Password Complexity Risk Assessment

It is a subject that is overlooked and ignored, but very real: are
complex passwords required, and are they an asset to the company? I know
one thing: they cost an awful lot of money to maintain.
What I have detailed below happened in one of the largest
manufacturing plants in the UK; it had been standard practice for
nearly a year.

On a pre-inspection walk down, I checked one of our DCS (Distributive
Computer Systems), just a housekeeping visit to make certain that all
was clean and tidy and there was nothing to evoke the regulator's
interest. There, on the side of the display unit, was a post-it with
an alphanumeric string of around 10 characters on it.

I could not relate this string to a user name (not there and then), but
I could go into the system and see which operator was starting, clearing
and accepting product batches, and yes, to my abject horror, it was the
same operator: nightshift, dayshift and weekends. It would appear
that the complexity of the password, along with the three-monthly
changing, had led to a lot of erroneous password entries and
subsequent lockouts, which closed down production until a suitable
person could reset it.

At weekends and meal times this was often a considerable amount of time.
Since closing the line was serious enough to warrant a severe telling-off,
along with adverse comment being inserted in the staff records, the staff
slowly became apprehensive about using their passwords. If there was one
there that everyone was certain about, they all used it. This is a very
serious cGMP breach, a practice the FDA require to lead to at least
the threat of dismissal.

So the moral of this is: why have complicated passwords when the
risk is that people will not use them? From the pharmaceutical point of
view the security lies in the history log much more than the password, i.e.
events are time- and date-sequenced and stamped; to hide an illegal
change is difficult and beyond the ability of all the users.


I have been observing this thread and would like to add to the topic.

Complexity of passwords might seem an unnecessary burden. Ask yourself the question: why do we use passwords?
Having an account lockout for 15 minutes is easy, but are the logs checked in case someone was indeed attempting to breach your system? We all know that a password can be broken; it's only a matter of time before it is broken. The use of complex passwords extends the time needed by modern-day hacking software/utilities, e.g. 8 plain characters might take 2 days to break, complex 8-character passwords 30 days (only an example). How can you keep your users accountable?

The way we have overcome the password problem, as well as using complex passwords, was to delegate the ability to unlock certain accounts only to supervisors and managers of the respective departments. Security logs are checked.

We have an SOP that governs computer usage, passwords, etc. Users are trained and checks are conducted frequently to enforce the policy.

You might argue that everything is in the audit trail, but the audit trail is not going to reflect security breaches. Yes, it will reflect changes on the system, but what if those unauthorised changes are critical to your business?

In my opinion, rather safe than sorry.

I read an earlier posting comparing passwords to banking PINs. Yes, you have a numeric password for life, but without the card you cannot be authenticated; for internet banking you normally have a PIN, card number and some form of password or other verification. If you read in the paper that someone hacked a banking site, your first instinct is to check your account and change your PIN.

The bottom line is the choice is yours.
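The question raised above, whether anyone actually checks the logs behind the lockouts, and the earlier post's shared-password operator, can both be answered from the authentication log alone. The following is an added example, not code from any poster or from any real DCS; the log lines are constructed, the line format (timestamp, event name, `user=`, `src=`) and the shift boundaries are assumptions, and the thresholds are illustrative. It flags three things: repeated failures against one account from one source (the lockouts that deserve a look), one source failing against many different accounts (password spraying, which a per-account lockout alone does not reveal), and an account that logs in successfully on every shift and at weekends (the one password everybody was "certain about").

```python
"""Review a constructed authentication log for lockouts worth investigating,
password spraying, and a single account used on every shift.

Added example; log lines, line format and shift pattern are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "<date> <time> <EVENT> user=<id> src=<host>"
SAMPLE_LOG = """\
2008-01-16 02:03:11 LOGIN_OK user=op17 src=hmi-03
2008-01-16 02:41:50 BATCH_START user=op17 src=hmi-03
2008-01-16 09:12:05 LOGIN_OK user=op17 src=hmi-01
2008-01-16 10:00:00 LOGIN_FAIL user=op22 src=hmi-02
2008-01-16 10:00:09 LOGIN_FAIL user=op22 src=hmi-02
2008-01-16 10:00:21 LOGIN_FAIL user=op22 src=hmi-02
2008-01-16 10:00:22 LOCKOUT user=op22 src=hmi-02
2008-01-16 11:15:30 LOGIN_FAIL user=op01 src=10.9.8.7
2008-01-16 11:15:31 LOGIN_FAIL user=op02 src=10.9.8.7
2008-01-16 11:15:32 LOGIN_FAIL user=op03 src=10.9.8.7
2008-01-16 11:15:33 LOGIN_FAIL user=admin src=10.9.8.7
2008-01-16 15:30:00 LOGIN_OK user=op17 src=hmi-02
2008-01-19 22:10:00 LOGIN_OK user=op17 src=hmi-03
2008-01-20 03:00:00 LOGIN_OK user=op05 src=hmi-03
"""

WINDOW = timedelta(minutes=5)   # illustrative correlation window


def parse(log_text):
    """Turn the assumed line format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "event": event,
            "user": kv.get("user"),
            "src": kv.get("src"),
        })
    return events


def failure_bursts(events, threshold=3, window=WINDOW):
    """{(user, src): failures} for accounts hit by >= threshold failures inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[(e["user"], e["src"])].append(e["ts"])
    flagged = {}
    for key, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def password_spraying(events, min_users=3, window=WINDOW):
    """{src: users} where one source failed against >= min_users distinct accounts inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = flagged.get(src, set()) | users
    return flagged


def shift_of(ts):
    """Assumed shift pattern: day 06:00-14:00, late 14:00-22:00, night otherwise."""
    if 6 <= ts.hour < 14:
        return "day"
    if 14 <= ts.hour < 22:
        return "late"
    return "night"


def accounts_on_every_shift(events):
    """Accounts with successful logins on day, late and night shifts and at a weekend."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN_OK":
            seen[e["user"]].add(shift_of(e["ts"]))
            if e["ts"].weekday() >= 5:
                seen[e["user"]].add("weekend")
    wanted = {"day", "late", "night", "weekend"}
    return sorted(u for u, s in seen.items() if wanted <= s)


def review(log_text):
    events = parse(log_text)
    return {
        "bursts": failure_bursts(events),
        "spraying": password_spraying(events),
        "shared_accounts": accounts_on_every_shift(events),
    }


if __name__ == "__main__":
    for name, result in review(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

On the constructed log this reports the three-failure burst that preceded the `op22` lockout, the host `10.9.8.7` trying four different accounts in four seconds, and `op17` as the account active on every shift. The lockout and the spray look identical if all you count is failures per account, which is why the source-side view is worth keeping alongside the per-account one.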

Where did the practice of changing passwords come from?

Is it for internal or external threats?

Not sure where the logic is in changing passwords, meyert; it just seems like an inconvenience to me!

I had heard that it came from the military, to limit the duration for which the enemy could know the password used with sentries. Anybody have a different hypothesis?

There is a parallel thread going on over at the Yahoo group…

Hi, I can't help but share what I learnt from one of the security courses that I attended.

Whether it's an internal or external threat depends on whether it's an open or closed system.

Many years back when systems were created, when memory was so expensive, passwords were allocated something like 4 to 16 numeric or alphanumeric characters. Hence the name "password" came about, because the user is asked to add a security token. Of course many users used their birthdate, house number or car-plate number for easy recall. But as technology progressed, those 16 characters with permutations of 26 letters and 10 digits were easily broken in hours by brute-force software.

About 10 years ago, the whole password concept was revisited; with cheaper memory and bigger hard disks, passwords are mostly set between 128 and 256 characters or even more.

The term now is to use passphrase instead of password.

The complexity of using upper-case, lower-case and also symbols is used to allow more permutations. With such permutations, a brute force will take years to cover all the available character sets.

So, instead of using a difficult password like "3VbmesYc%$$ab", users should use a familiar phrase; for example, if it's an accounting system, use something like "I hate the 2 account auditor!" or "Love 2 work here?".

For the discussion on audit trail logs, there are many security best practices, especially on configuring logging of all activities or selectively logging only those that are required.

For example, do you log successful logins or unsuccessful logins, or log successful changes or unsuccessful changes? Of course nowadays there are many reporting tools that selectively run trending and identify suspicious login activity trends.

Of course, this is the same reason why a control process is required for someone to monitor these activities.

But of course, for all the technology and available processes, the weakest link is still user practice. This is the same reason why you see people pasting post-it notes under the keyboard or even writing the password beside the monitor frame.

This is where security policies are one of the highest and most important requirements for all employees to read, understand and sign, to make sure they are aware of the complications and severity.

Hope this helps.
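The post above argues that a long familiar phrase beats a short random string because of the size of the search space. The following is an added worked example, not code from the post or from any course material, that puts numbers on that claim for the very strings the post mentions. It counts the character classes a password uses, computes the exhaustive search space at that length, and converts it to an expected time at an assumed rate of 10^9 guesses per second (an assumption chosen only to make the rows comparable; real rates depend on the hash and on the attacker's hardware). It models brute force only, as the post does; it says nothing about dictionary or pattern attacks, which is the caveat to remember before treating a quotable phrase as unbreakable.

```python
"""Brute-force search space of the password styles discussed in the thread.

Added example, not from the post. The guess rate and the character-class
model are assumptions; only exhaustive search is modelled, not dictionary
or pattern attacks.
"""
import math
import string

# Each class contributes its full alphabet once the attacker knows it occurs.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "punct": (set(string.punctuation), len(string.punctuation)),  # 32
    "space": ({" "}, 1),
}
ASSUMED_GUESSES_PER_SECOND = 1e9      # assumption, for comparison only
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Strings quoted in the thread plus two 8-character ones for the "plain vs complex" comparison.
CANDIDATES = [
    "password",                       # 8 plain characters
    "Passw0rd",                       # 8 characters, mixed classes
    "3VbmesYc%$$ab",                  # the random string from the post
    "I hate the 2 account auditor!",  # the passphrase from the post
    "Love 2 work here?",
]


def charset_size(password):
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(n for chars, n in CLASSES.values() if any(c in chars for c in password))


def keyspace(password):
    """Number of candidates of this length over that alphabet."""
    return charset_size(password) ** len(password)


def keyspace_bits(password):
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Average time to reach the password: half the keyspace at `rate` guesses/s."""
    return keyspace(password) / 2 / rate


def report(candidates=CANDIDATES, rate=ASSUMED_GUESSES_PER_SECOND):
    """Rows of (password, length, alphabet size, bits, expected years to crack)."""
    rows = []
    for pw in candidates:
        years = expected_crack_seconds(pw, rate) / SECONDS_PER_YEAR
        rows.append((pw, len(pw), charset_size(pw), round(keyspace_bits(pw), 1), years))
    return rows


if __name__ == "__main__":
    for pw, n, cs, bits, years in report():
        print(f"{pw!r:34} len={n:2} alphabet={cs:2} bits={bits:6.1f} years={years:.3g}")
```

At the assumed rate the 8-character plain password falls in minutes and the mixed-class 8-character one in days, which is the kind of gap the earlier "2 days versus 30 days" comparison was pointing at; the 13-character random string and the 29-character phrase are both out of reach of exhaustive search, with the phrase far ahead on bits. The phrase's weakness, a short dictionary of likely words and a sentence structure, is outside this model, so the bits figure is an upper bound on its strength, not a guarantee.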

Thank you Chandra for republishing a post I made to the 21 CFR Part 11 forum on January 16th 2008 at 4.03 am. It is indeed exactly word for word from start to finish.

It is polite and correct practice to include an acknowledgement when you copy or quote from work carried out by others.

Alex Kennedy


Happens all the time. Posts come over from there or vice versa.