words where you replace letters with numbers and convert everything to hacker-speak. They are also quite long and more complex. And more complex means more difficult to guess or randomly replicate, which means more secure. And on top of that, you can actually remember and accurately type it. Not a bad deal, really.
There's no perfect answer - some unthinking person with no concern for security will throw in a wrench
Note that not all systems where you can create passwords will let you use spaces in the password field, and some will even limit how many characters you can use.** So, sometimes you have to adjust the way you create your passwords and passphrases to work within arbitrary limits set by arbitrary (non-security-oriented) decision makers.
** Note to security departments everywhere: Get more involved in the app and interface design phases. Just because a DBA somewhere says my online banking password needs to be truncated at 8 characters to save disk drive space doesn't mean they're right. Security reviews need to happen at design time, and then as a part of every step along the way.
By the way, to go off on a bit of a tangent - Jim's original question illustrates exactly why a well-secured and well-designed unified authentication system can be so valuable, where it makes sense. For consumers, that means something akin to Passport or one of the other unified authentication systems out there. In a business computing environment it more often means using something like a Windows domain or Novell directory to have a single set of credentials that you can protect, but which will allow you to access multiple systems. To provide additional security, you don't necessarily want to break an authentication system up and require multiple passwords, because then you're defeating the whole purpose of the unified system. Instead, you might start adding additional factors of authentication to those specific systems where you need extra authentication or authorization protection (RSA SecurID is one great example of how to add another strong authentication factor in an environment where security is very closely managed).
But Dr. Johansson's the one who's really got it covered...
For more information in the philosophy department, I'd point you at Jesper M. Johansson's work on passwords vs. passphrases:
The Great Debate: Pass Phrases vs. Passwords
- Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
- Part Two - discusses the relative strength of each type of password, and uses some mathematical approaches for illustration
- Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
I've rambled a bit, but I hope that helps. I have a lot more to write on the subject of authentication security, but that will have to wait for another time.
There's a Slashdot conversation taking place about using and enforcing cryptographically strong passwords (it's all about passphrases, people, passphrases - read my experiences here). In that thread, someone linked to an old and quite perfect social engineering example that I had not seen in a while. In my field I see and hear some of the funniest (or rather scariest) stories about situations like this.
From an IRC chatroom:
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
Pretty darn funny - unless it's you. 
Of course, much of the /. conversation has evolved into the requisite noise and talk about how the original question is a moot point because passwords are dead, etc etc etc blah blah blah shashdotadnauseum...
And, since we need something useful to go with the something-funny/scary, here's some information worth reading about how to make it possible for users to remember and use cryptographically strong authentication without having to resort to Post-its and .txt files on the computer:
The Great Debate: Pass Phrases vs. Passwords
- Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
- Part Two - discusses the relative strength of each type of password, and uses some mathematical approaches for illustration
- Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
Freudian slip n: a slip-up that (according to Sigmund Freud) results from the operation of unconscious wishes or conflicts and can reveal unconscious processes in normal healthy individuals
I recently started using passphrases instead of passwords for my various computer accounts. So far I have found only one place where it just doesn't work.
I'm calling it a success so far.
Using something akin to natural English - complete with spaces, punctuation and natural capitalization - makes passphrases very easy to remember and (despite their longer length) often easier to type than convoluted "strong" passwords.
But something funny happened to me on the way to my computer the other day, when I was playing with test passphrases in preparation for making the Big Change. I've discovered that passphrases may tell more about the person using them than one might realize.
Let's say, for example, I choose a passphrase (and this is very hypothetical) like:
How the heck did you do that Dude?
It's easy to type because it's just a sentence, easy to remember because it's conversational, and secure because it's long and complex. Obviously, a simple plain-language phrase like the example above can be strengthened further by throwing in non-natural characters, unusual phrase structure, etc., just as with passwords.
But I digress... In my hypothetical example passphrase above, what do you imagine would cause me to keep typing the passphrase incorrectly?
As it turns out, there's a tendency to think not about the exact wording, but instead about what the phrase communicates. So, in the above example there are two words I might keep screwing up.
The first problematic word is "that." The tendency here is to type "this" instead of "that," as in "How the heck did you do this Dude?" or "This is a really cool thing you're doing." Natural human speech tendency.
