Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be secure, if their system-wide use is policed.

That’s the conclusion of a pair of Microsoft researchers and a Harvard computer science professor reached in a paper expected to to be presented at the Hot Topics in Security workshop to be held in Washington, D.C. next month. The trio–Stuart Schechter, Cormac Herley and Prof. Michael Mitzenmacher–maintain that users can be allowed to adopt simple passwords as long as too many of them aren’t allowed to adopt the same password.

“We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want–so long as it’s not already too popular with other users,” they write in Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks.

One reason organizations impose password creation rules is to protect their users from brute force “dictionary” attacks. If a password can be found in a dictionary, then sooner or later a hacker will crack it. Passwords made up of non-words can foil such attacks. Passwords made up of hellacious combinations of upper- and lowercase letters, numbers and symbols are better yet. The problem for users, though, is that, for most of them, the most secure passwords are the hardest to remember.

Rather than modify user behavior–which is to damn security and choose as simple a password as possible–security pros often deploy a “three strikes and you’re out” lockout system to foil password horde attacks by hackers. With that system, if a password is entered incorrectly three times, the person attempting to log in to the account is locked out of it for a brief period of time. Crackers, who are great students of human behavior, quickly figured out a workaround to lockout schemes. The workaround has to do with how users choose passwords.

In an analysis of some 32 million pilfered passwords performed earlier this year by a security firm, it was discovered that 60 percent of the users chose passwords made from a limited set of alpha-numeric characters. Worse yet, 50 percent of the passwords were names, slang, dictionary words or trivial passwords, such as 123456 or “Password.” Internet grifters are well aware of those tendencies among users. So what they do is rather than trying to direct thousands of attempts at an account to crack its password, they take the most common passwords used by users and direct them at thousands of accounts. Not only does that skirt lock-out defenses, but it’s much more efficient than a brute force dictionary attack.

That kind of common password attack, though, can be blunted by adopting the methods proposed by the authors of Popularity Is Everything. Their system calls for limiting the number of times a particular password can be used. So even if an intruder guesses a correct password, he or she would only be able to compromise a handful of accounts at the most.

“Replacing password creation rules with popularity limits has the potential to increase both security and usability,” the researchers contend in their paper. “Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”

“We conjecture that usability also increases,” they continue. “System designers no longer need to create increasingly complex password-selection rules with no guarantee that they will result in truly strong passwords. Users needn’t read, learn, or interpret these rules. Instead, users are only inconvenienced when their password choice is one that would lead to a [quantifiable] unacceptable level of vulnerability to a statistical guessing attack.”

Although the password philosophy advocated by the researchers has yet to undergo close scrutiny from the security community, steering users away from common passwords has gained some traction at one of the largest social networks on the Internet.

“Twitter, in responding to an online password guessing attack that exploited their failure to lock out guessers, now forbids 390 of the most common passwords,” the researchers noted. “It would appear that Twitter decided that this inconveniences their users less than the introduction of cumbersome password policies.”

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

How to choose a password according to Microsoft

How many electronic accounts do you have? If you’re like me you have usernames and passwords for everything from bank accounts to email accounts to accounts that are used to access personal hobby sites such as woodworking or auto mechanics.

And in any organization, employees may also have multiple accounts with different passwords which allow them to access departmental email as well as select user groups within their areas of expertise.

All of these have accounts require passwords but like our keys or our socks we sometimes lose or forget them. Losing or forgetting your password to specific email accounts can cause minor irritation for some but can also be a source of panic when needed emails cannot be accessed immediately. Fortunately, there are many password recovery applications on the market for administrators and IT departments to choose from.

Here are five tools on the market for Email Password Recovery.

1. Outlook Password Recovery Master is an application which can display the logins and the passwords for all email accounts that have been created in Microsoft Outlook. It can also be used for recovering passwords for Microsoft Outlook personal folder files (outlook pst passwords).
   • Microsoft Outlook 2003 and earlier version support.
   • Instant password recovery.
   • Storing of recovered passwords in formatted text file.
   • Copying and pasting recovered passwords using the clipboard.
   • Easy and intuitive graphical user interface.

