Did You Forget Your Password?
In a “Star Trek: Voyager” episode, a character trying to explain the perils of a Borg alliance relates an ancient parable of the scorpion crossing the river on the back of a turtle. Despite promises of a safe journey, the scorpion stings the turtle, offering an excuse that can’t be argued with: “It’s my nature.”
No matter how much you try to caution users, they will always forget passwords or misplace a key fob. Like the doomed scorpion, it’s their nature; like the turtle, IT pros still try to help.
From an administrative perspective, there’s one thing worse than having multiple passwords for multiple systems—having to manage normal users who need their passwords reset. The obvious solution would be to implement some sort of single sign-on (SSO). Enterprise system ownership, political turf concerns, cost and homegrown applications make complete SSO adoption nearly impossible in large organizations. Another solution is the plethora of user-controlled password-reset software. In the past few years, these products have become increasingly popular and ubiquitous. It’s no wonder: Several studies have shown that anywhere from 40 percent to 50 percent of help-desk calls are for password problems. Most of those are for resets.
Of course, these programs are dependent on the operating system. Many are parts of larger suites; some are separable. Some are free: NetVision’s Password Self-Service Manager for eDirectory resets passwords through a Web browser using challenge questions, enforces password rules, includes a hyperlink and is part of NetVision’s larger NVIdentity suite, which isn’t free. Novell’s eGuide, a simple gadget or portal that comes with eDirectory, includes a simple password reset, but only users who already know their password can use it. As with any enterprise purchase, you need a budget (typically priced per seat), a list of must-have features and a list of nice-to-have features.
When evaluating products, you will want to ask the following questions:
- What is the interface—browser, telephone, OS client, etc.? Is this something your users will like? Do you need multiple interfaces?
- Do you need multiple platform support?
- Is there e-mail notification?
- Can you turn on an audit trail?
- How is the database encrypted?
- Can you enforce strong passwords—configurable beyond standard OS capabilities?
- Are links between client and server encrypted (SSL)?
- Does the product modify the directory schema? With AD, particularly Server 2003, is the software ADAM (Active Directory/Application Mode) aware, or does it modify the schema?
The reset process itself must be secured. Chandelier, from www.littlecatz.com, doesn’t require a user login. Instead, it relies on multiple co-workers vouching for the affected employee. This could be a problem in a two-person office! Telephone-based password resets are an advantage for a mobile workforce. How much security can you implement over a telephone-based reset that won’t drive your users away? Password Station.net (www.avatier.com), PasswordCourier (www.courion.com) and P-Synch (www.mtechit.com) all support telephone-based resets, depending on modules ordered.
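The co-worker vouching model and the audit-trail question from the checklist above can be sketched in a few dozen lines. The following is an added illustration, not Chandelier’s or any other vendor’s code; the directory, the names, the quorum of two and the rule that vouchers must be active accounts in the requester’s own department are all constructed assumptions. It also handles the two-person-office case by refusing, and logging, a request whose quorum can never be met.

```python
"""Quorum-based password reset with an audit trail (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Constructed sample directory: department membership and account status.
DIRECTORY = {
    "alice": {"dept": "finance", "active": True},
    "bob":   {"dept": "finance", "active": True},
    "carol": {"dept": "finance", "active": True},
    "dave":  {"dept": "finance", "active": False},  # departed; must not be able to vouch
    "erin":  {"dept": "legal",   "active": True},   # the two-person office
    "frank": {"dept": "legal",   "active": True},
}


@dataclass
class ResetRequest:
    user: str
    opened_at: datetime
    vouchers: set = field(default_factory=set)
    token: Optional[str] = None


class VouchingResetService:
    def __init__(self, directory, required_vouchers=2, ttl=timedelta(minutes=30)):
        self.directory = directory
        self.required = required_vouchers
        self.ttl = ttl
        self.requests = {}   # user -> ResetRequest
        self.audit = []      # append-only trail, one dict per event

    def _log(self, event, **fields):
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "event": event, **fields})

    def eligible_vouchers(self, user):
        """Active co-workers in the same department, excluding the requester."""
        dept = self.directory[user]["dept"]
        return {name for name, rec in self.directory.items()
                if name != user and rec["active"] and rec["dept"] == dept}

    def open_request(self, user):
        rec = self.directory.get(user)
        if rec is None or not rec["active"]:
            self._log("reset_refused", user=user, reason="unknown_or_inactive")
            return "refused"
        if len(self.eligible_vouchers(user)) < self.required:
            # Quorum can never be reached (too few co-workers): refuse up front
            # and record it rather than leave a request hanging.
            self._log("reset_refused", user=user, reason="insufficient_vouchers")
            return "refused"
        self.requests[user] = ResetRequest(user, datetime.now(timezone.utc))
        self._log("reset_opened", user=user)
        return "opened"

    def vouch(self, user, voucher):
        req = self.requests.get(user)
        if req is None:
            self._log("vouch_rejected", user=user, voucher=voucher, reason="no_request")
            return "rejected"
        if datetime.now(timezone.utc) - req.opened_at > self.ttl:
            del self.requests[user]
            self._log("vouch_rejected", user=user, voucher=voucher, reason="expired")
            return "rejected"
        if voucher not in self.eligible_vouchers(user):
            self._log("vouch_rejected", user=user, voucher=voucher, reason="not_eligible")
            return "rejected"
        if voucher in req.vouchers:
            self._log("vouch_rejected", user=user, voucher=voucher, reason="duplicate")
            return "duplicate"
        req.vouchers.add(voucher)
        self._log("vouch_accepted", user=user, voucher=voucher, count=len(req.vouchers))
        if len(req.vouchers) >= self.required and req.token is None:
            req.token = secrets.token_urlsafe(16)  # single-use, delivered to the user out of band
            self._log("reset_token_issued", user=user, vouchers=sorted(req.vouchers))
            return "token_issued"
        return "accepted"

    def redeem(self, user, token):
        """Consume the token; writing the new password to the directory is out of scope here."""
        req = self.requests.get(user)
        if req is None or req.token is None or not secrets.compare_digest(req.token, token):
            self._log("reset_redeem_failed", user=user)
            return False
        del self.requests[user]  # single use
        self._log("reset_completed", user=user)
        return True
```

Every decision, including refusals, lands in `audit`, which is the property the checklist asks for: when a reset is later disputed, the trail shows who vouched and when.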
A related issue when configuring these types of products is how much security to require of your users. Most users would rebel at a change in policy to require 12- to 14-character, complex passwords. Sophisticated hacker dictionaries are readily available, as are cracking tools (e.g., Cain and Abel, www.oxid.it; Brutus, www.hoobie.net; L0phtCrack or LC 5, www.atstake.com). LC 5 now has several editions, including a security consultant’s license, the ability to audit networks and remediate weak passwords, support for both UNIX and Windows, and pre-computed hash tables of literally trillions of combinations.
One of the best descriptions of how insecure passwords are, even strong, encrypted ones, can be found at geodsoft.com/howto/password. This should be required reading for every administrator. The article gives specific rules about non-repeating characters and avoiding personal information, and reduces this advice to a single rule: Do not create any password from any single character sequence that is electronically accessible, and do not use any permutation of such a sequence.
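The rule above, together with the dictionary-and-cracker point from the preceding paragraph, can be turned into a policy check that goes beyond what the OS enforces. The following is an added example, not the article’s, geodsoft’s or any product’s code. It cannot test every permutation of every accessible sequence; it tests the transformations a cracking tool tries first (case folding, undoing “leet” substitutions, stripping appended digits and punctuation, reversal) against a wordlist plus the user’s own directory attributes. The wordlist, the substitution table and the thresholds are constructed assumptions.

```python
"""Password policy check in the spirit of the single rule quoted above (added example)."""
import string

# Constructed stand-in for a cracking dictionary; a real deployment would load a
# large wordlist and the user's directory attributes (name, login, phone, etc.).
WORDLIST = {"password", "welcome", "summer", "letmein", "qwerty", "dragon", "monkey"}

# Common "leet" substitutions, undone so that P@55w0rd collapses back to "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


class PasswordPolicy:
    def __init__(self, wordlist, min_length=12, min_classes=3, max_repeat=2):
        self.wordlist = {w.lower() for w in wordlist}
        self.min_length = min_length      # stricter than a typical OS default
        self.min_classes = min_classes    # out of: lower, upper, digit, other
        self.max_repeat = max_repeat      # longest run of one character allowed

    @staticmethod
    def _candidates(pw):
        """Forms a cracker derives from the password before a dictionary lookup."""
        forms = set()
        lowered = pw.lower()
        for s in (lowered, lowered.strip(string.digits + string.punctuation)):
            for t in (s, s.translate(LEET)):
                forms.update({t, t[::-1]})
        return {f for f in forms if f}

    @staticmethod
    def _longest_run(pw):
        """Length of the longest run of one repeated character."""
        longest = run = 0
        prev = None
        for c in pw:
            run = run + 1 if c == prev else 1
            longest = max(longest, run)
            prev = c
        return longest

    def check(self, pw, user_attrs=()):
        """Return the list of policy violations; an empty list means the password passes."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(any(test(c) for c in pw) for test in
                      (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
        if classes < self.min_classes:
            problems.append(f"fewer than {self.min_classes} character classes")
        if self._longest_run(pw) > self.max_repeat:
            problems.append(f"run of more than {self.max_repeat} identical characters")
        # The user's own login, name, etc. are "electronically accessible" sequences too.
        accessible = self.wordlist | {a.lower() for a in user_attrs if a}
        forms = self._candidates(pw)
        for seq in sorted(accessible):
            if any(seq == f or (len(seq) >= 5 and seq in f) for f in forms):
                problems.append(f"derived from accessible sequence {seq!r}")
                break
        return problems
```

The point of `_candidates` is that “P@55w0rd2004!” satisfies every length and complexity rule an OS ships with, yet a dictionary attack with a substitution table reaches it in seconds; the policy should reject it for the reason a cracker would find it, not just for being short.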
These musings are enough to drive any administrator to biometric scans or two-factor authentication, such as RSA’s SecurID (www.rsasecurity.com). The expense of these solutions explains their poor penetration at most companies, outside high-security areas. Implementing a strong password policy, with some self-service mechanism for management, will go a long way toward ensuring user acceptance and cooperation.
Douglas Mechaber, MCNE, MCSE, CCNA, BCSD, works for a health agency when he’s not consulting or writing. Send him your network problems and favorite utilities at firstname.lastname@example.org.