The second problematic word is a little more colorful (and Freudian) in its psychological adaptation. Take the word "heck" and figure out how many similar words a person might use. Depending on mood (which seems to be a real factor affecting outcome in my case, heheh), the person typing the passphrase might type "hell" in place of "heck." It has the same first two letters, and so it's a natural tendency. But take the word "heck," apply some life or personal stress, and then take a look at the last two letters of the word, and I'll leave it up to you to come up with another four-letter replacement that shares those last two characters, and also fits into the passphrase (conversationally and in a rude kind of way).
You get the idea. Anyhow, I only locked myself out of that test account once. 
Freud would probably be proud. But hey, that figures - he was a drug addict and a freak.
The other day I decided to change to using passphrases instead of single passwords on my Windows accounts. Aside from the minor headache of having to remember I made the change at all, it's been a good thing.
That is, until today.
This afternoon I decided to re-enable my wireless sync with my Exchange server on my Windows Mobile 2003 smart phone (Audiovox 5600). I had disabled it when I changed the password the other day, with plans to set it back up when I had time. So I went to enter the new passphrase on the mobile device, but no workie... Apparently, while Windows and Outlook and Exchange-HTTPS and pretty much everything else in the Windows world support passphrases that include spaces, not so on Windows Mobile 2003.
Apparently you simply can't enter spaces in the password box on the smart phone.
So, I have a choice to make: I can either change back to using passwords in order to allow my Windows Mobile device to sync with Exchange (one step forward, two steps back), or I can stay with passphrases and leave my Windows Mobile device crippled (don't even get me started on that one).
Needless to say, I am not very happy with either option...
Anyone have a solution? Am I missing something here? Seems to me that when you create a password interface, you'd support whatever the back-end system allows you to use?
I had to change one of my passwords today (good security practices and all that), and with the recent discussions around the 'net concerning using passphrases in place of passwords, I decided to go full tilt and start using passphrases on this account rather than passwords.
One of the great things about passphrases is that they can be quite long and secure, yet easy to type and remember. For example, I could use either of these as a secure passphrase that more than meets all the security requirements of a Windows standard password-complexity template:
Is this my nifty-difty passphrase?
- or -
Wow yo thats a really cool Red Radio you have there!
Of course, I could also be more paranoid (and in real life I am) by using something like "Is this my nyftie-dyftie passphraze?" but even with standard dictionary words, the combination of having to determine the number of words, case, punctuation, order and spacing is a pretty darn complicated task. For more information about the effectiveness of passphrases and their complexity, read what Jesper Johansson wrote on the topic.
I can include spaces and everything - they're part of the passphrase, and the fact that I am using dictionary words works in the case of a passphrase, where they don't really pass muster when using 8-character-minimum passwords.
Passphrases use multiple words or variations on them, can be out of place and odd, and are easy to remember and easy to type quickly. The only problem I have had since changing to my new passphrase is remembering that I changed my password at all - I keep typing the old one... It's like writing "2004" on checks, I guess... This, too, shall pass.
Anyhow, I can type my passphrase accurately every single time, very quickly and reliably, so I am happy with that. If I choose a phrase that means something to me at the time, it will be easy to work with until I have to change it again in several weeks. I think it's a good thing - all in all better from a user standpoint than convoluted and hard-to-type passwords.
More on passwords vs. passphrases can be found here. Also, Susan Bradley, who blogs about Small Business Server quite a bit, has some thoughts on the subject and some policy configuration information (via Adam Field).
Jesper M. Johansson, Ph.D., ISSAP, CISSP is a Security Program Manager at Microsoft. The second part of his three-part article on the use of passwords vs. passphrases was recently published.
The Great Debates: Pass Phrases vs. Passwords
- Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
- Part Two - discusses the relative strength of each type of password, and uses some mathematical approaches for illustration
- Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
In this installment, he looks at three arguments for the use of pass-phrases:
- Claim 1: Users Can Remember Pass Phrases
- Claim 2: Longer is Stronger
- Claim 3: Pass Phrases Can Have More Randomness
This is a great read, worth the time for anyone who works in the security field or in IT operations and security. I am looking forward to the third installment, as well. Jesper has a powerful way of cutting to the heart of the arguments and coming out the other end of the conversation with good facts in tow.
© Copyright 2012 Greg Hughes

This work is licensed under a Creative Commons License.
This page was rendered at Monday, 04 June 2012 17:13:07 (Pacific Standard Time, UTC-08:00)