
Simple Security is Effective Security

Today’s Threats

Keeping corporate information safe is a tough problem. Threats to the security of our digital assets are virtually limitless, and in reality we can only hope to reduce the likelihood of the threats that are most relevant to us.

So what threats should concern us?

One of the most commonly exploited weaknesses, and a fixture of the SANS top ten vulnerabilities, is the badly chosen password. A system with weak password policies is easy pickings for an attacker; CERT estimates that 80% of all network security problems are caused by bad passwords.

Dan King-Britton, CISSP, PassGo Technologies

Password Strength

The solution would seem straightforward enough: make sure our users choose passwords that are unlikely to be guessed easily—reject passwords shorter than a certain length; insist on a combination of letters, numbers and symbols; reject values containing two or more repeating characters; and force the passwords to be changed regularly.

By enforcing strict password rules we can make it very unlikely that an attacker will break in by guessing a password.

The Burden of Multiple Passwords

Unfortunately, by demanding complicated passwords, we also make it harder for our users to remember the passwords they’ve chosen. The problem is exacerbated by the fact that the average user, according to a recent SearchSecurity.com survey, must memorize not one, but upwards of six complex regularly-changing passwords; the temptation to write the passwords down is overwhelming.

It’s a long-held maxim that the security of any information system is only as strong as its weakest link. If a user writes his password on a sticky note, the effectiveness of the system’s authentication mechanism is immediately reduced to the visibility of that sticky note. In effect, our solution has backfired: we’ve actually made it harder for users to uphold the security of the system. Then there’s the cost of fielding the Helpdesk calls from users who have forgotten their passwords. According to Jim Hurley of the Aberdeen Group, labor costs for configuring and maintaining password systems for a large enterprise can rise to as much as $350 per user. For an organization of any size this can represent a significant additional cost.

There have been various approaches to the multiple password problem since it became an issue for big business in the 1990s.

Client-Server vs. Desktop Architectures

The client-server architecture enables administrators to centralize the control of enterprise password management. A user’s passwords and login scripts are held at the server, and these are sent to the client in response to an authenticated request. Client software then plays the credentials into the application login dialog via a customized script, and the user is logged on automatically to the application.

A notable and popular example of the client-server approach is Kerberos. Kerberos is a public protocol employed by Windows 2003 and most UNIX implementations. A client requests a ticket from a Kerberos server to access a particular application. The server responds with a ticket, which the client can then use to prove the user’s identity to the destination application or server. The legitimate user is granted access to the desired application without having to remember the application password, and without any passwords flowing in clear text across the network.
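The ticket exchange described above, reduced to its essentials as an added example (this is not PassGo's code and not a Kerberos implementation: it collapses the two real Kerberos exchanges into a single ticket request, omits pre-authentication, and uses a constructed toy cipher in place of Kerberos's AES encryption types). The principal names, passwords and the `seal`/`unseal` helpers are this example's own. What it shows is the property the paragraph claims: the user's password is only ever used locally to open the KDC's reply, the ticket is opaque to the client, and the service accepts the user without any password crossing the network.

```python
import hashlib
import hmac
import json
import os
import secrets
import time


# Toy authenticated encryption: SHA-256 keystream XOR plus an HMAC tag (encrypt-then-MAC).
# Constructed for this illustration only; real Kerberos uses standardised AES encryption types.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt and authenticate a small JSON object under a shared key."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str) -> bytes:
    # Each principal's key is derived from its password once, at enrolment (toy derivation).
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Key Distribution Centre: knows every principal's long-term key and issues tickets."""

    def __init__(self, principals: dict):
        self.keys = {name: long_term_key(pw) for name, pw in principals.items()}

    def ticket_request(self, client: str, service: str, lifetime: int = 300):
        session_key = secrets.token_bytes(32).hex()
        expiry = int(time.time()) + lifetime
        # The ticket is opaque to the client: only the service can read it.
        ticket = seal(self.keys[service], {"client": client, "key": session_key, "expiry": expiry})
        # The reply is readable only with the client's key, so the password never crosses the wire.
        reply = seal(self.keys[client], {"service": service, "key": session_key, "expiry": expiry})
        return ticket, reply


def client_authenticator(password: str, reply: bytes) -> bytes:
    """Client side: recover the session key from the reply and prove possession of it."""
    grant = unseal(long_term_key(password), reply)  # ValueError if the password is wrong
    return seal(bytes.fromhex(grant["key"]), {"client_time": int(time.time())})


def service_verify(service_password: str, ticket: bytes, authenticator: bytes, skew: int = 60) -> str:
    """Service side: open the ticket, then check the authenticator with the session key inside it."""
    t = unseal(long_term_key(service_password), ticket)
    if t["expiry"] < time.time():
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if abs(auth["client_time"] - time.time()) > skew:
        raise ValueError("authenticator outside the allowed clock skew")
    return t["client"]


def demo() -> str:
    # Constructed principals: one user and one service, both enrolled with the KDC.
    kdc = KDC({"alice": "correct horse battery staple", "mail/srv1": "service-enrolment-secret"})
    ticket, reply = kdc.ticket_request("alice", "mail/srv1")
    authenticator = client_authenticator("correct horse battery staple", reply)
    return service_verify("service-enrolment-secret", ticket, authenticator)


if __name__ == "__main__":
    print("service accepted user:", demo())
```

Two design points matter for a deployment. The ticket carries its own expiry and the authenticator carries a timestamp, which is what bounds the damage from a captured ticket; and because the KDC here answers any request, only the holder of the client's key can use the reply, which is why production Kerberos adds pre-authentication before issuing anything.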

Other vendors offer a desktop solution. Typically, with this scheme, the system administrator would write or customize login scripts for each application and distribute them to their end-users. The client software would manage the various passwords belonging to the user, and run the script to play the credentials into the login dialog when an application is launched.

Password Management vs. Password Synchronization

Most attempts to address the problem have adopted the Password Management approach, where a user’s many passwords are held in safe storage and retrieved, as needed, during the application login process. Password Synchronization, on the other hand, gives similar functionality, without the need for client software. When one of the user’s passwords is changed, all the other passwords belonging to the user automatically change with it. Although the user is not logged on to his applications automatically, he only need remember a single, well-chosen password.

There are weaknesses with the password synchronization approach: it assumes that all systems apply the same stringency to password quality, which is often not the case. It also reduces the effective security to that of the weakest system: once an attacker can crack a password by subverting the weakest point in the system, every system to which the legitimate user had access is now accessible to the attacker, and the game’s over. This is known as the Keys to the Kingdom problem.

Despite these shortcomings, password synchronization has made for a popular and less-expensive alternative for those organizations with a consistent implementation of security policy across a network.
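Two of the points above, the password rules from the Password Strength section and the "same stringency on every system" assumption of synchronization, can be made concrete in one added example (this is illustrative code, not PassGo's or Syncom's). It checks a password against the four rules the article lists (length, character mix, repeated characters, maximum age), then shows what a synchronization server ought to compute before propagating a change: the strictest combination of every target's policy, whether such a password can exist at all, and which target is the weakest link. The `Policy` fields, the sample targets and the reading of "repeating characters" as two identical characters in a row are this example's assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    """Password rules of one target system. Field names are this example's own."""
    name: str
    min_length: int
    max_length: int              # longest value the system really stores; older ones truncate
    required_classes: frozenset  # subset of {"lower", "upper", "digit", "symbol"}
    max_age_days: int


CLASS_PATTERNS = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password(pw: str, policy: Policy, last_changed: date, today: date) -> list:
    """Return the rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length}: {policy.name} would truncate it")
    missing = [c for c in sorted(policy.required_classes) if not re.search(CLASS_PATTERNS[c], pw)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    if re.search(r"(.)\1", pw):  # the article's 'repeating characters', read as two in a row
        problems.append("contains a repeated character")
    if today - last_changed > timedelta(days=policy.max_age_days):
        problems.append(f"older than {policy.max_age_days} days and must be changed")
    return problems


def combined_policy(policies: list) -> Policy:
    """The strictest rule set a synchronized password must satisfy on every target at once."""
    return Policy(
        name="+".join(p.name for p in policies),
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        required_classes=frozenset().union(*(p.required_classes for p in policies)),
        max_age_days=min(p.max_age_days for p in policies),
    )


def feasible(policy: Policy) -> bool:
    """False when no password can satisfy every target, e.g. one truncates below another's minimum."""
    return policy.min_length <= policy.max_length


def weakest_link(policies: list) -> Policy:
    """The loosest target: with synchronization, a guess that works there works everywhere."""
    return min(policies, key=lambda p: (p.min_length, len(p.required_classes)))


# Constructed sample targets (not real product configurations).
WINDOWS = Policy("windows", 8, 127, frozenset({"lower", "upper", "digit", "symbol"}), 90)
LEGACY_UNIX = Policy("legacy-unix", 6, 8, frozenset({"lower"}), 365)  # crypt(3)-era 8-char limit
DIRECTORY = Policy("ldap", 10, 128, frozenset({"lower", "upper", "digit"}), 60)


def sync_report(pw: str, policies: list, last_changed: date, today: date) -> dict:
    """What a synchronization server should decide before propagating a change to its agents."""
    combined = combined_policy(policies)
    return {
        "feasible": feasible(combined),
        "weakest": weakest_link(policies).name,
        "problems": check_password(pw, combined, last_changed, today),
    }


if __name__ == "__main__":
    targets = [WINDOWS, LEGACY_UNIX, DIRECTORY]
    print(sync_report("Tr0ub4dor&3x", targets, date(2024, 1, 1), date(2024, 2, 1)))
```

With the three sample targets the combined policy is infeasible: the directory demands at least 10 characters while the legacy system stores only 8, so every synchronized password is either rejected by one or silently truncated by the other. That is the Keys to the Kingdom problem in numbers, and it is exactly the check worth running before deciding that synchronization suits a given estate.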

Simplicity of Design

The various attempts to solve the multiple password problem over the years have had success to varying degrees, but most have missed a fundamental point: that a secure system is one that is simple to manage and easy to use.

Many systems, for example, require system administrators to write scripts to automate login to each application. This is not a straightforward task, and one that is prone to error.

Client-Server systems in particular typically demand a high degree of administration, and don’t scale easily. Kerberos, for instance, addresses the multiple password problem well, and offers many other benefits such as secure transmission of passwords and host-to-host authentication mechanisms. But this functionality comes at a price: each application must be configured (Kerberized) to support the scheme, which may not necessarily be possible for all applications; also, to establish trust relationships between servers, clients and applications, a number of cryptographic keys must be generated and exchanged.

In general, the more complex a system is to configure, the harder it is to configure securely. Bundling host-to-host authentication, traffic encryption, complex scripting, two-factor user authentication, and single sign-on into a single package may look impressive, but it’s bad for security. The new age of Identity Management solutions needs to deliver manageability and ease-of-use, each component addressing a single problem with a single solution. In Schneier’s words, “Complexity is the worst enemy of security. A system is only as secure as the weakest link, so a system with fewer links is easier to secure. Complex systems are less secure than simple ones, guaranteed”.

PassGo Technologies offer a suite of next-generation, lightweight, easy-to-administer, scalable modules to tackle the multiple password problem:

Syncom

Uses password synchronization to propagate a user’s password changes across a range of platforms. Password changes are sent to a Syncom Plus server, which propagates the changes to a number of synchronization agents. The synchronization agents then execute the password changes locally. Syncom Plus supports Windows, AIX, Solaris, Linux, HP, Oracle, Sybase, Lotus Domino, Netscape Directory Server, LDAP Directory Servers, Lotus Notes, and many other platforms and applications.

Separate components manage the login and password change mechanisms in a NetWare/Windows mixed environment, including synchronization with z/OS user accounts.

SSO Plus

A Windows-based desktop module, which automatically captures passwords typed into an application, and plays the appropriate credentials back the next time the application is launched, using PassGo’s “window watcher” technology. It supports Windows applications and dialogs, including cross-domain authentication, Lotus Notes password authentication, console and command-line applications such as telnet and ftp, authentication to web portals and 3270 emulators. No administration or script-writing is required. Passwords are stored in encrypted form in the Local Security Authority (LSA) database.

Helpdesk Password Resync

The Web-based Helpdesk Password Resync module enables users to reset their Windows passwords. The user must have previously registered by answering a series of questions to which only he would know the answer. When the user forgets his password, he navigates to the Helpdesk Password Resync Web page, and answers a number of randomly chosen questions from his ‘question bank’. Having answered these correctly, the Windows password is reset, and the user can log into his Windows network as usual.
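The registration and challenge flow just described, as an added example of how such a self-service reset can be built defensively (this is not PassGo's code and says nothing about how Helpdesk Password Resync stores its data). Answers are stored only as salted PBKDF2 hashes, compared in canonical form so that "Rex" and "rex " match, every challenged answer is checked before the result is reported, and repeated failures lock the user out. The question texts, iteration count, lockout threshold and the account store used by `reset_password` are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumption: pick a cost your helpdesk server can afford per attempt


def _normalise(answer: str) -> str:
    # Users retype the same answer with different case or spacing; compare a canonical form.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class QuestionBank:
    """One user's registered questions: a per-answer salt and hash, never the answer itself."""
    records: dict = field(default_factory=dict)  # question -> (salt, hash)
    failed_attempts: int = 0


def register(questions_and_answers: dict) -> QuestionBank:
    bank = QuestionBank()
    for question, answer in questions_and_answers.items():
        salt = secrets.token_bytes(16)
        bank.records[question] = (salt, _hash_answer(answer, salt))
    return bank


def challenge(bank: QuestionBank, how_many: int = 3) -> list:
    """Pick a random subset of the user's questions for this reset attempt."""
    how_many = min(how_many, len(bank.records))
    return secrets.SystemRandom().sample(sorted(bank.records), how_many)


def verify(bank: QuestionBank, answers: dict, max_attempts: int = 5) -> bool:
    """Every challenged answer must match; lock the user out after repeated failures."""
    if bank.failed_attempts >= max_attempts or not answers:
        return False
    ok = True
    for question, given in answers.items():
        if question not in bank.records:
            ok = False
            continue
        salt, expected = bank.records[question]
        # Check every answer (no early exit) with a constant-time comparison.
        if not hmac.compare_digest(_hash_answer(given, salt), expected):
            ok = False
    if ok:
        bank.failed_attempts = 0
    else:
        bank.failed_attempts += 1
    return ok


def reset_password(bank: QuestionBank, answers: dict, accounts: dict, user: str, new_password: str) -> bool:
    """Reset only after a successful verification; `accounts` is a constructed stand-in for the directory."""
    if not verify(bank, answers):
        return False
    salt = secrets.token_bytes(16)
    accounts[user] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ITERATIONS))
    return True


if __name__ == "__main__":
    # Constructed sample registration for one user.
    bank = register({"first pet": "Rex", "birth town": "Oldtown", "first car": "Mini", "favourite teacher": "Mrs Jones"})
    asked = challenge(bank)
    print("questions for this attempt:", asked)
```

The `failed_attempts` counter belongs in persistent storage keyed by the user, not in memory, or a restart clears the lockout; and the reset itself should be logged with the questions asked, since a successful reset is the event an investigator most wants to see when an account is later disputed.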

For further information on these and other offerings from PassGo, visit the PassGo Web site at http://www.passgo.com or contact PassGo at sales@passgo.com.