
EDPACS

ISSN: 0736-6981 (Print) 1936-1009 (Online) Journal homepage: http://www.tandfonline.com/loi/uedp20

Understanding Passwords
Belden Menkus CISA, CSP, CCP, CRM
To cite this article: Belden Menkus CISA, CSP, CCP, CRM (1996) Understanding Passwords,
EDPACS, 23:8, 10-14, DOI: 10.1080/07366989609451703
To link to this article: http://dx.doi.org/10.1080/07366989609451703

Published online: 05 Jan 2010.

Download by: [112.133.232.13]

Date: 16 March 2016, At: 07:03

EDPACS

FEBRUARY 1996

Information systems auditors and security specialists will want to look for opportunities to:


• Make security automatic and rigorous, by encouraging the concepts of protect-all and always-call.
• Coordinate naming conventions for user IDs, data sets, and resources.
• Provide for the translation of user IDs, nodes, and other names between security software products and between communication networks.
• Centralize on a single means of identifying a user and determining what a user is permitted to do; for most MVS installations this will be one of the big three security software products. But it will not be sufficient merely to have one of these products implemented. A need exists to establish standards and enforce them in a manner that ensures that all information processing applications and purchased software will work within the overall security architecture and strategy.
• Develop a strategy to integrate DBR security with the rest of MVS security.
• Recognize those mainframe computers, communication networks, and W s that are connected, or are likely to be connected, to the organization's computers. This will facilitate identifying the degree of trust that is possible between these systems and initiating the type of security that can be based on that trust.
Stuart Henderson, CIA, CMA, CDP, is the president of the Henderson Group, Bethesda MD. He is an experienced systems programmer who consults and conducts courses in various information systems audit and security issues. Henderson concentrates on matters involving RACF, CA-ACF2, and CA-Top Secret and on concerns surrounding cross-platform security. He teaches CISA review courses for the national capital area chapter of the ISACA. Henderson is the founder of the New York RACF users group and the editor of its newsletter.

UNDERSTANDING PASSWORDS
BELDEN MENKUS
Passwords are the most frequently used mechanisms for authenticating the identity of a system user. However, using a password is not the only suitable authentication means. At least two other approaches merit consideration that employ some form of biometrics or some type of token. (Two new product offerings in these categories will be discussed in the next issue of EDPACS.)

BASIC ASSUMPTIONS
The basic assumptions in authenticating the purported identity of a potential information processing application user have not changed materially since 1985. That was when the Department of Defense issued its highly influential Password Management Guideline. The computer system access claim authentication process is based on something that the individual whose identity is being verified knows, possesses, is, or does:
• Those in the first two categories each involve the use of a surrogate. (This is something that substitutes for direct contact between the individual and the authentication mechanism.) This surrogate can be a distinctive password or passphrase, a magnetic stripe encoded card, or a special ring or keychain fob.
• Those in the second two categories involve the individual directly in the authentication process. These are the measurement of some physical characteristic of the person or of some action that this individual performs. This can be the shape of one's face or the pattern of the iris of one of the individual's eyes. This also might be the way in which one speaks some crucial words.
Two authentication mechanisms that could be demonstrated in theory to verify an individual's identity with suitable confidence have proved to be unacceptable in practice:
• Authentication was based on measuring the way in which a user signs his or her name. This recognition and verification process is based on assumptions about the consistency with which one might write one's signature; however, individuals are not always consistent in performing this function.
• Authentication was based on the uniqueness of a user's lip print. It became obvious early in the tests of this technique that most people objected to touching their lips to the metal plate that engaged in the recognition process.


HANDLING PASSWORDS
Three aspects to making effective use of passwords (or passphrases) exist:
• The way in which they are constructed.
• The manner in which they are safeguarded.
• The frequency with which they are changed.
Password Construction
Individual passwords should be distinctive and should not be deduced easily by a potential intruder who is attempting to break into the system. This precludes the use of such identifiers as individual employee social security numbers, cost-center accounting identification codes, or nicknames. This also precludes the use as passwords of such identifiers as common nouns or the names of favorite sports figures, music performers, or entertainers. To avoid the problems that may be associated with these practices it is preferable to avoid having the password defined by its potential user. Rather, the password should
be created by a system administrator and assigned on a random basis.


A password should be long enough to discourage discovery by some form of deduction, but it should be short enough to be remembered without being written down. Theoretically a password may be of any length, from a single character to as long a character string as the operating system will allow. Preferably a password should be from six to eight characters long. Within this limit a password may be constructed from one of three options:
• A series of numeric characters.
• A series of alphabetic characters.
• A combination of numeric and alphabetic characters and any printing keyboard characters that are not reserved for some particular operating system or information processing application use.
Both uppercase and lowercase alphabetic characters may be used. Employing this type of straightforward structure is preferable to employing some more complicated approach. The justification usually offered for a more complicated approach is the presumption that including personal information related to the password user will make it easier for this person to remember the actual character arrangement. For example, a complicated array may be composed from some combination of the individual's social security number, the birthdate of a child, the abbreviation of one of the states, and two numerals from this user's personal automobile license plate.
The number of password possibilities is determined by a combination of the character length that has been selected and the character set structure. A six-character all-numeric password arrangement would have about 1 million combinations. By contrast, a six-character password array that includes numbers as well as uppercase and lowercase letters would have about 1.7 million combinations. (The use of both uppercase and lowercase letters typically is described as a case-sensitive arrangement.) An eight-character password structure that encompasses the 17 standard printing keyboard symbols plus numbers and uppercase and lowercase letters would have about 268 million combinations.
Some of the password possibilities in each of these arrangements will not be suitable, since they will be guessed by a possible intruder too easily. These include passwords that are constructed from a series of identical numeric or alphabetic characters, or ones that have been created from the numeric or alphabetic characters or the keyboard symbols in sequence.
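As an added illustration, not code from Menkus's article: the product rule behind the paragraph above (character set size raised to the password length) computed exactly, together with a filter for the all-identical and in-sequence strings the text says to exclude. The 17-symbol set and the US keyboard rows are assumptions standing in for the article's "17 standard printing keyboard symbols"; the exact products come out larger than the rounded figures quoted in the text (62^6 alone is about 56.8 billion).

```python
import math
import string

NUMERIC = string.digits          # 10 characters
ALPHA = string.ascii_letters     # 52 characters, both cases
# Assumptions: one plausible set of 17 printing symbols, and US keyboard rows.
SYMBOLS_17 = "!@#$%^&*()-_=+,.?"
KEYBOARD_ROWS = ("`1234567890-=", "~!@#$%^&*()_+", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")


def keyspace(charset_size: int, length: int) -> int:
    """Distinct strings of exactly `length` characters drawn from the set."""
    return charset_size ** length


def bits(charset_size: int, length: int) -> float:
    """The same keyspace expressed as bits of entropy, for comparison."""
    return length * math.log2(charset_size)


def is_trivial(password: str) -> bool:
    """True for the patterns the article says to exclude: a run of identical
    characters, or characters taken in sequence (by code point or keyboard row)."""
    if len(password) < 2 or len(set(password)) == 1:
        return True
    codes = [ord(c) for c in password]
    if {b - a for a, b in zip(codes, codes[1:])} in ({1}, {-1}):
        return True
    low = password.lower()
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def article_arrangements() -> dict[str, int]:
    """Exact keyspace of the three arrangements the article discusses."""
    return {
        "six numeric": keyspace(len(NUMERIC), 6),
        "six alphanumeric, case-sensitive": keyspace(len(NUMERIC + ALPHA), 6),
        "eight with 17 symbols": keyspace(len(NUMERIC + ALPHA + SYMBOLS_17), 8),
    }


if __name__ == "__main__":
    for name, n in article_arrangements().items():
        print(f"{name}: {n:,} strings, {math.log2(n):.1f} bits")
    for candidate in ("111111", "123456", "zyxwvu", "!@#$%^", "k7Qz2m"):
        print(candidate, "trivial" if is_trivial(candidate) else "usable")
```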

How the Passwords Are Safeguarded


Protecting passwords involves providing a safe means for issuing and distributing them. An examination of the means that can be employed for protecting the larger network of which the password user is a part is beyond the scope of this article. Among the issues that belong in such a discussion are:

• The means that are employed to encrypt passwords while they are maintained at the network central node and while they are being transmitted between the user and the node.
• Providing a means for maintaining multiple passwords for an individual user who must have access to separate information processing applications that function within the larger computing environment.
• Maintaining a secure audit trail of both password changes and unsuccessful access attempts.
An organization can create its own store of possible passwords. Doing this can prove, however, to be a time-consuming and expensive process. It is preferable instead to employ one of the software products (available through the Internet) that generate suitable passwords and present them on a random basis to individuals who are seeking a new password. Individual passwords should appear on the video display screen only in connection with their being issued.
It should not be possible for a user to print a password out through the system or to relay it to someone else through the communication network. When a password is entered it should not be echoed back routinely to the user. This will prevent its inadvertent display and observation by a potential intruder, or at some intermediate network node or server.
Ideally the individual who is using a password should be encouraged to remember it and not record it anywhere in any form. In most instances, that is not a realistic expectation. A possible compromise involves encouraging, or even requiring, password users to employ a communication-access product that permits them to maintain their current password under one of the product's hot keys. (Such an arrangement, incidentally, precludes password sharing by several different individuals in a work group. The use of group passwords should be prohibited.) Maintaining a password under a hot key ensures that the password user does not require some further mechanism for remembering the password and that the user need only be concerned with it when it is necessary to replace the password that has been in use with a newly changed one.


RETRIES: THE HUMAN FACTOR
Human mistakes can include entering a password in error or entering the wrong password. Normally, an individual making such a mistake will be allowed to retry entering the password. In most instances, two or three retries will be permitted. (Allowing for additional attempts raises the possibility that the seeming errors really are attempts by an intruder to gain access to the system.)
When the limit on password retries is reached, the system should react positively. The simplest response is to terminate the connection and to force the individual who is seeking access to begin the log-on process again. (Under this approach no particular overhead is added to either the system administration or information system security functions; however, this practice will do little to discourage a determined individual engaged in trying to extract an acceptable password from

the system.) A preferable response when the password retry limit has been reached is to disable the system account. Under this approach the direct intervention of either the information systems security function or the system administrator is required to reactivate the user connection. (This intervention will be comparable to that which will be required when the user has forgotten the current password.)

CHANGING A PASSWORD
To make things more difficult for a prospective intruder, individual passwords should be changed periodically. Ideally, this should be required for all system users four to six times a year. Whatever change frequency has been established, it may be increased if the number of unauthorized access attempts exceeds whatever threshold has been established.
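As an added illustration, not code from the article: a small account store that applies the retry limit and account-disable response described under Retries, keeps the audit trail of password changes and unsuccessful attempts called for in the safeguarding list, and reports a correct password as overdue against a change interval taken from the four-to-six-times-a-year guidance above. The retry limit of 3, the 90-day interval, the PBKDF2 storage and the integer day numbering are assumptions of this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass
MAX_RETRIES = 3     # the article permits two or three retries
MAX_AGE_DAYS = 90   # about four changes a year, the low end of the article's range

@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_on: int          # day number of the last password change
    failures: int = 0
    disabled: bool = False

def _digest(salt: bytes, password: str) -> bytes:
    # Only a salted, iterated hash is kept; the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordStore:
    """Counts retries, disables at the limit, and keeps the audit trail."""
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit: list[tuple[int, str, str]] = []   # (day, user, event)

    def set_password(self, user: str, password: str, day: int) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _digest(salt, password), day)
        self.audit.append((day, user, "password changed"))

    def reactivate(self, user: str, day: int) -> None:
        # Administrator intervention is the only way out of the disabled state.
        self.accounts[user].failures = 0
        self.accounts[user].disabled = False
        self.audit.append((day, user, "reactivated by administrator"))

    def login(self, user: str, password: str, day: int) -> str:
        acct = self.accounts.get(user)
        if acct is None or acct.disabled:
            return "disabled"            # nothing further until an administrator acts
        if not hmac.compare_digest(acct.digest, _digest(acct.salt, password)):
            acct.failures += 1
            self.audit.append((day, user, f"unsuccessful attempt {acct.failures}"))
            if acct.failures >= MAX_RETRIES:
                acct.disabled = True
                self.audit.append((day, user, "disabled: retry limit reached"))
                return "disabled"
            return "retry"
        acct.failures = 0                # a successful log-on resets the counter
        if day - acct.changed_on > MAX_AGE_DAYS:
            return "expired"             # right password, but overdue for a change
        return "ok"
```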

Belden Menkus, CISA, CSP, CCP, CRM, is the editor of EDPACS. He is a principal in Menkus Associates, consultants in information systems auditing, security, and quality in Manchester TN.

THE FUTURE OF ELECTRONIC CASH
ALFRED JULIAN
Electronic cash can be expected in the near future to affect significantly information systems control and audit. This communication-based method of transporting and dispersing funds already is in limited testing. It is anticipated that electronic cash will be an everyday reality worldwide by early in the next decade. It is envisioned that cyberfunds will emerge from the anticipated spread of smart card commercial funds transactions. Both the nature of this concept and the way in which it functions can be expected to be modified significantly over the next several years. The concurrent use of these electronic funds along with more conventional funds transfer mechanisms may continue for some time.

THE FUNDS MOVEMENT OPTIONS
The existing financial, legislative, and judicial processes have failed largely to address the use of electronic cash in any organized fashion. However, the evolution of electronic cash will divide it into two types. One type may be considered as recognized funds