« Boot Camper laying down migration steps | Main | Who's got our history, and our future? »

August 06, 2014

Password advice for migrating managers

PasswordsStolenMore than a billion password-ID combos were stolen by a Russian gang, according to a report from a cybersecurity company. Mission-critical, revenue-centric passwords are probably the ripest targets.

Once you're making a migration of mission-critical systems from MPE to more-exposed servers, passwords will become a more intense study for you. Windows-based servers are the most exposed targets, so a migrated manager needs to know how to create high-caliber passwords and protect them. Given the headlines in current news, today's probably the day when you'll get more questions about how safe your systems are -- especially in the coming era of cloud computing. Here's some answers from our security expert Steve Hardwick.

By Steve Hardwick, CISSP
Oxygen Finance

Everything needs a password to access it. One of the side effects of the cloud is the need to be able to separate information from the various users that access a centrally located service. In the case where I have data on my laptop or desktop, I can create one single password that controls access to all of the apps that reside on the drive, plus all of the associated data. There is a one to one physical relationship between the owner and the physical machine that hosts the information. This allows a simpler mechanism to validate the user. 

In the cloud world it is not as easy. There is no longer a physical relationship with the user. In fact, a user may be accessing several different physical locations when running applications or accessing information. This has lead to a dramatic increase in the number of passwords and authentication methods that are in use. 

I just did a count of my usernames and passwords and I have 37 different accounts (most with unique usernames and password). Plus, there are several sites where I use the same usernames and password combinations. You may ask why are some unique and why are some shared. The answer is based on the risk of a username or password be compromised. If I consider an account to have a high value, high degree of loss/impact if hacked, then it gets a unique username or password. Let's look at email accounts as a good example.

I have a unique username and password for my five email accounts. However, I do have one email account that is reserved solely for providing a username for other types of access. When I go to a site that requires an email address to set up an account, that is the one I use. Plus I am not always selecting a unique password. The assumption is that if that username and password is stolen, then the other places it can be used are only website accounts of low value. I also have a second email account that I use to set up more sensitive assess, Google Drive, for example. This allows me to limit the damage if one of the accounts is compromised and not end up with a daisy chain of hacked accounts.

So how do you go about generating a bunch of passwords? One easy way is to go into your favorite search engine and type in password generator. You will get a fairly good list of applications that you can use to generate medium to strong passwords. When I used to teach security this was one trick I would share with my students. Write a list of 4 or 5 short words that are easy to remember. Since my first name is Steve we can use that. Add to this password a short number (4-5 digits in length),1999 for example. Now pick a word and number combination and intersperse the numbers and letters S1t9e9v9e would be the result of Steve and 1999.

Longer words and longer numbers make strong passwords -- phone numbers and last names works well. With 5 words and 5 numbers you get 25 passwords. One nice benefit of this approach comes when you need to change your password. Write the number backwards, and merge the word and data back together.

Next challenge: how to remember them all. Some of the passwords I use I tend to remember due to repetitive use. Logging into my system is one I tend to remember, even through it is 11 characters long. But many of my passwords I use infrequently, my router for example, and many have the “remember me” function when I log on. What happens when I want to recall one of these? Well the first thing is not to write them down unless you absolutely have to. You would be amazed how many times I have seen someone’s password taped on the underside of their laptop. A better option is to store them on your machine. How do you do that securely? Well there are several ways.

One easy way is to use a password vault or password manager. This creates a single encrypted file that you can access with a single username and password. Username and password combinations can then be entered into the password vault application together with their corresponding account. The big advantage is that it is now easy to retrieve the access data with one username and password. The one flaw is: what happens if the drive crashes that contains the vault application and data? If you use an encrypted vault, then you can place the resulting file on a cloud drive. This solved the machine dependency and has the added advatage that the password is generally available to multiple machines. If you want to get started with a password vault application, here is a good article that compares some leading products.

Another option is to roll your own. Create a text file and enter all of your account/username/password combinations. Once you are done, obtain some encryption technology. There are open source products, truecrypt is the leader, or you can use the encryption built into your OS. The advantage of using open source is that it runs on multiple OS. Encrypt the text file using your software. Caution: do not use the default file name the application gives you as it will be based on your text file name. 

Once you have created your encrypted file from the text file, open the text file again. Select all the text in the file and delete it. Then copy a large block of text into the file and save it (more then you had with the passwords). Then delete the file. This will make sure that the text file cannot easily be recovered. If you know how to securely delete the file do that instead. Now you can remotely store the encrypted password file in a remote location, cloud storage, another computer, USB drive etc. You will then have a copy of your password file you can recover should you lose access to the one on your main machine.

Now, if you do not want to use encryption, then there is a very geeky option. But why wouldn’t you use encryption? Most programs use specific file extensions for their encrypted file. When auditing, the first thing I would look for is files with encryption extensions. I would then look for any files that were similar in size or name to see if I could find out the source. This included looking through the deleted file history.

The other option is steganography, or stego for short. The simple explanation is the ability to bury information into other data - for example pictures. Rather than give a detailed description of the technology here, take a look at its Wikipedia page   There is also a page with some tools on it. For a long time, my work laptop had a screen saver that contained all my passwords. I am thinking of putting a picture up on Facebook next.

So here are a few simple rules on handling multiple passwords:

1) Try and use uniques usernames and password for sensitive account. You can use the same username password combination for low sensitive accounts.

2) Run through an exercise and ask yourself, what happens if this account is hacked. i.e don't use the same username and password for everything.

3) Do NOT write down your passwords to store them, unless you have a very secure place to store the document e.g. a safe.

4) Make sure you have a secure back-up copy of your passwords, use encryption or steganography.

05:55 PM in Migration, Newsmakers | Permalink

Bookmark and Share

No more trying to figure out what runs on
MPE/iX or where to find it. No more worrying
about availability! www.MPE-OpenSource.org
is all things MPE/iX: Open Source packages,
freeware, scripting, plus loads of tools
and information to keep your 3000 system
alive and thriving!

Comments

Comments

The comments to this entry are closed.