Real World Computing

What's the word?

Posted on 20 Feb 2006 at 12:36

Davey Winder exposes the state of small-business password management

Last month, I mentioned that I've been involved in a year-long investigation of small-business security implementation and management. By interviewing staff at small businesses and offering a cost-free password security audit as an incentive, I compiled a survey covering 504 individuals across 114 businesses. The survey won't give Forrester or Gartner any sleepless nights, but it's nonetheless a valid sample from the small end of the SME sector. The survey in its entirety must remain confidential; it's the research phase of a commercial project I'm undertaking for a client. However, I'm at liberty to discuss the results about password security, and they reveal a rather worrying state of affairs.

My first question was how many work-related passwords the interviewee needed to remember on a regular basis. Only 12 per cent had fewer than six, 29 per cent reported between six and 12, and a staggering 53 per cent were struggling with 13 to 25; only 6 per cent had more than 25. The average number of passwords per person was 16, and 72 per cent of respondents admitted to forgetting at least one within the previous week. What surprised me, and I'm not easily wrong-footed after 15 years in the SME marketplace, was that 48 per cent of the IT admin staff surveyed had also forgotten a work-related password. Of course, at this size of business (fewer than four staff on average), an 'IT admin' is less likely to be a qualified professional and more likely to be the person in the firm with an interest in computers.

If all these people were forgetting their passwords, what was the management strategy for remembering them? You've guessed it: 64 per cent of end users and 73 per cent of IT admins saw writing down their passwords as the only solution. However, 22 per cent of end users and 78 per cent of IT admins who did write down passwords used some derived reminder rather than the whole password. That reduces the risk, but only marginally, as such reminders are usually easy to work out if you know anything about the person (and often even if you don't).

Walking in hackers' shoes

To truly understand the password-security problem, you need to appreciate not so much the mindset of the people who want to crack it as the tools and methodologies they use. It's hard to read the mind of every possible cracker, as there are too many varieties, but not so the tools of their trade.

There are just two methods worth studying, because they're the most widely deployed: software and social engineering. L0phtCrack is easy to use, and still easy enough to find if you inhabit the online world of the hack-and-crack community (rather than the commercial one of Symantec, which bought the product and limited its distribution to the US and Canada only). It was once the hackers' favourite tool, but times change and tools mature. Its GUI makes it simple to operate, and some might believe that its ability to process a 30,000-word dictionary in a second (or to append a couple of characters to every dictionary word, in every combination, in around a minute) makes it cutting-edge, but nothing could be further from the truth. Tools such as John the Ripper, which supports user-defined rule sets for controlling dictionary transformations, make L0phtCrack look ancient. John the Ripper goes far beyond simply appending or prepending characters to dictionary words: it can reverse words, rotate words by shifting characters, toggle character case, shift state (that is, replace a letter with the non-alphabet character on the same key) and much more.
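The practical lesson for a small business is that any password derivable from a dictionary word by the transformations just listed is no stronger than the word itself. The following Python script is an added example, not code from the column or from John the Ripper: it models a handful of those rules (append characters, reverse, rotate, toggle case, leet substitution and a shift-state swap on the digit row) and uses them defensively, to reject a proposed password at registration time if it is merely a mangled dictionary word. The five-word wordlist, the suffix alphabet and the US-keyboard shift map are constructed for illustration; a real deployment would load a full wordlist. The `expansion` helper also shows the arithmetic behind the column's "append a couple of characters" remark, which is why suffixes alone add little strength.

```python
"""Defensive check: is a password just a mangled dictionary word?

Added example modelled on the kinds of wordlist rules the column
describes (not John the Ripper's own rule syntax). All sample data
below is constructed; the shift map assumes a US keyboard layout.
"""
from itertools import product
import string

# Constructed mini-dictionary standing in for a real wordlist.
WORDLIST = ["password", "welcome", "monday", "london", "dragon"]

# Shifted symbol on the same key for the digit row (assumption: US layout).
SHIFT_MAP = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
             "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}

# Characters users typically bolt onto the end of a word.
SUFFIX_CHARS = string.digits + "!@#$"

LEET_TABLE = str.maketrans("aeios", "43105")


def reverse(word):
    """'password' -> 'drowssap'."""
    return word[::-1]


def rotate(word, n=1):
    """Rotate left by n characters: 'password' -> 'asswordp'."""
    n %= len(word)
    return word[n:] + word[:n]


def toggle_case(word):
    """Swap the case of every letter."""
    return word.swapcase()


def capitalise(word):
    """Upper-case the first letter only."""
    return word.capitalize()


def leet(word):
    """Common letter-for-digit substitutions: 'password' -> 'p455w0rd'."""
    return word.translate(LEET_TABLE)


def shift_state(word):
    """Replace each digit with the shifted symbol on the same key."""
    return "".join(SHIFT_MAP.get(c, c) for c in word)


BASE_RULES = [lambda w: w, reverse, rotate, toggle_case, capitalise, leet]


def append_suffixes(word, max_len=2):
    """Yield word plus every suffix of 0..max_len chars from SUFFIX_CHARS."""
    yield word
    for n in range(1, max_len + 1):
        for combo in product(SUFFIX_CHARS, repeat=n):
            yield word + "".join(combo)


def candidates(wordlist, max_suffix=2):
    """Every string reachable from the wordlist by one base rule,
    an optional suffix, and an optional shift-state pass."""
    seen = set()
    for word in wordlist:
        for rule in BASE_RULES:
            for cand in append_suffixes(rule(word), max_suffix):
                for final in (cand, shift_state(cand)):
                    if final not in seen:
                        seen.add(final)
                        yield final


def is_weak(password, wordlist=WORDLIST, max_suffix=2):
    """True when the password is derivable from a wordlist entry."""
    return password in set(candidates(wordlist, max_suffix))


def expansion(word_count, alphabet_size, max_suffix):
    """Number of candidates from appending 0..max_suffix characters.
    30,000 words with up to two of 95 printable characters is 273,630,000,
    still a trivial keyspace for a cracker."""
    return word_count * sum(alphabet_size ** n for n in range(max_suffix + 1))


if __name__ == "__main__":
    for pw in ["Password1!", "nodnol12", "p455w0rd", "tr0ub4dor&3xylophone"]:
        print(f"{pw!r}: {'REJECT' if is_weak(pw) else 'ok'}")
    print("candidates from a 30,000-word list, two-char suffix:",
          expansion(30000, 95, 2))
```

The check is deliberately generate-and-test rather than a length or character-class rule: a policy that demands "eight characters, one digit, one symbol" happily accepts `Password1!`, which this script rejects because it is one rule application away from a dictionary word.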

PCPro-Computing in the Real World Printed from www.pcpro.co.uk