Thursday, August 25, 2005

How to communicate user IDs and passwords

NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY
08/25/05
Today's focus: How to communicate user IDs and passwords

Dear security.world@gmail.com,

In this issue:

* Risk analysis of system for telling users their IDs and
  initial passwords
* Links related to Security
* Featured reader resource
_______________________________________________________________
This newsletter is sponsored by Akamai
Download the Network World Special Report: Accelerating
Web-based Applications: Managed Services Offer Benefits Without
Infrastructure Headaches

Look at most companies and you'll find one thing in common, a
move to Web-enable mission critical applications. A new breed of
managed services, aimed directly at accelerating performance and
availability of Web-based applications, helps companies attain
their goals of profit and growth - no matter how far or wide the
audience they are trying to reach. Learn how Web-based
applications can allow your company to boost the bottom line.
Download this Special Report today!
http://www.fattail.com/redir/redirect.asp?CID=110779
_______________________________________________________________
THE ROI OF VOIP

When it comes to VoIP, most network managers are satisfied that
the technology works. But there are questions: What will the new
technology cost to roll out and support, and what benefits can
companies expect to reap? Check out NW's step-by-step guide on
how to determine the true cost and benefits of VoIP. Click here:
http://www.fattail.com/redir/redirect.asp?CID=110692
_______________________________________________________________

Today's focus: How to communicate user IDs and passwords

By M. E. Kabay

An acquaintance recently posed a practical question about
security procedures to me and it may be useful as an example of
risk analysis.

"Howard" (not the real name) wrote:

"I need some guidance on a security issue/concern.

"My corporation's network system is now being set up to generate
passwords based on a user's date of birth. For instance, if
Joseph Brown's birth date is July 17, 1955, his initial password
would be 071755. Typically the user names are generated by using
the first character of the first name followed by the first
seven characters of the last name. So, for example, Joseph
Brown's user name would be 'jbrown.'

"When we send new employees their user name and password, to
ensure they actually get the information, two e-mail messages
are sent to their non-company e-mail address and one printed
letter is sent to their home address. E-mail #1 contains the
user name, e-mail #2 (sent 30 to 60 minutes after e-mail #1)
contains the password, and the letter contains both.

"Our question is this. Is it more secure to send one e-mail
containing the actual user name and a subsequent e-mail
containing the actual password OR to send one e-mail containing
the user name and, contained within that one e-mail, an
explanation of the password schema without direct reference to
the password itself? For instance, this e-mail might say
something like 'Dear Joseph, your user name is < jbrown > and
your password is your six-digit birthdate in numeric values.'

"Neither of these is as secure as they should be, but which of
the above provides less opportunity for someone to 'steal' the
information? I can see the flaws and holes in both."

I answered Howard as follows:

It's so nice to see someone actually THINKING about security
issues! Congratulations!

The use of the birthday numbers as an initial password is an
awful idea - surely it would have been just as simple to use a
random-number generator - but never mind. Since the password has
to be changed immediately after the first use, it's really not a
huge problem. At worst, a (wo)man-in-the-middle attacker who
logs on fraudulently could send out a bunch of horrible e-mail
in the legitimate student's name, lock the account with another
password, and have the depredations discovered instantly when
the legitimate user tries to log on.

Best practice dictates that you not e-mail OR mail the user ID
and the actual _password_ in the same message.

We can be sure that the password generation _algorithm_ is not a
secret (everybody in the company is going to know it), so
sending it separately is pointless - there is little to be
gained by separating it from the user ID.

Therefore go ahead and send the user ID and the rule for
creating the password in the same message. However, you might
want to stipulate that the sequence is MMDDYY, since some people
prefer DDMMYY and others (the logical ones) use the obviously
superior and sortable (YY)YYMMDD.

Note that there is a small probability that a few people will
have entered their birthday incorrectly in the Human Resources
records and that therefore they will not be able to log on
successfully, but that problem will be resolved by the Help
Desk. The other risk is that birthdays are not generally viewed
as confidential information, so there may already be attackers
who know or can determine the birthday. The Human Resources
department also has lots of people who will be able to find the
birthday, but let's assume that we can trust them for a one-time
password.

On the whole, then, considering how wretched passwords are as a
means of authentication, sending the user ID and the algorithm
together is not as bad as sending the user ID and the actual
password, whether together or separately.
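The two points of the answer above - that a six-digit birthdate is a poor initial password compared with a random one, and that the message must name an ordering such as MMDDYY - can be made concrete with a small risk-analysis script. This is an added example, not code from the column or from Howard's company; it implements the user-name and password rules exactly as the letter describes them, and the 18-to-70 birth-year window used to size the search space, the 12-character random alternative, and the function names are assumptions chosen for illustration.

```python
import calendar
import datetime
import math
import secrets
import string

# User-name rule as described in the letter: first character of the first
# name followed by the first seven characters of the last name.
def make_user_name(first_name: str, last_name: str) -> str:
    return (first_name[:1] + last_name[:7]).lower()

# Initial-password rule as described in the letter.  The column stipulates
# MMDDYY; the other two orderings are here only to show how the same
# birthday yields three different strings if the message does not say which.
DATE_ORDERS = {"MMDDYY": "%m%d%y", "DDMMYY": "%d%m%y", "YYMMDD": "%y%m%d"}

def birthdate_password(dob: datetime.date, order: str = "MMDDYY") -> str:
    return dob.strftime(DATE_ORDERS[order])

def all_orderings(dob: datetime.date) -> dict:
    return {order: birthdate_password(dob, order) for order in DATE_ORDERS}

# Search space faced by someone who knows the scheme but not the birthday:
# the number of distinct calendar dates in a plausible employee birth-year
# window.  With a window shorter than 100 years every date maps to a
# distinct MMDDYY string, so counting days counts passwords.
def birthdate_keyspace(first_year: int, last_year: int) -> int:
    return sum(366 if calendar.isleap(y) else 365
               for y in range(first_year, last_year + 1))

def bits(keyspace: int) -> float:
    return math.log2(keyspace)

# The "random-number generator" alternative the column mentions.  Assumed
# alphabet and length; secrets (not random) is the right module for this.
ALPHABET = string.ascii_letters + string.digits

def random_initial_password(length: int = 12) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_keyspace(length: int = 12) -> int:
    return len(ALPHABET) ** length

# Side-by-side comparison for the risk analysis.  Hire year and age range are
# constructed assumptions (18 to 70 years old at hiring in 2005).
def compare(hire_year: int = 2005, min_age: int = 18, max_age: int = 70) -> dict:
    birthday_space = birthdate_keyspace(hire_year - max_age, hire_year - min_age)
    return {
        "birthdate_guesses": birthday_space,
        "birthdate_bits": round(bits(birthday_space), 1),
        "random12_bits": round(bits(random_keyspace(12)), 1),
    }

if __name__ == "__main__":
    # Constructed sample from the letter.
    joseph = datetime.date(1955, 7, 17)
    print(make_user_name("Joseph", "Brown"), all_orderings(joseph))
    print(compare())
    print("random alternative:", random_initial_password())
```

Running it reproduces the letter's `jbrown` / `071755` pair, shows that the same birthday reads `170755` or `550717` under the other orderings, and puts the birthdate scheme at well under 20 bits of search space against roughly 71 bits for a 12-character random password, which is the gap the column is pointing at when it calls the birthday scheme an awful idea.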

The top 5: Today's most-read stories

1. Zotob worm also targets Windows XP
<http://www.networkworld.com/nlsec5898>

2. Dr. Internet: Installing DHCP on Linux
<http://www.networkworld.com/nlsec5899>

3. Cisco preparing management play
<http://www.networkworld.com/nlsec5692nlsecuritynewsal5834>

4. IP PBXs outsell traditional PBXs, study says
<http://www.networkworld.com/nlsec5900>

5. Test: Xirrus XS-3900 offers out-of-this-world Wi-Fi capacity
<http://www.networkworld.com/nlsec5901>

Today's most-forwarded story:

IP PBXs outsell traditional PBXs, study says
<http://www.networkworld.com/nlsec5902>

_______________________________________________________________
To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the
Division of Business and Management at Norwich University in
Northfield, Vt. Mich can be reached by e-mail
<mailto:mkabay@norwich.edu> and his Web site
<http://www2.norwich.edu/mkabay/index.htm>.

New information assurance journal - Norwich University Journal
of Information Assurance (NUJIA). See
<http://nujia.norwich.edu/>
_______________________________________________________________
ARCHIVE LINKS

Archive of the Security newsletter:
http://www.networkworld.com/newsletters/sec/index.html

Security Research Center:
http://www.networkworld.com/topics/security.html

Instant sign-up for Security News Alert:
http://www.networkworld.com/isusecna

Instant sign-up for Virus & Bug Patch Alert:
http://www.networkworld.com/isubug
_______________________________________________________________
Webcast - IT security without compromise

Explore proven leadership approaches to IT security as leading
experts from Cisco Systems and Microsolved discuss how to
implement a comprehensive, integrated security architecture.
Find out more, watch now.
http://www.fattail.com/redir/redirect.asp?CID=110750
_______________________________________________________________
FEATURED READER RESOURCE
IT STAFF SHORTAGE LOOMING

Outsourcing. Automation. Downsizing. The industry has been awash
in unemployed IT pros. But experts are now predicting an IT
staffing crunch is just around the corner, and the implications
for U.S. technology innovation are sobering. What might be
causing the shortage and what might need to be done to prevent
it? Click here:
<http://www.networkworld.com/nlsecuritynewsal5838>
_______________________________________________________________
May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered
at your fingertips each day. Now, extend your knowledge by
receiving 51 FREE issues to our print publication. Apply
today at http://www.subscribenw.com/nl2

International subscribers click here:
http://nww1.com/go/circ_promo.html
_______________________________________________________________
SUBSCRIPTION SERVICES

To subscribe or unsubscribe to any Network World e-mail
newsletters, go to:
<http://www.nwwsubscribe.com/Changes.aspx>

To change your e-mail address, go to:
<http://www.nwwsubscribe.com/ChangeMail.aspx>

Subscription questions? Contact Customer Service by replying to
this message.

This message was sent to: security.world@gmail.com
Please use this address when modifying your subscription.
_______________________________________________________________

Have editorial comments? Write Jeff Caruso, Newsletter Editor,
at: <mailto:jcaruso@nww.com>

Inquiries to: NL Customer Service, Network World, Inc., 118
Turnpike Road, Southborough, MA 01772

For advertising information, write Kevin Normandeau, V.P. of
Online Development, at: <mailto:sponsorships@nwfusion.com>

Copyright Network World, Inc., 2005
