The Perils of Penelope’s Passwords

Frank Clark
Published in Hunter Strategy
5 min read, Jun 20, 2023

“I tried your birthday, I tried your mom’s first name,
I tried your cat’s name, I tried your favorite band…
I have the password to your shell account”
- Barcelona, “Shell Account”

If you will please indulge me a little nod to a favorite cartoon of my youth, we should have a short talk about passwords and their place in our current information security environments. Like a favorite bedtime story, we all have our offensive and defensive playbooks when talking about passwords. They range from the classic “They don’t work” to the exotic “Correct, Horse! Battery Staple!”¹. Pull up a seat next to the fire pit we use to destroy old policy & procedure manuals and let me offer you a little advice.

Passwords by themselves are no longer a secure enough method to protect information systems. Like information security professionals, end users have had to embrace “Defense in Depth” and accept strong passwords as part of multi-factor authentication, despite their protests. Shortly thereafter, the holes in multi-factor authentication arose and once again the pitchforks and torches came up from the end users. We endured the eras of entry-level biometrics, proximity cards, hand contour readers, and an endless trail of money that went to the sales team with the best dog and pony show. After all of this, the end users quietly kept pitchforks and torches next to their umbrellas in their cubicles, should anyone come up with another “solution.” While their complaints can be valid, and some of them addressed, the fact remains that end users need to understand that with great sensitivity comes great responsibility. Security administrators have to understand that no one is going to remember passwords that require 30 characters that must include letters, numbers, special symbols, and a Stargate Address².

The industry has presented us with all manner of systems to assist in the great password rodeo. We have passwords stored in our browsers, physical hard-bound books to write our passwords down in, and even cloud-based password storage so that we can access our passwords anywhere we go. The one thing all of these methods have in common? They have all been compromised.

So the question becomes “what do we do?” As usual, this question was dropped on my desk somewhere in between my breakfast burrito and my first caffeination cylinder of the day. We need a solution that includes passwords, prevents weak passwords, functions remotely and locally, and does not increase the overall size of our attack surface. The impossibility of this Kobayashi Maru³ was starting to loom over my head when a memory of a past DEF CON conference reminded me of a very important fact. It was late at night at DEF CON, sitting at a round table of information security experts swapping stories of high adventure, when one of my colleagues reminded me of an old Russian proverb: “Three people can keep a secret, if two are dead.” I smiled and replied, “There is no cloud, just someone else’s computer.” The solution was sitting there in front of me between the pencil jar and the lamp⁴.

To solve this problem, I pulled down a copy of KeePass⁵ and a freshly wiped thumb drive. KeePass has the ability to store and organize password lists behind strong encryption, and run off a thumb drive without the need for any software installation, fees, cloud follies, or contracts. This makes the storage secure, portable, and, in the best of all security traditions, offline when you are done for the day. I quickly filled in all my current passwords, and used the built-in generator to create new passwords to replace the weak ones (we all have at least one, let’s be honest) with a thirty-character, 181-bit everlasting gobstopper⁶ of a password that contained more special characters than an APL program⁷. I tested this in many ways through the day, and it did not disappoint. At the end of my day I removed the thumb drive and placed it in my safe alongside my autographed Ray Semko⁸ photograph and went home secure in knowing that while the hackers tilted at our windmills, my passwords were safe from their electronic shenanigans.
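The “thirty character, 181 bit” figure above is simply the length of the password multiplied by the bits of entropy each character carries, which depends only on how many symbols the generator could have picked from. The script below is an added example, not code from the post or from KeePass itself; it reproduces that arithmetic, shows what alphabet size the numbers imply, and generates a password the same way a password manager’s generator does (uniform, cryptographically secure choice from a fixed alphabet). The 66-symbol alphabet is an assumption constructed to match the post’s numbers, and the 2048-word passphrase list size comes from the xkcd strip cited in the post.

```python
"""Added example: password entropy arithmetic and a CSPRNG-based generator.
Not the post's or KeePass's own code; the alphabets below are constructed."""
import math
import secrets
import string

# Constructed alphabet: 52 letters + 10 digits + 4 symbols = 66 symbols.
# log2(66) is about 6.04 bits per character, so 30 characters give 181 bits,
# which is exactly the figure quoted in the post.
ALPHABET_66 = string.ascii_letters + string.digits + "!@#$"

# All printable ASCII except space: 52 + 10 + 32 = 94 symbols.
ALPHABET_94 = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> int:
    """Whole bits of entropy for `length` uniform picks from `alphabet_size`
    symbols. The same formula covers a word-list passphrase: four words from
    a 2048-word list is 4 * log2(2048) = 44 bits (the xkcd 936 figure)."""
    if length <= 0 or alphabet_size <= 1:
        return 0
    return int(length * math.log2(alphabet_size))


def alphabet_size_for(bits: int, length: int) -> int:
    """Smallest alphabet that reaches `bits` of entropy in `length` symbols.
    Inverting the post's numbers: 2 ** (181 / 30) is about 65.5, so the
    generator must have drawn from at least 66 distinct symbols."""
    return math.ceil(2 ** (bits / length))


def generate(length: int, alphabet: str) -> str:
    """Generate a password with `secrets` (a CSPRNG), never `random`.
    Each position is an independent uniform pick, so entropy_bits() applies."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(length: int, alphabet: str, min_bits: int = 128) -> bool:
    """Check a generator configuration against an entropy floor rather than
    a character-class checklist; 128 bits is a common floor for secrets that
    are stored in a manager and never typed from memory."""
    return entropy_bits(length, len(alphabet)) >= min_bits


if __name__ == "__main__":
    print("30 chars from 66 symbols:", entropy_bits(30, 66), "bits")
    print("30 chars from 94 symbols:", entropy_bits(30, 94), "bits")
    print("alphabet needed for 181 bits in 30 chars:", alphabet_size_for(181, 30))
    print("4 words from 2048:", entropy_bits(4, 2048), "bits")
    print("sample:", generate(30, ALPHABET_94))
```

The point of `meets_policy` is that an entropy floor, not a list of required character classes, is the property worth enforcing: a 30-character password drawn from the full printable set clears 128 bits by a wide margin, while a four-word passphrase from a 2048-word list (44 bits) only makes sense where an attacker is rate-limited.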

The next day I presented this system to the SOC team. There were some doubters, and there were some people who wanted us to use a more “modern” cloud-based solution. I asked them to give it a try for one day. The next morning, as we reviewed the news of the day at our shift change briefing, the news reported that the cloud solution that had been suggested had been compromised by hackers and data lost. I silently stood there, swinging my thumb drive on a chain attached to my suit like an old pocket watch. In the back of my head I could hear the Brian Setzer Orchestra⁹ playing. Who says these meetings have to be dull?

The moral of the story is that while no one solution is a universal fit for everyone, everywhere, with careful consideration of your business needs, security and compliance requirements and a little old school wisdom you can create a sensible, workable, and more-secure-than-not solution to help keep your passwords safe, because they are not going away anytime soon.

Frank Clark is a security engineer with Hunter Strategy, a lover of pop culture references of his era, the person you want on your team on trivia night and once connected the telephone of the principal at the high school he was attending to the school PA system. His experience in security operations includes stock market trading floors, DOD, DOE and NNSA facilities over a 25 year career still in progress. Shai Dorsai!

[1] https://xkcd.com/936/
[2] https://www.rdanderson.com/stargate/glyphs/index.htm
[3] https://en.wikipedia.org/wiki/Kobayashi_Maru
[4] https://www.imdb.com/title/tt0105435/
[5] https://keepass.info/
[6] https://en.wikipedia.org/wiki/Everlasting_Gobstopper
[7] https://computerhistory.org/blog/the-apl-programming-language-source-code/
[8] https://raysemko.com/
[9] https://www.youtube.com/watch?v=aHWcN5YxuYc
