How to Secure User Accounts

Next to physical security, the careful use of user accounts is the most important type of security for your network. Properly configured user accounts can prevent unauthorized users from accessing the network, even if they gain physical access to the network. The following sections describe some of the steps that you can take to strengthen your network’s use of user accounts.

Obfuscating your usernames

Huh? When it comes to security, obfuscation simply means picking obscure usernames. For example, most network administrators assign usernames based on some combination of the user’s first and last names, such as BarnyM or baMiller. However, a hacker can easily guess such a user ID if she knows the name of at least one employee. After the hacker knows a username, she can focus on breaking the password.

You can slow down a hacker by using more obscure names — and here’s how:

• Add a random three-digit number to the end of the name. For example: BarnyM320 or baMiller977.
• Throw a number or two into the middle of the name. For example: Bar6nyM or ba9Miller2.
• Make sure that usernames are different from email addresses. For example, if a user’s email address is [email protected], do not use baMiller as the user’s account name. Use a more obscure name.

Do not rely on obfuscation to keep people out of your network! Security by obfuscation doesn’t work. A resourceful hacker can discover even the most obscure names. The purpose of obfuscation is to slow down intruders — not to stop them. If you slow down an intruder, you’re more likely to discover that she is trying to crack your network before she successfully gets in.

Using passwords wisely

One of the most important aspects of network security is using passwords. Usernames aren’t usually considered secret. And even if you use obscure names, casual hackers will eventually figure them out.

Passwords, on the other hand, are indeed top secret. Your network password is the one thing that keeps an impostor from logging on to the network by using your username and therefore receiving the same access rights that you ordinarily have. Guard your password with your life.

Here are some tips for creating good passwords:

• Don’t use obvious passwords, such as your last name, your kid’s name, or your dog’s name.
• Don’t pick passwords based on your hobbies, either. A friend of mine is into boating, and his password is the name of his boat. Anyone who knows him can guess his password after a few tries. Five lashes for naming your password after your boat.
• Store your password in your head, not on paper. Especially bad: Writing down your password on a sticky note and sticking it on your computer’s monitor. Ten lashes for that. (If you must write down your password, write it on digestible paper that you can swallow after you memorize the password.)
• Set expiration times for passwords. For example, you can specify that passwords expire after 30 days. When a user’s password expires, the user must change it. Your users may consider this process a hassle, but it helps to limit the risk of someone swiping a password and then trying to break into your computer system later.
• You can also configure user accounts so that when they change passwords, they can’t specify a password that they’ve used recently. For example, you can specify that the new password can’t be identical to any of the user’s past three passwords.
• You can also configure security policies so that passwords must include a mixture of uppercase letters, lowercase letters, numerals, and special symbols. Thus, passwords like DIMWIT or DUFUS are out. Passwords like 87dIM@wit or duF39&US are in.
• Use a biometric ID device, like a fingerprint reader, as a way to keep passwords. These devices store your passwords in a secret encoded file, then supply them automatically to whatever programs or websites require them — but only after the device has read your fingerprint. Fingerprint readers, which used to be exotic and expensive, are available for as little as $50.

A password-generator For Dummies

How do you come up with passwords that no one can guess but that you can remember? Most security experts say that the best passwords don't correspond to any words in the English language, but consist of a random sequence of letters, numbers, and special characters. Yet, how in the heck are you supposed to memorize a password like Dks4%DJ2, especially when you have to change it three weeks later to something like 3pQ&X(d8?

Here's a compromise solution that enables you to create passwords that consist of two four-letter words back to back. Take your favorite book (if it’s this one, you need to get a life) and turn to any page at random. Find the first four- or five-letter word on the page. Suppose that word is When. Then repeat the process to find another four- or five-letter word; say you pick the word Most the second time. Now combine the words to make your password: WhenMost. I think you agree that WhenMost is easier to remember than 3PQ&X(D8 and is probably just about as hard to guess. I probably wouldn't want the folks at the Los Alamos Nuclear Laboratory using this scheme, but it’s good enough for most of us.

Here are some additional thoughts on concocting passwords from your favorite book:

• If the words end up being the same, pick another word. And pick different words if the combination seems too commonplace, such as WestWind or FootBall.
• For an interesting variation, insert the page numbers on which you found both words either before or after the words. For example: 135Into376Cat or 87Tree288Wing. The resulting password will be a little harder to remember, but you'll have a password worthy of a Dan Brown novel.
• To further confuse your friends and enemies, use archaic language: for example, medieval words from Chaucer’s Canterbury Tales. Chaucer is a great source for passwords because he lived before the days of word processors with spell-checkers. He wrote seyd instead of said, gret instead of great, and litel instead of little. And he used lots of seven-letter and eight-letter words suitable for passwords, such as glotenye (gluttony), benygne (benign), and opynyoun (opinion). And he got an A in English.

If you do decide to go with passwords such as KdI22UR3xdkL, you can find random password generators on the Internet. Just go to a search engine, such as Google, and search for password generator. You can find web pages that generate random passwords based on criteria that you specify, such as how long the password should be, whether it should include letters, numbers, punctuation, uppercase and lowercase letters, and so on.

If you use any of these password schemes and someone breaks into your network, don’t blame me. You’re the one who’s too lazy to memorize D#Sc$h4@bb3xaz5.

Recent research is suggesting that much of what we’ve believed about password security for the last 30 or so years may actually be counterproductive. Why? Two reasons:

• The requirement to change passwords frequently and making them too complicated to memorize simply encourages users to write their passwords down, which makes them easy to steal.
• A common way that passwords are compromised is by theft of the encrypted form of the password database, which can then be attacked using simple dictionary methods. Even the most complex passwords can be cracked using a dictionary attack if the password is relatively short; the most important factor in making passwords difficult to crack is not complexity but length.

As a result, the National Institute for Standards and Technology (NIST) recommends new guidelines for creating secure passwords:

• Encourage longer passwords.
• Drop the complexity requirement. Instead, encourage users to create passwords that they can easily remember. A simple sentence or phrase consisting of ordinary words will suffice, as long as the sentence or phrase is long. For example, “My password is a simple sentence” would make a good password.
• Drop the requirement to change passwords periodically; it only encourages users to write down their passwords.

Old ways are difficult to change, and it will take a while for these new guidelines to catch on. Personally, I wouldn’t drop the requirement to change passwords periodically without also increasing the minimum length to at least 15 characters.

Securing the administrator account

At least one network user must have the authority to use the network without any of the restrictions imposed on other users. This user — the administrator — is responsible for setting up the network’s security system. To do that, the administrator must be exempt from all security restrictions.

Many networks automatically create an administrator user account when you install the network software. The username and password for this initial administrator are published in the network’s documentation and are the same for all networks that use the same NOS. One of the first things that you must do after getting your network up and running is to change the password for this standard administrator account. Otherwise, your elaborate security precautions will be a complete waste of time. Anyone who knows the default administrator username and password can access your system with full administrator rights and privileges, thus bypassing the security restrictions that you so carefully set up.

Don’t forget the password for the administrator account! If a network user forgets his password, you can log on as the supervisor and change that user’s password. If you forget the administrator’s password, though, you’re stuck.