Passwords in an Enterprise (or small business)

As the IT admin and part owner of a software startup, I’ve had to manage multiple servers and services. The domain controller is SBS2008, a WatchGuard firewall set up to use RADIUS to authenticate VPN against Active Directory, a Subversion repository, a MySQL DB backing a Redmine installation, multiple MS SQL Server DBs to back various development projects with SA accounts, an internal FTP, a slew of other local services, all in addition to the default local admin logons, bank account logons, QuickBooks, Amazon, GoDaddy, insurance websites, etc. The list goes on for about 40 discrete user accounts and passwords. Then, I have my personal passwords to deal with, like my iTunes account, Gmail, E*Trade, Quicken, bank account, Facebook, LinkedIn, home computer, etc.

In addition, for each of our consulting project installations, we have a slew of new passwords and user names for various computers and systems.

I had a simple system in 2000 or 2001: use the same password! Of course, this isn’t very secure, and it never quite worked, since each system or service had a slightly different password policy.

So, I started using a password management system. Meaning, of course, an Excel document with all of my passwords.

Then in 2009 I took classes for an MCITP program (the Windows Server admin certification program; they changed the name from MCSE for some reason), and one of the lecturers was a security expert who spoke about how nearly everyone uses “1” or “!” as their number or special character in a “complex” password. I was taken aback, because sure as hell I was doing that. He spoke about the need to use a password management system and to use passphrases. He also said it’s okay to write down your passphrase on a post-it note and put it in your wallet.

So, about passphrases and the wallet thing first. The reason passphrases were better than a simple password is that they are long, yet simple to remember. The lecturer spoke about how Windows XP and Server 2003 used an LM hash, which broke your password into two uppercase, zero-padded 7-character halves. So, it was super easy to crack with a brute force or time-memory trade-off algorithm; for example, this free application can crack LM hash passwords in a snap: http://ophcrack.sourceforge.net/. I cracked my home computer logon account with this software and freaked out about how easy it was. There is even a paid CUDA-accelerated version, for those with big NVIDIA cards.

The deal with a passphrase was that it is typically longer than 14 characters and really hard to brute force unless you are the NSA. Imagine your password is “don’t forget the Ajax”. That is 22 characters, really fast to type, and really hard to crack. In addition, if you wrote it down on a post-it note and kept it in your wallet, there is a good chance the guy who stole it thinks it’s a shopping reminder, not a password.

However, you can’t remember so many different passphrases for so many different sites (I won’t even talk about how bad it is to use the same password for every account). Here is where a password management system comes into play.

For Three Byte, I set up Passwordstate; it’s free for 10 users or less, and totally awesome. It allows you to authenticate against Active Directory to access the password site, and from there you can access passwords and user names for your other services. It requires SQL Server and IIS. This system uses 256-bit AES encryption in the database, and some local .NET methods to further obscure the password. It allows you to share your passwords with other users, and it logs each time a password was copied to the clipboard or viewed. It allows you to set time limits on the passwords, so you can keep them fresh. Just what the CIA needs, I think. I’ll use it for all my major AV installations and recommend its use to anyone who needs this kind of system.

FYI, this screenshot is copied from the clickstudios.com site, so no hacker can see the user accounts we actually use!

My buddy Geoff, who is a pilot in the Air Force, tells me about super stringent password requirements, such that many people create a new password by simply hitting the characters on the keyboard from left to right (starting at 1), top to bottom (ending at z), alternating with the shift key to generate the password. If only they were taught why and how to secure passwords.
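An added example, not code from the original post, that turns the three habits discussed above (an LM hash existing for passwords of 14 characters or fewer, “1” or “!” as the only digit or special character, and the shifted keyboard walk Geoff describes) into a small audit function you could run over a password list before it reaches a domain. The sample passwords and the US-keyboard row layout are constructed assumptions for the demo.

```python
import string
from typing import List, Optional, Tuple

# Added example, not from the post. Sample passwords below are constructed.

LM_MAX_LEN = 14  # an LM hash covers at most 14 bytes, hashed as two 7-byte halves

# US keyboard rows typed left to right, top to bottom: "starting at 1, ending at z".
KEYBOARD_WALK = "1234567890" + "qwertyuiop" + "asdfghjkl" + "zxcvbnm"
# Undo the shift key on the digit row so "1@3$..." compares equal to "1234...".
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")


def lm_halves(password: str) -> Optional[Tuple[bytes, bytes]]:
    """Reproduce the LM preprocessing the post describes: uppercase, zero-pad to
    14 bytes, then split into two halves that are hashed (and cracked) independently.
    Returns None for passwords over 14 characters, since Windows XP/2003 store no
    LM hash for those at all; that is why a 15+ character passphrase helps."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().encode("latin-1", "replace").ljust(LM_MAX_LEN, b"\x00")
    return padded[:7], padded[7:]


def audit_password(password: str) -> List[str]:
    """Return the weaknesses found; an empty list means none of the post's traps apply."""
    findings = []
    # 1. Short enough that an LM hash (two crackable 7-char halves) would exist.
    if len(password) <= LM_MAX_LEN:
        findings.append("lm-exposed")
    # 2. The lecturer's observation: "1" as the only digit, "!" as the only special.
    if {c for c in password if c.isdigit()} == {"1"}:
        findings.append("only-digit-is-1")
    if {c for c in password if c in string.punctuation} == {"!"}:
        findings.append("only-special-is-!")
    # 3. Geoff's colleagues: a keyboard walk, with or without alternating shift.
    normalized = password.translate(UNSHIFT).lower()
    if len(normalized) >= 6 and normalized in KEYBOARD_WALK:
        findings.append("keyboard-walk")
    return findings


if __name__ == "__main__":
    for pw in ["Password1", "Summer2009!", "1@3$5^7*9)qWeRtY", "don't forget the Ajax"]:
        print(repr(pw), lm_halves(pw), audit_password(pw))
```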

For more resources on secure passwords, just google it.