August 08, 2012
HP's advice on passwords: Got C, but no IA
As 3000 users move out of their protected and obscure MPE/iX, they encounter more virulent environmental waters. Never mind the malware and spyware aimed at Windows and Macs. (Yes, Apple systems are targets, although few have been hacked en masse). This weekend's big story from popular blogger Mat Honan revealed he got his Gmail swiped, his Mac and iPad wiped remotely, his Twitter account heisted, and his iPhone hijacked. All in a matter of minutes because one password, off the new Apple iCloud, was stolen.
This kind of perfect storm happened because the blogger had plenty of computing systems protected by a single password. By coincidence, of course, HP released its HP Technology at Work IT business eNewsletter, which suggests some good password practices. But it starts out with bad advice.
"Try putting your hands on the keyboard and just typing randomly -- a gibberish password can be very secure." This sort of consumer-grade instruction bypasses two of the three security requirements for passwords in the industry.
"There is an acronym in the security world: CIA," says Steve Hardwick, a CISSP pro whose current mission is security for the pre-payment systems at Oxygen Financial. "That's Confidentiality, Integrity, Availability. So the HP advice is true on one count, but not all of them. This is a very common security mistake." Hardwick, who's also worked security for Dell's Global Systems as part of a 30-year career in IT, says that making up a password out of nonsense works well only the first time you use it: when you first apply it to the account it secures.
"The HP advice addresses Confidentiality only," he says. "Other people would have difficulty guessing this password. However, it is very weak from an Integrity perspective, as it would be difficult to type in reliably without a reference by writing it down. Plus, it would be weak from an Availability perspective, as it would be very easy to forget without a reference -- again, which would require writing it down."
You could always enter the gibberish in an encrypted file, instead of on a post-it note on your monitor. But decrypting a file every time you forget a gibberish password adds a lot of time to a workday. And to be clear, that Apple blogger had his password cracked after a hacker talked an Apple support staffer into revealing the password. As Bruce Hobbs, who's consulted and worked in 3000 shops for more than 25 years, said, "This reminds me of some of the stories that Vladimir [Volokh] and Bruce Schneier tell: the core 'problem' is almost always people."
HP's got far better security options than gibberish passwords, but they'll cost an enterprise customer a lot more than a click on an eNewsletter. Its Enterprise Cloud Security (ECS) products for securing clouds -- such as Apple's iCloud -- include ECS-Continuity. HP says that service includes two-factor authenticated access to privileged user accounts, along with NIDS/NIPS, firewall and VPN monitoring, OS hardening, physical data center security and SIEM monitoring.
The HP 3000 managers we've interviewed about cloud computing cite security as the top reason they're putting the cloud on a long simmer for migration plans. As for those passwords, Hardwick came up with a better strategy to create a password you're likely to remember.
Pick a number you know well from back in your history. Then devise a word that's not a word, like "mobolanium." Then alternate each letter and numeral to create a password. You may get something like "m9o7b5o3l2a1n4i6u5m". It might not be everything that ECS-Continuity offers in its two-factor password access schemes. But it's got CIA. However, like the other CIA, if you tell it you'll have to kill someone -- or at least a system.
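Hardwick's scheme is simple enough to write down as a procedure, which makes it easy to check that what you typed is what you meant. The following is an added example, not code from the original post or from Hardwick: it interleaves a made-up word with the digits of a number, reproduces the post's sample password from the word "mobolanium" and the nine digits that appear in that sample (975321465, an assumption read off the sample), and splits a password back into its two parts.

```python
"""Added example of the interleaving scheme described in the post.

Not code from the original post or from Steve Hardwick. The word and number
used below are taken from the post's own sample password.
"""
from itertools import zip_longest


def interleave_password(nonsense_word: str, memorable_number: str) -> str:
    """Alternate letter, digit, letter, digit ... starting with the word.

    When one input is longer than the other, the leftover characters are
    appended in order. The post's sample has ten letters and nine digits,
    so it ends on a letter.
    """
    if not nonsense_word.isalpha():
        raise ValueError("nonsense word must contain only letters")
    if not memorable_number.isdigit():
        raise ValueError("memorable number must contain only digits")
    pairs = zip_longest(nonsense_word, memorable_number, fillvalue="")
    return "".join(letter + digit for letter, digit in pairs)


def recover_parts(password: str) -> tuple:
    """Split an interleaved password back into (word, number).

    The Integrity and Availability properties the post credits this scheme
    with depend on both parts being reproducible from memory; recovering
    them from a typed password is a quick way to confirm nothing was mistyped.
    """
    word = "".join(ch for ch in password if ch.isalpha())
    number = "".join(ch for ch in password if ch.isdigit())
    return word, number


if __name__ == "__main__":
    # Constructed inputs: the post's word "mobolanium" and the digits
    # 975321465 read off its sample password.
    pw = interleave_password("mobolanium", "975321465")
    print(pw)                 # m9o7b5o3l2a1n4i6u5m
    print(recover_parts(pw))  # ('mobolanium', '975321465')
```

The scheme is a memorability aid, not a substitute for the two-factor access the post mentions: the interleaved result is only as secret as the word and number behind it.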