Rethinking Password Policy


A password policy is a common part of every company’s overall security policy. Most password policies are set in stone and have been essentially unchanged over the past twenty years. We think of the ideal password as a random collection of letters, numbers and special characters. Common password policies often include rules such as:

  • Both upper case and lower case letters are required.
  • At least one number and one special character.
  • A minimum length of 8 characters (and often a maximum length is set).
  • A prohibition against certain patterns or sequences of characters.
  • No personal information (e.g., one cannot use one’s first or last name).
  • Cannot repeat the previous dozen passwords.
  • Password must be changed every 90 days.

These are all pretty standard and have the desired effect of forcing fairly complex passwords. After all, the more complex the password is, the more secure it is, right? Or is it? Let’s look at two examples.

1. Super.001 – This password meets all the requirements above. It has the advantage of being very easy to remember and has four different character types. Most people would be able to remember this password without much effort, which is ideal. But it is subject to one very serious issue: repeatability. That is to say, the user’s next password is going to be Super.002, then Super.003, and so on. While they all meet the complexity requirements of the ruleset above, they are a serious breach of good InfoSec practice, since knowing one password makes it very easy to guess the next iteration of the same user’s password.
2. $%thIn25b – This password also meets all of the above requirements, but it has a few disadvantages. First, the human brain is simply not wired to remember passwords like this, which means most people will have to write it down: post-it notes on monitors, tape strips underneath keyboards or on the back of badges, and so on. Because of its complexity, the user is also far more likely to suffer an increase in the number of lock-outs they experience (decreasing their productivity), which in turn increases the workload for the IT help desk. One other consideration not often mentioned is that a more complex password often means slower, finger-picking typing at the keyboard, which in turn might make it easier for shoulder surfers to pick out passwords.

Before going too far, we need to understand a little about how passwords work in a corporate environment. The first thing to understand is that passwords are not stored in plaintext. That is to say, we cannot view the password in any way once it has been passed to the system. For example, if you store all your personal passwords in an Excel file (a common but very bad habit), you are storing your passwords in plaintext: anyone who opens the Excel file can read and copy them. Within a computer network, however, passwords are not stored that way; rather, they are stored and passed as hashes. A hash is the result of passing a password through a mathematical formula that turns it into a fixed-length string of characters. For example, the SHA1 hash of the aforementioned Super.001 is “b61bcff38b1a464aedc8261afb8211a7a67eaa07”, and that is what Windows sees and uses. Now, you might think that changing Super.001 to something very close, like Super.002, would result in a hash that is very close to the first, but in fact you end up with a very different set of numbers and letters. In this case Super.002 becomes 020ad20ab24b29118d1fc2ce391dd18fe41b3000. Notice the radical difference between the two. This is the result of a mathematical concept called entropy, and entropy is one of the most important concepts to understand when considering passwords. Basically, entropy is how much change results in the final hash value from extremely small changes in the original plaintext value. This is important because the more entropy you introduce into the hash, the further from the original value you get, and the more difficult it becomes to reverse the hash.

Now, without getting into the mathematics of password entropy, which quite honestly is beyond me, I can say that password length is far more important than password complexity, a point which even the most casual Google search will confirm. In fact, there is some significant mathematical evidence that increased complexity actually decreases password strength. What this means, basically, is that complex passwords don’t matter; long passwords do.

There is some really interesting history around the development of the password rules that we are so used to, but in essence they were made up and rushed through to get published in a federal specification, with no evidence to back them up. They have been used for so long that we don’t question them. However, over the past two years or so, a lot of work has gone into rethinking passwords, and that research has produced a whole new set of standards that the federal government has now published and that is slowly being adopted throughout the country. It should be noted that even our infamous three-letter agencies are in agreement with these new standards. In fact, as part of the FIPS program, agencies that do business with the federal government are required to implement these new standards, which are published in NIST SP 800-171.

So what do these new standards say?

  1. Get rid of the password change requirement. Passwords should not be required to change or expire on a fixed time frame; instead, they should be changed only if they have been forgotten or compromised.
  2. No more complexity requirements. Password owners should not be forced to use convoluted and overly complex combinations of letters, numbers and special characters to create their passwords.
  3. Require longer passwords: a minimum of 8-12 characters, and maximum sizes should be raised to 64 characters or even more.
  4. Consider not using passwords and moving instead to a passphrase. A passphrase is a sentence or combination of words, such as the line of a poem or song, that is easier to remember.
  5. Implement screening against known lists of bad or common passwords.
  6. Eliminate the use of password hints and security questions that are based on specific knowledge points (such as your high school mascot or mother’s maiden name).

Ultimately, these new standards are about favoring the end user. They mean less time spent trying to remember new passwords, less productivity lost to expired or forgotten passwords, and fewer passwords left lying around on post-it notes. The end user should not suffer because software writers are too lazy to handle passwords properly.
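A validator that applies the six rules above, as an added example that is not code from the post or from NIST: it enforces only length bounds, blocklist screening and a ban on account-specific words, with no character-class or expiry rules. The toy blocklist, the trailing-counter stripping that catches the Super.001/Super.002 pattern, and the sample candidates are all constructed for the example.

```python
import re
import unicodedata

# Constructed toy blocklist standing in for a real breach corpus (e.g. the
# Have I Been Pwned "Pwned Passwords" list); entries are lowercase stems.
KNOWN_BAD_STEMS = {"password", "123456", "qwerty", "letmein", "welcome", "super"}
MIN_LEN = 8    # the lower bound recommended above
MAX_LEN = 64   # the raised upper bound, so passphrases fit
TRAILING_COUNTER = re.compile(r"[\W_]*\d*[\W_]*$")  # ".001", "2024", "1!"
LONG_RUN = re.compile(r"(.)\1{3,}")                  # aaaa, 1111, !!!!

def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode spellings compare equal
    (fullwidth 'ｐａｓｓｗｏｒｄ' becomes 'password' before screening)."""
    return unicodedata.normalize("NFKC", password)

def blocklist_stem(password: str) -> str:
    """Lowercase and strip a trailing counter, so 'Super.001' and 'Super.002'
    both reduce to 'super' and are screened as the same weak password."""
    lowered = password.lower()
    return TRAILING_COUNTER.sub("", lowered) or lowered

def check_password(password: str, username: str = "") -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Only the rules listed above apply: length bounds, blocklist screening and
    no account-specific words. There are no character-class rules and no expiry."""
    pw = normalize(password)
    lowered = pw.lower()
    problems: list[str] = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if blocklist_stem(pw) in KNOWN_BAD_STEMS:
        problems.append("matches a known-bad password (ignoring any trailing counter)")
    if LONG_RUN.search(lowered):
        problems.append("contains four or more identical characters in a row")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the account's username")
    return problems

if __name__ == "__main__":
    for cand in ("Super.001", "Super.002", "$%thIn25b", "correct horse battery staple"):
        print(f"{cand!r}: {'; '.join(check_password(cand)) or 'accepted'}")
```

Note that both of the post’s examples satisfy the old composition rules, yet here Super.001 is rejected and the passphrase is accepted: the screening, not the character mix, decides.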

A few other items of note: software systems really should be using two-factor authentication (there simply is no excuse not to anymore), and SMS is not a secure 2FA method.


Outlook Email Headers on a Mac

Today I wanted to take a few minutes to look at the headers on a particularly suspicious email I received, and it took me a few minutes to find them, since I had never done it on a Mac before.  So I threw together a quick guide.

  1. In the email list pane, right click on the email that you want to view information about.
  2. In the context menu select “View Source” which is almost at the bottom of the pop-up window.
  3. You will then get another window that opens and shows the header, the MIME info, and the body of the email.  Easy enough.

D.O.D. Data Sanitization Matrix

Standard DoD 5220.22-M, US DoD 5220.22-M (ECE)

The US Department of Defense, in its clearing and sanitizing standard DoD 5220.22-M, recommends the approach “Overwrite all addressable locations with a character, its complement, then a random character and verify” (see the table and its key below) for clearing and sanitizing information on writable media.

US Department of Defense 5220.22-M Clearing and Sanitization Matrix

Media                                     Clear         Sanitize
Magnetic Tape
  Type I                                  a or b        a, b, or m
  Type II                                 a or b        b or m
  Type III                                a or b        m
Magnetic Disk
  Bernoullis                              a, b, or c    m
  Floppies                                a, b, or c    m
  Non-Removable Rigid Disk                c             a, b, d, or m
  Removable Rigid Disk                    a, b, or c    a, b, d, or m
Optical Disk
  Read Many, Write Many                   c             m
  Read Only                               -             m, n
  Write Once, Read Many (WORM)            -             m, n
Memory
  Dynamic Random Access Memory (DRAM)     c or g        c, g, or m
  Electronically Alterable PROM (EAPROM)  i             j or m
  Electronically Erasable PROM (EEPROM)   i             h or m
  Erasable Programmable ROM (EPROM)       k             l, then c, or m
  Flash EPROM (FEPROM)                    i             c then i, or m
  Programmable ROM (PROM)                 c             m
  Magnetic Bubble Memory                  c             a, b, c, or m
  Magnetic Core Memory                    c             a, b, e, or m
  Magnetic Plated Wire                    c             c and f, or m
  Magnetic Resistive Memory               c             m
  Nonvolatile RAM (NOVRAM)                c or g        c, g, or m
  Read Only Memory (ROM)                  -             m
  Static Random Access Memory (SRAM)      c or g        c and f, g, or m
Equipment
  Cathode Ray Tube (CRT)                  g             q
Printers
  Impact                                  g             p then g
  Laser                                   g             o then g

Key to the methods listed in the matrix

a. Degauss with a Type I degausser.

b. Degauss with a Type II degausser.

c. Overwrite all addressable locations with a single character.

d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.

e. Overwrite all addressable locations with a character, its complement, then a random character.

f. Each overwrite must reside in memory for a period longer than the classified data resided.

g. Remove all power to include battery power.

h. Overwrite all locations with a random pattern, all locations with binary zeros, all locations with binary ones.

i. Perform a full chip erase as per manufacturer’s data sheets.

j. Perform i above, then c above, a total of three times.

k. Perform an ultraviolet erase according to manufacturer’s recommendation.

l. Perform k above, but increase time by a factor of three.

m. Destroy – Disintegrate, incinerate, pulverize, shred, or melt.

n. Destruction required only if classified information is contained.

o. Run five pages of unclassified text (font test acceptable).

p. Ribbons must be destroyed. Platens must be cleaned.

q. Inspect and/or test screen surface for evidence of burned-in information. If present, the cathode ray tube must be destroyed.
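Method d from the key above, as an added example that is not code from the page or from the DoD standard: it runs the three overwrite passes over a file-backed stand-in for the media and verifies that the final pass reads back as written. The file, block size and seeded random stream are constructed for the demo; note that the matrix itself sends flash (FEPROM) to a chip erase rather than to overwrite passes, so this only applies to media where a write actually reaches the addressed location.

```python
import hashlib
import os
import secrets
import tempfile

BLOCK = 4096  # constructed block size for the demo

def _random_block(seed: bytes, index: int, n: int) -> bytes:
    """Keyed-hash stream for block `index`: the verify pass regenerates the
    same bytes from the one-time seed instead of storing the whole random pass."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.blake2b(msg, key=seed, digest_size=64).digest()
        counter += 1
    return out[:n]

def _write_pass(fh, size: int, block_fn) -> None:
    """Overwrite every addressable location once, block by block, then fsync."""
    fh.seek(0)
    for index, offset in enumerate(range(0, size, BLOCK)):
        fh.write(block_fn(index, min(BLOCK, size - offset)))
    fh.flush()
    os.fsync(fh.fileno())

def _verify_pass(fh, size: int, block_fn) -> bool:
    """Read everything back and compare against what the pass should have written."""
    fh.seek(0)
    for index, offset in enumerate(range(0, size, BLOCK)):
        n = min(BLOCK, size - offset)
        if fh.read(n) != block_fn(index, n):
            return False
    return True

def sanitize_method_d(path: str, char: int = 0x55) -> bool:
    """Method d: a character, its complement, then a random character, and verify.
    Returns True only if the final pass reads back exactly as written."""
    size = os.path.getsize(path)
    seed = secrets.token_bytes(32)  # fresh per run; never reused
    passes = [
        lambda i, n: bytes([char]) * n,          # pass 1: the character
        lambda i, n: bytes([char ^ 0xFF]) * n,   # pass 2: its complement
        lambda i, n: _random_block(seed, i, n),  # pass 3: random
    ]
    with open(path, "r+b") as fh:
        for block_fn in passes:
            _write_pass(fh, size, block_fn)
        return _verify_pass(fh, size, passes[-1])

def demo() -> bool:
    """Constructed stand-in for the media: a 10 KiB file of marker text."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SECRET DATA " * 853)
        path = tmp.name
    try:
        ok = sanitize_method_d(path)
        with open(path, "rb") as fh:
            return ok and b"SECRET" not in fh.read()
    finally:
        os.unlink(path)
```

demo() returns True when the verify pass matches and none of the marker text survives; on real hardware the same routine would be pointed at the block device rather than a temporary file.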

Saint Seraphim of Sarov On Acquisition of the Holy Spirit

Introduction

Saint Seraphim of Sarov was born in 1759, in the city of Kursk. His parents were pious Orthodox Christians, examples of true spirituality. At the age of ten, Seraphim was miraculously healed from a serious illness by means of the Kursk icon of the Theotokos. As a boy, he immersed himself in church services and church literature. He began monastic life at the hermitage of Sarov at the age of nineteen. He was tonsured as a monk when he was twenty-seven, and soon afterwards was ordained a deacon. The intensity and purity of Seraphim’s participation in the Divine services are evident, as he was allowed to see angels, and during the liturgy on Holy Thursday he saw the Lord Himself.

At thirty-four, Seraphim was ordained as a priest, and was assigned as the spiritual guide of the Diveyevo convent. At this time, he also received a blessing to begin life as a hermit in the forest surrounding Sarov. He lived in a small cabin, devoting himself entirely to prayer, fasting, and the reading of the Scriptures and the Holy Fathers. Seraphim would go to the monastery on Sundays to receive Holy Communion; and then return to the forest. Continue reading “Saint Seraphim of Sarov On Acquisition of the Holy Spirit”

The Mystery of Confirmation

In the second Mystery of the Church we move from Easter to Pentecost, from participating in the death and resurrection of Christ to the coming of the Holy Spirit.  This Sacred Mystery, or Sacrament, is called chrismation or confirmation.

Receiving confirmation is receiving the “power from on high” the gift of the Spirit.  This empowers the baptised person to live the life made new in baptism.  We become temples of the Holy Spirit.  As we hear in the compline service, “Glory to You, our God, glory to You! Heavenly King, Consoler, the Spirit of Truth, present in all places and filling all things, the Treasury of blessing, and the giver of life: come and dwell in us, cleanse us of all stain and save our souls, O Good One!”  Consider that immediately after His baptism in the river Jordan, the Holy Spirit descended upon our Lord, with those amazing words “Behold my Son in whom I am well pleased.”  Our obedience to God, which begins with baptism, allows us to receive the indwelling Holy Spirit. Continue reading “The Mystery of Confirmation”

What Happens the First 40 Days After Death

By St. John Maximovitch

Limitless and without consolation would have been our sorrow for close ones who are dying, if the Lord had not given us eternal life. Our life would be pointless if it ended with death. What benefit would there then be from virtue and good deed? Then they would be correct who say: “Let us eat and drink, for tomorrow we die!”

But man was created for immortality, and by His resurrection Christ opened the gates of the Heavenly Kingdom, of eternal blessedness for those who have believed in Him and have lived righteously. Our earthly life is a preparation for the future life, and this preparation ends with our death. “It is appointed unto man once to die, but after this the judgment” (Heb 9:27). Then a man leaves all his earthly cares; the body disintegrates, in order to rise anew at the General Resurrection. Often this spiritual vision begins in the dying even before death, and while still seeing those around them and even speaking with them, they see what others do not see.

But when it leaves the body, the soul finds itself among other spirits, good and bad. Usually it inclines toward those which are more akin to it in spirit, and if while in the body it was under the influence of certain ones, it will remain in dependence upon them when it leaves the body, however unpleasant they may turn out to be upon encountering them.

For the course of two days the soul enjoys relative freedom and can visit places on earth which were dear to it, but on the third day it moves into other spheres. At this time (the third day), it passes through legions of evil spirits which obstruct its path and accuse it of various sins, to which they themselves had tempted it. Continue reading “What Happens the First 40 Days After Death”

Theosis – Deification as the Purpose of Man’s Life

By Archimandrite George
Abbot of the Holy Monastery of St. Gregorios on Mount Athos

DEIFICATION IS POSSIBLE THROUGH THE UNCREATED ENERGIES OF GOD

In the Orthodox Church of Christ man can achieve deification because, according to the teachings of the Holy Bible and the Fathers of the Church, the Grace of God is uncreated. God is not only essence, as the West thinks; He is also energy. If God was only essence, we could not unite with Him, could not commune with Him, because the essence of God is awesome and unapproachable for man, in accordance with: ‘Never will man see My face and live’ (Exod. 33:20).

Let us mention a somewhat relevant example from things human. If we grasp a bare electric wire, we will die. However, if we connect a lamp to that wire, we are illuminated. We see, enjoy, and are assisted by the energy of electric current, but we are not able to grasp its essence. Let us say that something similar happens with the uncreated energy of God.

If we were able to unite with the essence of God, we too would become gods in essence. In other words everything would become a god, and there would be confusion so that, nothing would be essentially a god. In a few words, this is what they believe in the Oriental religions, e.g. in Hinduism, where the god is not a personal existence but an indistinct power dispersed through all the world, in men, in animals, and in objects (Pantheism). Continue reading “Theosis – Deification as the Purpose of Man’s Life”

The Apostolic Canons

THE APOSTOLIC CANONS

Translated by Henry R. Percival, 1899.

The Canons of the Holy and Altogether August Apostles [Latin version adds: set forth by Clement, Pontiff of the Roman Church]

Canon I.

Let a bishop be ordained by two or three bishops.

Canon II.

Let a presbyter, deacon, and the rest of the clergy, be ordained by one bishop.

Canon III. (III. And IV.)

If any bishop or presbyter offer any other things at the altar, besides that which the Lord ordained for the sacrifice, as honey, or milk, or strong-made drink instead of wine, [the text here varies] or birds, or any living things, or vegetables, besides that which is ordained, let him be deposed. Excepting only new ears of corn, and grapes at the suitable season. Neither is it allowed to bring anything else to the altar at the time of the holy oblation, excepting oil for the lamps, and incense.

Canon IV. (V.)

Let all other fruits be sent home as first-fruits for the bishops and presbyters, but not offered at the altar. But the bishops and presbyters should of course give a share of these things to the deacons, and the rest of the clergy.

Canon V. (VI.)

Let not a bishop, presbyter, or deacon, put away his wife under pretence of religion; but if he put her away, let him be excommunicated; and if he persists, let him be deposed.

Canon VI. (VII.)

Let not a bishop, presbyter, or deacon, undertake worldly business; otherwise let him be deposed. Continue reading “The Apostolic Canons”

The priesthood according to Saint John Chrysostom

by Fr. John Behr,  Dean of Saint Vladimir’s Theological Seminary

In his work on the Priesthood, Saint John does occasionally speak in very high terms of the priest as the liturgical officiant, but his main concern is with the priestly ministry more generally, following the example of Christ, Who came to serve rather than to be served. As he puts it, while the priesthood is ranked among the heavenly ordinances, it is nevertheless enacted on earth. And the tasks of the priest are numerous: he was the teacher and moral guide of the community; he was the liturgical leader, deciding which catechumens should be admitted to baptism, and he presided at the Eucharist; he was the spiritual guide for those who wanted to lead more ascetic lives; he received guests from other churches; he maintained an elaborate system of charity for the care of strangers and the support of widows, orphans and the poor; he cared for the women who were ranked in the order of “virgins”.

Judging from his writings, it was the concern for the widows, the virgins, and the poor which caused him the greatest anxiety: he speaks of the holiness and knowledge necessary for such work, and also the endless patience and ability to steward alms in an irreproachable manner (On the Priesthood 3:12). Elsewhere, he mentions that in Antioch there were some 3,000 widows and virgins who were looked after by the Church. One can only imagine the immense amount of work that this required! Continue reading “The priesthood according to Saint John Chrysostom”

The Mystery of Baptism

“We acknowledge one baptism for the remission of sins.” -Nicene Creed

Baptism is the first of the Holy Mysteries, or Sacraments, of the Church.  A Mystery is a sacred and holy act through which God’s saving power, His grace, works upon the recipient.

In Protestant countries, and particularly in North America, the predominant view of Baptism is that of it being a symbolic act.  Baptism, in most Protestant churches, represents an act of obedience to Christ, an outward expression of an inward conviction.  It is generally believed that one must first hear the Gospel, believe in Christ, and then be baptised; that only people of accountable age who have made a profession of faith should be baptised remains the dominant evangelical position.  There are of course some variances and differences in the precise theology and expression, as well as some additional concerns for those Protestant churches that practice infant baptism, such as the Lutheran and Reformed churches.

The historic, and authentic, Orthodox-Catholic understanding of baptism is quite different, however.  The Orthodox-Catholic Church maintains the Sacramental efficacy of baptism as a true Mystery of our Lord.  It is essential to our salvation, to our place in the Church, to our walk with Christ.  Baptism is the foundation upon which the Christian life is built; it is the first Sacrament all Christians must receive.  In Baptism the person dies to sin and is born again into the spiritual life.  As St. John says, “no one can enter the kingdom of God without being born of water and Spirit.”
Continue reading “The Mystery of Baptism”