Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 131

Classical Password Policies—and Pitfalls


Human beings just aren't good at creating a short, seemingly random string of text that makes a strong password: one that is hard to guess yet easy for its owner to remember. Despite this, many early ideas about password security became institutionalized, as reflected in their presence as security policy options in nearly all modern operating systems. These include the following:

 Complexity, usually interpreted as requiring a mix of letters, symbols, and numbers, which users most often satisfy by transforming a correctly spelled word into a supposedly secure one

 Minimum length, which may be as short as eight characters but is more commonly 12 to 16

 Reuse limitations, prohibiting reuse of any of the user's last three to five passwords

 Prohibitions on commonly used words, such as names of days or months, names of sports teams, popular expressions, or other words in a restricted dictionary

One problem with these policies is that they may lead users to create passwords that are too complex for a human to guess yet easy for password-cracking tools to recover. Consider a password like “@u28&iza710n.” A single-CPU cracker might need about 200 years to recover it, and the figure is that low, for a 12-character string of letters, digits, and symbols, precisely because the string is only a few short transformations away from the word authorization: rule-based crackers try exactly such mangled dictionary words long before they resort to brute force. Swapping the front and back halves of the string does improve its strength, to roughly 76,000 years of single-CPU work factor, but in doing so makes the password harder to remember.
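To make the point concrete, here is an added example (written for this page, not code from the book or from (ISC)2) that puts a textbook complexity policy beside a check that takes the cracker's view of the same string: undo common "leet" substitutions, then count how many single-character edits separate the result from a dictionary word. The wordlist, the substitution table, the four-edit threshold, and the function names are all assumptions chosen for illustration; the year figures quoted above come from the book and are not something this code computes.

```python
"""Added example: a classic complexity policy accepts "@u28&iza710n";
a check that mimics a rule-based cracker's normalization finds it
four edits from "authorization" and rejects it."""
import string

# Constructed stand-in for the wordlists crackers use (those run to millions of entries).
WORDLIST = ["authorization", "authentication", "password", "welcome",
            "january", "football", "dragon", "liverpool"]

# Common leet substitutions, reversed. Assumed table; real cracker rule sets
# (hashcat/John-style) apply far more mangling than this.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})

MIN_LENGTH = 12   # a policy choice from the text's 12-to-16 range
MAX_EDITS = 4     # "a few short transformations" (assumed threshold)


def passes_classic_policy(password: str) -> bool:
    """The institutionalized rules: minimum length, three of four character
    classes, and a banned-word test. The banned-word test is the usual exact,
    case-insensitive comparison, which is what lets disguised words through."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return (len(password) >= MIN_LENGTH
            and sum(classes) >= 3
            and password.lower() not in WORDLIST)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions, and
    substitutions that turn a into b (standard dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]


def nearest_dictionary_word(password: str) -> tuple:
    """The attacker's view: undo leet substitutions, then find the dictionary
    word fewest edits away. Each remaining edit is one cheap mangling rule."""
    normalized = password.lower().translate(UNLEET)
    return min(((w, levenshtein(normalized, w)) for w in WORDLIST),
               key=lambda pair: pair[1])


def passes_cracker_aware_policy(password: str) -> bool:
    """Classic rules plus: reject anything within MAX_EDITS of a dictionary word."""
    if not passes_classic_policy(password):
        return False
    _, distance = nearest_dictionary_word(password)
    return distance > MAX_EDITS


if __name__ == "__main__":
    # The book's example and its halves-swapped variant.
    for pw in ("@u28&iza710n", "iza710n@u28&"):
        word, d = nearest_dictionary_word(pw)
        print(f"{pw!r}: classic={passes_classic_policy(pw)} "
              f"nearest={word!r} edits={d} "
              f"cracker_aware={passes_cracker_aware_policy(pw)}")
```

Run stand-alone, the script shows "@u28&iza710n" passing every classic rule while sitting four edits from "authorization"; the swapped string passes both checks because it no longer resembles any word on the list. Swapping a real cracker's wordlist and rule set for the toy ones here only widens the gap the book describes.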

Another problem with all of these policies is that they assume a shared human understanding of what makes a chosen string of text, complete with special characters and misspellings, a nonobvious choice for a password. The experts don't agree; how, then, can a billion users guess correctly? This is why typical users see such an incredible range of different password policy requirements across the websites and systems they interact with every day.

The stronger we attempt to make our password policies, the greater the frustration for our end users; and experience tells us that frustrated end users will find ways to cheat the system (writing passwords down, or changing only the trailing digit at each forced reset) and in doing so weaken its security.

And no matter how complex we make our passwords (or passphrases), if they are easy for us to type they are also vulnerable to a quick peek from a shoulder-surfer. That peek doesn't have to capture the entire phrase, just enough of it to let a puzzle-minded attacker combine intuition, open source knowledge of you and your personal history and habits, and knowledge of the job or system you're working with, and feed some smart guesses into a favorite cracking tool.

Complexity rules also risk creating a false sense of security for administrators, users, and organizational senior leadership alike. More often than not, passwords that humans can select and use under such rules are broken quickly by modern cracking tools, especially those backed by GPU rigs or by botnets of compromised machines that massively boost their computational capacity.

Passwords are useful as a first authentication step—but they should never be the one and only step.

Password managers are software tools that give users a one-stop way to store, manage, and use all of their access credentials across many different platforms, systems, and websites. They are typically used as browser extensions that fill in the user's credentials automatically when the browser navigates to a web page the manager knows. They encrypt the stored user IDs and passwords/passphrases in a local file (often called a vault), under a key derived from the user's master password. They can also store and manage local device login information, such as the usernames, IP or MAC addresses, and passwords for a small office/home office (SOHO) router or modem or for other devices on the user's local area network. A single set of access credentials, typically an email address and a master password, unlocks the vault and lets the manager respond to login prompts. Password managers also provide a variety of security-enhancing features, such as automatic generation of a unique, strong password for each login, routine testing of password strength and age, and multifactor authentication of the user when they attempt to access or use the vault.

It is important to distinguish an individual's use of a password manager from single sign-on (SSO) access to your systems. SSO does not depend on each application, platform, or system within your architecture having its own password defined for the user; all of them rely on a single authentication event. SSO is discussed in more detail later in the “Single Sign-On” section.

Using a password manager can provide greater security for an individual user, and organizations whose users must routinely access systems outside the organization may find it worthwhile to evaluate corporate deployment strategies for them. They can, however, lead to two novel and potentially catastrophic security failures if not configured and used properly.

 The first case, in which all of the user's passwords are compromised at once, occurs when the repository holding them is breached. This can happen if the master password is guessed or captured by an attacker on the user's system (the one your organization manages), or if the password manager vendor's central repository is breached. Proper encryption of the repository at rest and in motion protects against the second case only to the extent that the master password, and the key-derivation function applied to it, resist offline guessing against the stolen vault; no encryption helps in the first case, once an attacker holds the master password itself. This is a significant risk that must be addressed, by requiring a long, unique master passphrase and multifactor authentication for vault access.

 Password managers entail another, much simpler risk: the user may forget the master password. Eventual recovery might be possible, depending on the product, but some operational disruption is certain, and a vault the vendor genuinely cannot decrypt is, by the same token, one the vendor cannot recover for you. Recovery also requires users (individual or corporate) to place great trust in their password manager vendor, the recovery agent, or both.
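The first failure case above hinges on what "proper encryption" actually buys. As an added example (written for this page, not code from the book, (ISC)2, or any real password manager), the following Python derives a vault key from a master password with PBKDF2-HMAC-SHA256 from the standard library and stores an unlock verifier, then runs the attack an adversary holding a stolen vault file would run: guess master passwords offline until one unlocks it. The verifier stands in for the encrypted vault body (an attacker would equally test each guess by attempting decryption); the iteration count, the wordlist, and all names are assumptions.

```python
"""Added example: a stolen password-manager vault is only as strong as its
master password against offline guessing. The KDF work factor slows each
guess; it cannot stop a short wordlist from reaching a weak master."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Kept small so the example runs instantly. Real vaults use hundreds of
# thousands of PBKDF2 iterations (or Argon2/scrypt) precisely to make the
# attacker's loop below expensive.
ITERATIONS = 2_000
CHECK_LABEL = b"unlock-check"


@dataclass(frozen=True)
class VaultHeader:
    """What an attacker gets when the vault file is stolen: nothing secret,
    but enough to test master-password guesses offline."""
    salt: bytes
    iterations: int
    verifier: bytes   # HMAC(vault_key, CHECK_LABEL)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    # The per-vault salt stops precomputed tables; iterations set the per-guess cost.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_header(master_password: str, iterations: int = ITERATIONS) -> VaultHeader:
    """Create a vault header. In a real manager the same key also encrypts the
    credential entries; here the verifier alone plays that role."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return VaultHeader(salt, iterations,
                       hmac.new(key, CHECK_LABEL, "sha256").digest())


def unlocks(header: VaultHeader, candidate: str) -> bool:
    """Legitimate client and attacker use the identical test."""
    key = derive_vault_key(candidate, header.salt, header.iterations)
    return hmac.compare_digest(hmac.new(key, CHECK_LABEL, "sha256").digest(),
                               header.verifier)


def offline_guess(header: VaultHeader,
                  wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Attacker's loop over a stolen header.
    Returns (recovered master password or None, number of guesses tried)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if unlocks(header, guess):
            return guess, tried
    return None, tried


# Constructed wordlist of the kind of master passwords people actually pick.
COMMON = ["123456", "password", "qwerty", "letmein", "Password1!",
          "Summer2023!", "correct horse"]


def demo():
    """Weak master: recovered after a handful of guesses.
    Long random passphrase: the same wordlist finds nothing."""
    weak = make_header("Password1!")
    strong = make_header("plover-granite-UNLIT-cabbage-47")
    return offline_guess(weak, COMMON), offline_guess(strong, COMMON)


if __name__ == "__main__":
    weak_result, strong_result = demo()
    print("weak master   :", weak_result)
    print("strong master :", strong_result)
```

Two things follow for the practitioner. First, raising the iteration count multiplies the cost of every guess in `offline_guess` but changes nothing about which masters are on the attacker's list, so the master passphrase must be long and unique in its own right. Second, none of this applies to the other breach path the text names: a master password guessed or captured on the user's own machine skips the loop entirely, which is why multifactor authentication for vault access matters as much as the encryption.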

