Thursday, August 30, 2007

Passwords Written Down, Real Life Real Risk

I sound like a broken record sometimes. I get sick of hearing myself speak too. I will say it again because it is of utmost importance:

People, please STOP writing passwords down!

Here is a real-life example of a written down password that could have very easily led to over $500,000 in theft.

The Incident
I get the call all of the time. Someone calls to report (anonymously) that they have found a password written down on a laptop. As always, I initiate an investigation to determine the extent of the risk to the company I am contracted to work for. Upon arrival at the site of the laptop, I notice various passwords written down on stickers just to the right of the mouse/thumbpad.

Typically, the passwords I find pose more risk to the company (i.e. Active Directory passwords, VPN passwords, etc.) than they do to the individual at fault, but this one was different. My eye was immediately drawn to one written password entry; it read:

USER ID: jdoe
PASSWORD: jdoeDoneB4d

NOTE: These user IDs and passwords have been modified for the sake of this article. The actual user IDs and passwords on the stickers were different.

Naturally, I want to find out who this person is. After searching everywhere within the company and interviewing numerous people, I had run out of options. I think to myself, self, “The user name and password can’t still be valid, can they?” I decide to try. I go to Oh %^$*@! They are valid! Upon login, I get confronted with the “Complete View” account page.

$492,640.25 worth of risk! Now I can find the user, however, which is my main motivation. Obviously the first thing to do is have the user change their password, which they did. I spent a good amount of time with the user explaining what could have happened if this information fell into the wrong hands and gave them some alternative methods for password management. I am not sure if it sank in or not, but it felt good to help for now!

How did the laptop end up where it was?
This is the question I would be asking myself. Through investigation it was discovered that the laptop was turned in to the help desk for normal hardware rotation. The user basically sends their old laptop to the help desk for a new one, which is common every couple of years. The help desk placed the old laptop in storage then brought it out as a loaner for a contractor.

Why didn’t the help desk remove the stickers and inform Information Security personnel when the laptop was returned for recycling?
Another good question. Because sometimes people forget that information security is EVERYONE'S job. People need to understand what role they play because we all play one. I have found through experience that an effective training and awareness program goes a long way. Training and awareness conducted correctly could have stopped the user from writing their passwords down in the first place and may have reminded the help desk to remove and report.

I have given this much thought over the last few days. It really bugs me when people fall victim to scams, thieves, and the like. There is no sense in making it easy for them! People write down passwords because they typically do not know of a better way to manage all of their passwords. Can we blame them? See my previous article "Passwords Part 3/3 - Password Management" for some suggestions.

In hindsight I should not have logged into the account to find the username. This poses a risk to myself. Next time I will call eTrade and inform them of the username and password found on the laptop. I hope there won't be a next time, but I would be too naive to believe so.


Mike said...

The issue is real and probably going to get worse before it gets better. While I think users will get better at protecting their passwords, there is a trend towards synchronizing and combining access via a SINGLE password and account.

Case in point: a client of mine is looking at Passlogix for single sign-on (SSO). Not a problem, until they realized that all access to all the user's applications is now controlled by one username/password combination. A single misplaced password for a powerful user could result in a significant breach.

As a result, the client is considering strong authentication (smart card, USB token, etc.) options for all internal users of the SSO solution.


Greg said...

We know that we cannot expect users to remember multiple complex passwords, but we also cannot expect users to be able to run password management applications like your Password Part 3/3 post suggests. In a bit of irony, perhaps the workstation is locked down from user-initiated application installs...

I do encourage users to write down their complex passwords, as long as they understand they must keep that document as secure as they keep their credit cards. Writing the highly secure information down isn't the problem; it's the storage of that secure information. You choose to "write" your passwords in an encrypted format stored on your computer. That's well and good as it fits your environment. Others could choose to write their passwords on paper and store it in their wallet. Just as with credit cards, care must be taken IN ADVANCE to identify the processes to perform in the event of a stolen/lost wallet.