Previous | Table of Contents | Next |
User Authentication
The issues related to passwords in a two-level sign-on environment can be divided into three groups. First are the password characteristics, such as minimum and maximum length. Second are the rules for entering or using passwords, such as how many guesses or attempts are permitted and what happens when the maximum number of attempts has been reached without the end user completing the sign-on process. Third are other issues, such as how often (or when) an end user should have to re-enter his or her password, and how many different passwords an end user should need in order to perform his or her assigned responsibilities.
Password Characteristics. Enterprise senior management or information systems management personnel decide what the password characteristics will be as systems are implemented. These characteristics are likely to include many of the items discussed in the following sections, and may occasionally include characteristics not discussed here.
Password Length. The security subsystem may permit setting both minimum and maximum lengths. Passwords should rarely have a minimum length of less than four or five positions, because short passwords are both easier to guess and easier to observe over an end user's shoulder. Mathematically, a single-character password in which any letter or digit is permitted (and case is ignored) provides 36 choices, and each additional position multiplies the number of possible passwords by 36.
The IT auditor may find it difficult to believe that anyone would attempt to guess the password of another end user 1000 times, and impossible to imagine 1 million or more attempts. But programmers have written applications that begin with the first one-character password and continue trying passwords until one is found that grants access. These applications have all of the patience required to make thousands, millions, or more attempts if the system permits them.
Minimum Password Length. No laws or regulations dictate what minimum password length is sufficient to reduce the risk of someone guessing an end user's password to an acceptable level. Over time, IT auditors have reached general concurrence that a minimum length of four or five positions reduces the risk to acceptable levels, particularly when combined with the log-in controls discussed later in this section.
Maximum Password Length. The arithmetic above is not intended to suggest that more is necessarily better. A password length of ten positions permits 36 to the tenth power, more than 3.5 quadrillion, possible passwords, which is likely to be more than enough to frustrate even the most persistent password guesser, even if the frustration comes only from waiting for the password-guessing program to succeed. Thus the IT auditor should carefully consider any situation in which passwords of more than ten, or even eight, positions are permitted. If the system provides for setting a minimum password length, it is likely to also provide for setting a maximum length.
Other Password Characteristics. The password length is in some ways the easiest item to control. Other characteristics that may be controlled are repeating characters in passwords, sequential characters in passwords, and requiring special characters to be included in passwords.
Repeating Characters. End users generally do not view passwords as one of the best parts of their experience working with information systems. Because of this, end users may occasionally select passwords that are easy to remember rather than passwords that are not easily guessed. The simplest such password is a single character repeated until the minimum length is reached. If the security software can reject passwords of this form, the security administrator should enable that restriction as a simple and direct way to improve the reliability of passwords.
Sequential Characters. The end user may weaken the password as a control by selecting passwords that are sequential, whether the sequence is numeric (123) or alphabetic (ABC). If the security software permits it, the security administrator should block this type of password construction. If available, this restriction may also eliminate the palindrome, a character string that reads the same forward or backward (e.g., abcba).
Special Characters. The 36 choices mentioned previously represent the digits 0 through 9 and the letters a through z. The standard 128-character (ASCII) set used on personal computers includes many codes intended for control, graphical, or system use only. The characters actually available for use are the printable ones found on a standard keyboard, which include #, /, ?, and }, among others.
Some security software permits the security administrator to require the inclusion of one of these special characters in a particular position or positions. This increases the number of alternatives available for a single position from 36 to as many as 68 (the 36 alphanumerics plus the 32 printable punctuation characters). At one time, using this feature was considered effective, and there may continue to be many situations in which it increases security. The risk is that it will over-complicate the password, causing the user to write it down and so increasing the risk that the password is disclosed.
Required Positions. Another option, one that makes passwords more difficult to guess but also reduces the number of unique possible passwords, permits the security administrator to specify what type of character must appear in each password position. The reduction follows directly from the restriction: a position that must hold a digit offers 10 choices rather than 36 or more. The security administrator might set a positional rule such as ANS??AV, where the meaning of each code letter is defined by the security software in use.
Positional password rules should be implemented in a way that eliminates the need for some of the other password control features previously discussed. The IT auditor should always remember that nothing ensures the need for the other features will actually be eliminated, or that features which are no longer needed will be turned off. These rules may conflict with one another when no strategic direction exists to provide consistency and effectiveness.
IT auditors should take care to understand the security functions of their systems. Some systems resolve rule or parameter conflicts through preprogrammed hierarchies that determine which feature takes precedence. Other systems simply disable all of the conflicting features, which can leave the enterprise exposed even though anyone auditing or reviewing the security software settings will find only what appear to be settings that should be securing the systems environment.
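The password characteristics discussed above (length limits, repeated and sequential characters, palindromes, required special-character positions, and positional rules) are straightforward to express as checks, and doing so makes the keyspace arithmetic concrete. The following is an added example written for this page, not code from the original text or from any particular security product. It assumes a hypothetical set of positional codes (A = alphabetic, N = numeric, S = special, ? = any), since the page does not define what its ANS??AV codes mean, and it uses the case-insensitive 36-character alphabet the text uses for its 36-choices figure.

```python
"""Password-characteristic checks of the kind an IT auditor would expect to find.

Added example for this section; the positional codes A/N/S/? are an assumption
for illustration, not the definition used by any real security product.
"""
import string

# The 36 "choices" from the text: digits plus case-insensitive letters.
ALPHANUMERIC = string.digits + string.ascii_lowercase
# The 32 printable punctuation characters on a standard keyboard (space excluded).
SPECIAL = string.punctuation

# Hypothetical positional codes (assumption for this example only).
CLASSES = {
    "A": string.ascii_lowercase,   # alphabetic
    "N": string.digits,            # numeric
    "S": SPECIAL,                  # special character
    "?": ALPHANUMERIC + SPECIAL,   # any printable character
}


def keyspace(length, alphabet_size=36):
    """Number of distinct passwords of exactly `length` positions."""
    return alphabet_size ** length


def positional_keyspace(rule):
    """Number of distinct passwords that satisfy a positional rule such as 'ANS??'."""
    total = 1
    for code in rule:
        total *= len(CLASSES[code])
    return total


def has_repeated_run(pw, run=3):
    """True if any character occupies `run` or more consecutive positions (aaa)."""
    pw = pw.lower()
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def has_sequential_run(pw, run=3):
    """True if `run` consecutive letters or digits step up or down by one (abc, 321)."""
    pw = pw.lower()
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not (window.isdigit() or window.isalpha()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def is_palindrome(pw):
    """True if the password reads the same forward and backward (abcba)."""
    pw = pw.lower()
    return len(pw) >= 3 and pw == pw[::-1]


def matches_positional_rule(pw, rule):
    """True if the password has exactly len(rule) positions, each in its required class."""
    return len(pw) == len(rule) and all(
        c in CLASSES[code] for c, code in zip(pw.lower(), rule)
    )


def check_password(pw, min_len=5, max_len=10, rule=None, special_positions=()):
    """Return the list of violated characteristics; an empty list means acceptable.

    `special_positions` are zero-based indexes that must hold a special character,
    the 'required position' feature from the text. When `rule` is given, every
    position is checked against the hypothetical positional codes above.
    """
    violations = []
    if len(pw) < min_len:
        violations.append("too short")
    if len(pw) > max_len:
        violations.append("too long")
    if has_repeated_run(pw):
        violations.append("repeated characters")
    if has_sequential_run(pw):
        violations.append("sequential characters")
    if is_palindrome(pw):
        violations.append("palindrome")
    for pos in special_positions:
        if pos >= len(pw) or pw[pos] not in SPECIAL:
            violations.append(f"position {pos + 1} must be a special character")
    if rule is not None and not matches_positional_rule(pw, rule):
        violations.append(f"does not match positional rule {rule}")
    return violations


if __name__ == "__main__":
    # Free-form five-position passwords versus the same length under a positional rule.
    print("36^5 alphanumeric:", keyspace(5))
    print("68^5 with punctuation:", keyspace(5, 68))
    print("ANS?? positional rule:", positional_keyspace("ANS??"))
    for candidate in ("aaaab", "1234567", "p4ss#w0rd", "a1#xy"):
        print(candidate, "->", check_password(candidate, rule=None) or "ok")
    print("a1#xy under ANS??:", check_password("a1#xy", rule="ANS??") or "ok")
```

Running the module prints the keyspace comparison the Required Positions paragraph describes: five free-form positions drawn from 68 characters give about 1.45 billion possibilities, while the rule ANS?? allows only about 38 million, because the first three positions are confined to 26, 10, and 32 choices. The conflict noted above is visible too: a rule whose S position already forces a special character makes a separate `special_positions` requirement on that position redundant, and an auditor reading only the settings cannot tell whether the product applies one, both, or neither.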
As previously described, the two most common end-user sign-on techniques are single-level and multiple-level sign-ons. Once the enterprise chooses the log-in technique, several more decisions follow. The decisions required by a single-level sign-on are much less complex than those required by a multiple-level sign-on.
Single-Level Log-in
The end user types his or her identification code into the indicated field on the screen and takes whatever action is required for the computer to process the entry. The computer takes the entered information and compares it with the security database. If the end-user identification code is found, access is granted as provided for in the security database. The IT auditor should note that a successful log-in in this situation means that one of three things is true: