Posts Tagged ‘passwords’
How to choose a password according to Microsoft
Written by John P Mello Jr on July 30, 2010 – 3:24 pm -
Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be secure, if their system-wide use is policed.
That’s the conclusion a pair of Microsoft researchers and a Harvard computer science professor reached in a paper expected to be presented at the Hot Topics in Security workshop to be held in Washington, D.C. next month. The trio–Stuart Schechter, Cormac Herley and Prof. Michael Mitzenmacher–maintain that users can be allowed to adopt simple passwords as long as too many of them aren’t allowed to adopt the same password.
“We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want–so long as it’s not already too popular with other users,” they write in Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks.
One reason organizations impose password creation rules is to protect their users from brute force “dictionary” attacks. If a password can be found in a dictionary, then sooner or later a hacker will crack it. Passwords made up of non-words can foil such attacks. Passwords made up of hellacious combinations of upper- and lowercase letters, numbers and symbols are better yet. The problem for users, though, is that, for most of them, the most secure passwords are the hardest to remember.
Rather than modify user behavior–which is to damn security and choose as simple a password as possible–security pros often deploy a “three strikes and you’re out” lockout system to foil password horde attacks by hackers. With that system, if a password is entered incorrectly three times, the person attempting to log in to the account is locked out of it for a brief period of time. Crackers, who are great students of human behavior, quickly figured out a workaround to lockout schemes. The workaround has to do with how users choose passwords.
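The popularity rule the researchers propose can be sketched in a few lines of Python. This is an added example, not code from the article or from the paper: the count-min sketch, the cap of three users, the demo key and all names are assumptions made here for illustration.

```python
import hashlib
import hmac


class PopularityPolicy:
    """Accept any password until too many accounts already use it."""

    def __init__(self, key, max_users=3, rows=4, width=1024):
        self.key = key              # server-side secret (assumption of this example)
        self.max_users = max_users  # hypothetical popularity cap
        self.rows, self.width = rows, width
        self.table = [[0] * width for _ in range(rows)]

    def _cells(self, password):
        # One keyed hash per row, so counters are not indexed by the password itself.
        for row in range(self.rows):
            msg = bytes([row]) + password.encode("utf-8")
            digest = hmac.new(self.key, msg, hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def estimate(self, password):
        # Count-min estimate: never below the true count; collisions can only raise it.
        return min(self.table[r][c] for r, c in self._cells(password))

    def try_set(self, password):
        """Record the password and return True if it is still under the cap."""
        if self.estimate(password) >= self.max_users:
            return False  # too popular: the user must pick something else
        for r, c in self._cells(password):
            self.table[r][c] += 1
        return True


# Constructed sample: the order in which seven new users pick passwords.
SAMPLE = ["123456", "tigger", "123456", "123456", "123456", "tigger", "123456"]


def simulate(choices, max_users=3):
    policy = PopularityPolicy(key=b"constructed-demo-key", max_users=max_users)
    return [(pw, policy.try_set(pw)) for pw in choices]


if __name__ == "__main__":
    for pw, accepted in simulate(SAMPLE):
        print(f"{pw:8} {'accepted' if accepted else 'rejected: too popular'}")
```

With the cap at three, the fourth and fifth users who ask for 123456 are turned away, so a guesser who tries the single most common password can match at most three accounts.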
5 Tools for Email Password Recovery
Written by Mike Rede on April 13, 2010 – 4:03 pm -
How many electronic accounts do you have? If you’re like me you have usernames and passwords for everything from bank accounts to email accounts to accounts that are used to access personal hobby sites such as woodworking or auto mechanics.
And in any organization, employees may also have multiple accounts with different passwords which allow them to access departmental email as well as select user groups within their areas of expertise.
All of these accounts require passwords, but like our keys or our socks, we sometimes lose or forget them. Losing or forgetting the password to a specific email account can cause minor irritation for some but can also be a source of panic when needed emails cannot be accessed immediately. Fortunately, there are many password recovery applications on the market for administrators and IT departments to choose from.
Survey identifies worst password practices
Written by John P Mello Jr on February 9, 2010 – 5:40 pm -
20 percent of accounts could be compromised in 5000 attempts.
A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords.
The analysis conducted by the Imperva Application Defense Center discovered that 60 percent of users picked passwords from a limited set of alpha-numeric characters. What’s more, 50 percent of the watchwords were names, slang, dictionary words or trivial passwords, such as 123456 or “Password.”
What distinguishes this study from similar research in the past is that, rather than being based on user surveys, this analysis is based on a database of actual user passwords, which were stolen by a hacker and posted to the Internet as plain text.
“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,” the researchers wrote in their white paper.
“Ironically,” they added, “the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.”
When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here’s how the words fared against those benchmarks.
NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the filched watchwords contained seven characters or less. What’s more, more than 30 percent of them were six characters or less. By comparison, more than 28 percent of the passwords in the mix were greater than eight characters in length.
Christmas Checklist for Email Admins
Written by Paul Cunningham on December 24, 2009 – 3:59 pm -
The end of the year is upon us, and for most of us this means time off from work to celebrate Christmas with our families and take a much needed break. But before we shut down our computer and head out the door there are a few extra things that email admins need to think about.
Patches and Security Updates
Before taking an extended break is a good time to double check that your email servers are up to date with the latest security updates.
This includes updates for the server operating system, the email server application, and any other components on the servers such as backup agents, faxing software, and antivirus agents.
Even if your patching is automated it might pay to manually apply the latest updates now so that any problems that arise can be dealt with while you are still at the office. You don’t want to get a phone call while you’re relaxing because the server was knocked offline by an automated update.
Backups
A lot of businesses use the end of the year to take a full backup of systems to store as a long term archive. This is best performed while you are still available to assist with any issues and make sure that the backup is 100% successful and can be relied upon later for recovery if necessary.
At the same time some businesses halt their backups over the holidays if no staff will be present to change backup tapes. For Exchange servers it is important to ensure that enough transaction log space is available for the server to run without backups for a week or more.
Support Calls
Nothing is worse than getting phone calls on your holiday for simple questions or problems. If the business is still operating over the Christmas period and you might get phone calls from the Help Desk or on call staff then you can save yourself from being bothered by putting the right documentation and systems in place.
Troubleshooting Outlook Password Problems
Written by Mike Rede on October 21, 2009 – 4:44 pm -
Password problems can be perplexing – sorry, I couldn’t resist the tongue twister.
Seriously, administrators will have the challenge of correcting password issues under time constraints as business activities and users are all working toward completing projects on time. So having a tool chest of techniques for solving and correcting password issues is a requisite of any good administrator.
One problem that you will encounter from time to time is when passwords are not being kept by Outlook even though they have been specified to be retained. This may happen even if the “Save Password” box has been checked.
Several solutions have been offered on the internet.
Deleting User Account Information
One solution involves deleting the user account information and resetting the password. This method involves making changes to the Registry. As always, back up the registry before you touch it.
There are other times when Outlook doesn’t remember the passwords after the operating system has been reinstalled. The system is configured correctly in that the correct passwords are in the account properties but when the end user attempts to send or receive an email they get the username and password dialog box popup.
Disabling Prompts
Another solution you can try is to disable the prompt that asks to save passwords. Click the Start button in the lower left corner of the screen, then click Control Panel. In the Control Panel, double click Internet Options and select the Content tab. Next, click the AutoComplete button in the Personal Information section. Check the box for “User names and passwords on forms” and uncheck the box for “Prompt me to save passwords”. Then close Outlook, restart it and try your password again.