It can be downloaded from the following site: http://www.rixler.com/outlook_password_recovery.htm

This application is very easy to run and has a graphical interface that is very intuitive. Just start up the application and it will recover passwords instantly. It also has the capability to discover server addresses and the type, login and password of all email accounts on the server. As mentioned previously, any password protected personal folder files that are registered with the Microsoft Outlook can also be discovered along with their respective file names and passwords associated with the pst files. And if the passwords contain non-English characters those passwords can still be recovered. Password recovery of non-English passwords is a feature not found in many password recovery applications.

Additional features and benefits include:

2. Atomic Mailbox Password Recovery has a user-friendly interface and a very nice help feature that provides extra tips about restoring lost passwords. The password recovery process takes very little time and can be completed in as little as five minutes after installation of the software.

Atomic Mailbox Password Recovery can be downloaded from the following site:
http://www.massmailsoftware.com/password/email-pwd.htm

3. Mail Password Recovery 1.1 is an application that enables the recovery of passwords that have been stored in your email program for any Post Office Protocol (POP3) account. To enable the recovery of passwords an administrator has to change the email program settings – just temporarily – such that the email program is allowed to connect to Mail Password Recovery. Once a connection is made then the end user’s password can be recovered.

The methodology used to recover the passwords is that Mail Password Recovery will emulate a local POP email server which allows it to capture and reveal the stored password upon connection. The only requirement is that the target email program must have the accounts and passwords stored so that Mail Password Recovery can recover the password.

Mail Password Recovery is authored by “Aleksandar Boros” and can be found on many freeware sites by performing an Internet search.

Mail Password Recovery is compatible with the following operating systems:  Win9x, NT4, ME, Windows 2000 and Windows XP.

4. Mail PassView is a small password recovery tool that can recover the passwords and other account details of many applications including:  Microsoft Outlook 2000 (POP3 and SMTP accounts only), Microsoft Outlook 2002, 2003, 2007 (POP3, IMAP, HTTP and SMTP accounts), Windows Mail, Windows Live Mail, Yahoo! and Hotmail accounts.

Mail Passview can be downloaded from the following site: http://www.nirsoft.net/utils/mailpv.html

When Mail PassView is run it can display the following information: account name, application, email, server, type (POP3, IMAP, SMTP), username and password.

5. SniffPass is an application that captures passwords of email programs that are not supported by Mail PassView. It is a small password monitoring software application that will listen on the network and capture and display passwords as they pass through your network adapter. The following protocols are supported by SniffPass: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords). This application can also be used to recover lost Web or FTP passwords.

SniffPass can be downloaded from the following site: http://www.nirsoft.net/utils/password_sniffer.html

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

5 Tools for Email Password Recovery

20 percent of accounts could be compromised in 5000 attempts.

A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords.

The analysis conducted by the iMperva Applications Defense Center discovered that 60 percent of users picked passwords from a limited set of alpha-numeric characters. What’s more, 50 percent of the watchwords were names, slang, dictionary words or trivial passwords, such as 123456 or “Password.”

What distinguishes this study from similar research in the past is that, rather than being based on user surveys, this analysis is based on a database of actual user passwords, which were stolen by a hacker and posted to the Internet as plain text.

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,” the researchers wrote in their white paper.

“Ironically,” they added, “the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.”

When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here’s how the words fared against those benchmarks.

NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the filched watchwords contained seven characters or less. What’s more, more than 30 percent of them were six characters or less. By comparison, more than 28 percent of the passwords in the mix were greater than eight characters in length.

In addition to making passwords at least eight characters long, NASA, as well as many security experts, recommend a watchword be a combination of upper and lower case letters, numbers and special characters, such as !@#$%^&*()+. If there is only one special character, it should not be either the first or last character in the password.

Needless to say, the passwords plucked by the hacker were woefully inadequate in the character choice department. Only 36.94 percent of the watchwords used numbers and letters and a mere 3.81 percent had special characters in them. The largest portion of the passwords (41.69 percent) used only lowercase letters. Another 15.94 percent used only numbers, while 1.62 percent limited their choices to only uppercase letters.

Based on length and character composition, only 0.2 percent of the 32 million passwords in the sample met NASA standards and could be considered strong passwords, the researchers said.

