Security with Secret Phrases, Passwords, etc.

Over the weekend, I was reading different articles/blogs about how people think that passwords, no matter how long, are useless. These people write that their accounts (email, Apple, phone, bank, etc) were hacked even when they used long passwords.

When you reread the articles/blogs and analyze what they are saying, you realize that the password, long, short or whatever, is not the real problem. The real problem lies in several areas:

  • Secret phrases/questions – this WAS a great idea until social web sites (FaceBook, Google+, etc.) became popular. Now people are posting everything about themselves on social web sites. Typical secret questions are “Where were you born?”, “What is your favorite car?”, “What is your favorite color?”, etc. If a hacker is going to attempt to break into one of your accounts or pose as you when they call a help desk, the FIRST thing they are going to do is access ALL of your public information. If you post on your social web site that you love your Toyota Prius then anyone can guess that your favorite car is a Prius. D’oh!!
  • If you have multiple email accounts then make absolutely sure that for password resets, account “A” does not point to account “B” and account “B” does not point to account “A”. You need another email account that is never used except for email account resets. Why? Because if a hacker can compromise one account then they will easily compromise the other email account. But if you have password resets going to a third, otherwise unused email account, then you have just closed an avenue to the hacker.
  • People are using bad or easy-to-guess passwords. The top 2 passwords are “123456” and “password”. When I see this, all I can say is “are you kidding me!?!?”. I can’t believe that people are that lazy or, “cough”, how to put this politely, that dumb!!
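The second point above (account “A” resets to “B” and “B” resets to “A”) is easy to check mechanically once you write down where each mailbox sends its reset links. The following C program is an added example, not code from the post or from Capitalware: it walks each account's reset chain and reports any account whose chain arrives back at itself. The account names and the mapping are constructed sample data; the dedicated “recovery@example.com” mailbox resets nowhere, which is the third, otherwise unused account the post recommends.

```c
/* Added example (not the post's code): find e-mail accounts whose
 * password-reset chain leads back to themselves, i.e. the "A points to B
 * and B points to A" situation described above. Sample data is constructed. */
#include <stdio.h>
#include <string.h>

struct account {
    const char *name;       /* the mailbox */
    const char *resets_to;  /* where its reset links are delivered; NULL if none */
};

/* Constructed sample: two everyday mailboxes that reset to each other, one
 * that resets to a dedicated recovery-only mailbox, and that mailbox itself. */
static const struct account SAMPLE[] = {
    { "work@example.com",     "personal@example.com" },
    { "personal@example.com", "work@example.com"     },
    { "shop@example.com",     "recovery@example.com" },
    { "recovery@example.com", NULL                   },
};
static const int SAMPLE_LEN = (int)(sizeof SAMPLE / sizeof SAMPLE[0]);

/* Index of the account named `name` in t, or -1 if it is not listed. */
static int find_account(const struct account *t, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0) return i;
    return -1;
}

/* Returns 1 if following reset links from t[start] ever arrives back at
 * t[start], 0 otherwise. At most n hops are taken, so a loop that does not
 * pass through `start` still terminates. */
int reset_chain_loops(const struct account *t, int n, int start)
{
    int cur = start;
    for (int hop = 0; hop < n; hop++) {
        if (t[cur].resets_to == NULL) return 0;   /* chain ends: no loop */
        int next = find_account(t, n, t[cur].resets_to);
        if (next < 0) return 0;                   /* ends at an unlisted mailbox */
        if (next == start) return 1;              /* back where we began: loop */
        cur = next;
    }
    return 0;
}

/* Number of accounts in t that sit on a reset loop. */
int count_looping_accounts(const struct account *t, int n)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        count += reset_chain_loops(t, n, i);
    return count;
}

int main(void)
{
    for (int i = 0; i < SAMPLE_LEN; i++)
        printf("%-22s %s\n", SAMPLE[i].name,
               reset_chain_loops(SAMPLE, SAMPLE_LEN, i) ? "LOOPS BACK" : "ok");
    return 0;
}
```

Running it flags work@example.com and personal@example.com, while shop@example.com is fine because its chain ends at the recovery-only mailbox. The hop limit matters: without it, a loop that the starting account merely feeds into (A → B → C → B) would spin forever.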

So what does this mean for companies? I think it is time to get rid of secret phrases/questions. What should they be replaced with? That’s the million dollar question!!

  • The first idea that pops to mind is for these companies to use picture comparison and ask you what you like better (i.e. right-brain stuff rather than left-brain stuff). The online companies could show you 3 or 5 sets of picture questions. What kind of pictures? The companies could show you 2 similar pictures of a sunset: one over water and the other over land and ask you which do you like better. Of course, you need to remember what your choices are for the future. 🙂
  • Go with revolving passwords. Make the user have 3 to 5 passwords, and when the user logs in, the user must input a specific one, e.g. “What is your UserID and Password #2?”
  • Have questions related to their occupation (I don’t mean divulge job secrets). e.g. If you are a car mechanic then the question could be “At your location, what garage bay does wheel alignments?” Questions need to be more trivial, so that the information would not be posted online.

The bottom line is that the secret phrases/questions need to be more abstract (right-brain) rather than specific facts related to the user, since everybody is posting everything about themselves on social web sites (and that’s not going to stop anytime soon!!). So, by now everyone is scratching their heads and thinking, hey, you forgot about biometrics. Actually, I didn’t. I do NOT think it is a wise idea to use biometrics for publicly accessible sites. Biometrics are perfect for controlled private settings but I would never implement them for a public site. Why? You think it is bad that your “so called” private information (SSN, credit cards, etc.) may be found on the internet, but if a scan of your finger-print or eyeball were to get on the internet then you would be FOREVER screwed. 🙁 You can change your credit cards but as of today, you cannot change your finger-prints or eyeballs.

So, how does any of this relate to Capitalware? Capitalware’s MQAUSX product authenticates the user’s UserID and Password against the server’s native OS system, LDAP server, Microsoft’s Active Directory, Quest Authentication Services, Centrify’s DirectControl or an encrypted MQAUSX FBA file.

For the encrypted MQAUSX FBA (File Based Authentication) file, a program called “enc_server” is used to manage the encrypted FBA file. “enc_server” is a super-light version of Unix/Linux’s “useradd”, “userdel” and “passwd” programs combined into one program. I am not a fan of big brother but after everything I read this past weekend, I think the “enc_server” program needs some rules around what passwords the MQAdmin can use for generating entries in the encrypted FBA file. So, here are some of the rules that I am thinking of implementing in “enc_server”:

  • Passwords need to be a minimum of 8 characters
  • Passwords must contain at least 1 uppercase alphabetic character (A-Z)
  • Passwords must contain at least 1 lowercase alphabetic character (a-z)
  • Passwords must contain at least 1 numeric digit (0-9)
  • Passwords must contain at least 1 punctuation character i.e. !"#$%&'()*+,-./:;><=?@[\]^_`{|}
  • Passwords cannot contain spaces
  • Passwords cannot contain the associated UserID

The rule list may not be complete but at least it is a start.
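To make the seven rules concrete, here is a C password-policy checker written as an added example for this post; it is illustrative code, not Capitalware's “enc_server” source. It assumes ASCII input, uses exactly the punctuation set listed above, and applies the “cannot contain the associated UserID” rule case-insensitively (an assumption; the post does not say). Each rule maps to one bit so that a single call can report every failure at once, the way an administrator would want to see it.

```c
/* Added example: a checker for the seven password rules listed in the post.
 * Illustrative code only, not Capitalware's enc_server source.
 * Assumptions: ASCII input; the "cannot contain the UserID" rule is
 * applied case-insensitively. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MIN_LEN 8

/* One bit per rule, so one call can report every failure at once. */
enum pw_violation {
    PW_OK         = 0,
    PW_TOO_SHORT  = 1 << 0,
    PW_NO_UPPER   = 1 << 1,
    PW_NO_LOWER   = 1 << 2,
    PW_NO_DIGIT   = 1 << 3,
    PW_NO_PUNCT   = 1 << 4,
    PW_HAS_SPACE  = 1 << 5,
    PW_HAS_USERID = 1 << 6
};

/* The punctuation set exactly as the post lists it (note: no '~'). */
static const char PW_PUNCT[] = "!\"#$%&'()*+,-./:;><=?@[\\]^_`{|}";

/* Case-insensitive substring test; returns 1 if needle occurs in hay. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t h = strlen(hay), n = strlen(needle);
    if (n == 0 || n > h) return 0;
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Returns PW_OK (0) when the password satisfies every rule, otherwise a
 * bitmask of the pw_violation values it breaks. */
unsigned check_password(const char *userid, const char *password)
{
    unsigned v = PW_OK;
    int upper = 0, lower = 0, digit = 0, punct = 0, space = 0;

    if (strlen(password) < PW_MIN_LEN) v |= PW_TOO_SHORT;

    for (const char *p = password; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c >= 'A' && c <= 'Z')      upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else if (c == ' ')             space = 1;
        else if (strchr(PW_PUNCT, c))  punct = 1;
    }
    if (!upper) v |= PW_NO_UPPER;
    if (!lower) v |= PW_NO_LOWER;
    if (!digit) v |= PW_NO_DIGIT;
    if (!punct) v |= PW_NO_PUNCT;
    if (space)  v |= PW_HAS_SPACE;
    if (contains_nocase(password, userid)) v |= PW_HAS_USERID;
    return v;
}

/* Prints one line per failed rule, the feedback an administrator would see. */
void print_violations(const char *password, unsigned v)
{
    static const struct { unsigned bit; const char *msg; } rules[] = {
        { PW_TOO_SHORT,  "must be at least 8 characters" },
        { PW_NO_UPPER,   "needs an uppercase letter (A-Z)" },
        { PW_NO_LOWER,   "needs a lowercase letter (a-z)" },
        { PW_NO_DIGIT,   "needs a digit (0-9)" },
        { PW_NO_PUNCT,   "needs a punctuation character" },
        { PW_HAS_SPACE,  "must not contain spaces" },
        { PW_HAS_USERID, "must not contain the UserID" },
    };
    if (v == PW_OK) { printf("\"%s\": accepted\n", password); return; }
    printf("\"%s\": rejected\n", password);
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (v & rules[i].bit) printf("  - %s\n", rules[i].msg);
}

int main(void)
{
    /* Constructed sample passwords for the UserID "mqadmin". */
    const char *samples[] = { "password", "Secur3!pass", "MqAdmin#2024", "Abc 123!" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        print_violations(samples[i], check_password("mqadmin", samples[i]));
    return 0;
}
```

With the sample inputs, “password” fails three rules at once (no uppercase, no digit, no punctuation), “MqAdmin#2024” fails only the UserID rule because the check ignores case, and “Abc 123!” fails only on the embedded space. Returning a bitmask rather than stopping at the first failure is what lets the tool tell the MQAdmin everything that is wrong in one pass.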

Regards,
Roger Lacroix
Capitalware Inc.

This entry was posted in Capitalware, IBM i (OS/400), IBM MQ, Linux, MQ Authenticate User Security Exit, Unix, Windows, z/OS.
