Monday, December 5, 2011

Securing Your Clinic IT - Passwords

We're going to be doing a periodical feature on here about some security practices to keep in mind.  Security is too broad a topic to cover in one post, so we'll do posts about individual areas.  If you have a particular issue you'd like to see covered, please comment and we'll try to get a post together about it.
The first Securing Your Clinic IT post will cover passwords.

Authentication in the IT world often consists of a username and password combination.  The username is a public or semi-public unique identifier representing, typically, an individual.

The password is a secret sequence of characters that is known only to the individual and the authenticating service.  This allows the user to prove who they say they are.

The biggest challenges to password security are:

  • Use of common passwords, such as "password" (I'm serious)
  • Short passwords (these are easily cracked using "brute force" attacks, wherein the attacker simply tries different character combinations)
  • Passwords that are simple words (subject to dictionary attacks)
  • Hard to remember passwords, as these are invariably  written down (this undid an alleged Russian spy ring a year ago)
  • Same password used across multiple sites (hacking collective Anonymous put this to use against a federal contractor)
  • Passwords shared between users (this violates auditability principles and leads to logistical challenges if a staff member leaves)
Now that we've identified problems, let's identify some criteria for what makes a good password:
  • Not a common word or based on a common word
  • 8 characters or longer
  • Comprised of lowercase, uppercase, numbers and punctuation
  • Easy for the user to remember without writing it down
  • Used for only one site
  • Known to only one person

In the days of yore, passwords were often just words, "password" as password is still surprisingly common.  Often people would just use a word they liked ("awesome") or a loved one's name. These are subject to what's known as dictionary attacks, where an attacker tries every word in the dictionary against the target account.  This sounds like a lot of work, but it's not hard to write a piece of software to do this, and chew through the entire dictionary in a matter of hours.

Today, many sites will force you to have complex passwords comprised of capital and lower case letters, numbers and punctuation.  This can make passwords hard to guess, but also hard to remember.  This can lead to people writing down passwords, which is a problem.  Further, these types of passwords are not as resilient to brute force attacks as one might imagine.  This comic, from xkcd, delves into some of the probability:
Some believe using randomly generated passwords is the solution.  These can be useful for system-to-system passwords, where a user is not expected to remember it (I like this password tool).  A 14 character random password "BN5dt[0+xB4^}{" is very hard to guess, and won't come up in any dictionary.  The problem is that it's hard to remember.

A recent emerging technique is to use a password or favourite quote from a poem or book as a password.  Take for example the classic snippet from Shakespeare's Hamlet, Act 5 Scene 1:
Alas, poor Yorick! I knew him, Horatio; a fellow of infinite jest
To generate a password from this, we take the first letter of each word and the punctuation, and combine to form "A,pY!Ikh,H;afoij".  Not bad, now we need to incorporate some numbers.  In this case there are many options.  One can replace the words to, two and too with the number 2, the words for and four with 4, eight and ate with 8, etc...  One can use the author's year or date of birth, the year the work was published, the page number, the line number, or some other random number that is meaningful to you and easily remembered (don't use your or a family member's birthdate).  In this case I will prepend the act and scene numbers, giving us "51A,pY!Ikh,H;afoij".  This password meets all our criteria.  It is difficult to guess but easy to remember.
Another common technique is to force users to change passwords every so often, typically 1-3 months.  However, the effectiveness of this is coming under scrutiny.  Modern security researchers believe this is of limited benefit and can lead to making passwords hard to remember, which in turn leads to user writing down passwords.  It can lead to users creating easy to remember AND guess passwords.  Further, the user can make trivial changes, which most systems will accept.  Changing a password from "password" to "password1" hasn't done much to reduce the threat.  An article from CERIAS, a security research center at Purdue University, says
Any reasonable analysis shows that a monthly password change has little or no end impact on improving security!    It is a “best practice” based on experience 30 years ago with non-networked mainframes... hardly a match for today’s systems...
Maintaining a list of passwords can be challenging.  A password for every site, tool and network your clinic interacts with can mean hundreds of passwords!  There are tools to help you manage your passwords.  KeePass is a commonly used one, and is certainly worth a look though it may be too advanced for some.  For others, try keeping an encrypted word doc with your passwords, but it is important to follow those steps exactly.  Using a poor password or a weak Crypto Provider leaves you very exposed.

More advanced techniques are emerging, including secure access cards, or fobs with rotating numbers as an added measure.  These tools give each user a physical device with a number that changes periodically (typically every 30 secs) according to a secure algo.  The user must enter their username, password, and the number from the device to login.  This is known as two-factor authentication.  These devices can be quite secure, but the cost is not small, and this is probably overkill for most clinics.

Using proper password techniques as outlined above can help secure clinic.  This in turn can speed up your operations and reduce your exposure to loss.  I hope this helps, please feel free to ask any questions in the comments below.

No comments:

Post a Comment