But there’s a third standard. It says passwords should not be a name, slang or word in a dictionary, nor should they include any part of the creator’s name or email address. That’s not the case for the 5000 most popular passwords shared by 20 percent of the users in the database studied by the researchers.

If the 5000 top passwords were used by a hacker as the basis for a dictionary to mount a brute force attack, the researchers point out, it would only take one attempt to guess 0.9 percent of the users’ passwords per every 111 attempts. Using a DSL connection with an upload rate of 55KBPS and assuming each attempt is 0.5KB in size, a hacker could perform 100 attempts a second at a site. At that rate, about one account would be compromised every second. In 17 minutes, 1000 accounts could be compromised.

But it gets worse, according to the researchers. “After the first wave of attacks,” they observed, “it would only take 116 attempts per account to compromise five percent of the accounts, 683 attempts to compromise 10 percent of accounts and about 5000 attempts to compromise 20 percent
of accounts.”

What’s a system administrator to do to avoid this kind of nightmare descending on their organization? The researchers made these recommendations.

• Enforce a strong password policy. If you give the users a choice, it is very likely that they would choose weak passwords.
• Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
• Make sure passwords are not kept in clear text. Always digest passwords before storing to a database.
• Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slow for any practical purposes even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker such as CAPTCHAs, computational challenges, etc.
• Employ a password change policy. Trigger the policy either by time or when a system compromise is suspected.
• Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Survey identifies worst password practices

The end of the year is upon us, and for most of us this means time off from work to celebrate Christmas with our families and take a much needed break.  But before we shut down our computer and head out the door there are a few extra things that email admins need to think about.

Patches and Security Updates

Before taking an extended break is a good time to double check that your email servers are up to date with the latest security updates.

This includes updates for the server operating system, the email server application, and any other components on the servers such as backup agents, faxing software, and antivirus agents.

Even if your patching is automated it might pay to manually apply the latest updates now so that any problems that arise can be dealt with while you are still at the office.  You don’t want to get a phone call while you’re relaxing because the server was knocked offline by an automated update.

Backups

A lot of businesses use the end of the year to take a full backup of systems to store as a long term archive.  This is best performed while you are still available to assist with any issues and make sure that the backup is 100% successful and can be relied upon later for recovery if necessary.

At the same time some businesses halt their backups over the holidays if no staff will be present to change backup tapes.  For Exchange servers it is important to ensure that enough transaction log space is available for the server to run without backups for a week or more.

Support Calls

Nothing is worse than getting phone calls on your holiday for simple questions or problems.  If the business is still operating over the Christmas period and you might get phone calls from the Help Desk or on call staff then you can save yourself from being bothered by putting the right documentation and systems in place.

Make sure your fellow IT staff know how to troubleshoot email problems and have the minimum level of access they will need to deal with routine support issues.

You can also avoid simple support requests such as spam quarantine releases by putting in systems that support end user self-service for those functions.

Passwords

Most networks have a password policy that forces a new password to be chosen every 30 or so days.  Depending on the remote access infrastructure in place it is not always possible to update an expired password via remote access.

I’ve been caught out by this before and had to drive into work on holidays to fix an issue that would have taken me 5 minutes over remote access, all because my password had expired.

Take a moment before you go away on holidays to update the passwords on any accounts that you need so that they won’t expire again for another 30 days.

Lock the Door Behind You

Ever created an account with a weak password just for a “quick test” and then forgotten to delete the account afterwards?  Spend some time checking your email servers and accounts for any test accounts or other administration oversights that might lead to a security breach while you are away.

Remember that hacking activity increases over holiday periods both because the hackers are bored and because they know a lot of networks are unmanned during these times.

Double check your firewalls and other access points to make sure they are still locked down the way you intended.

This can all mean the difference between returning from holidays to a healthy network or starting off the new year with a disaster on your hands.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Christmas Checklist for Email Admins

Password problems can be perplexing – sorry I couldn’t resist the tongue twister

Seriously, administrators will have the challenge of correcting password issues under time constraints as business activities and users are all working toward completing projects on time. So having a tool chest of techniques for solving and correcting password issues is a requisite of any good administrator.

One problem that you will encounter from time to time is when passwords are not being kept by Outlook even though they have been specified to be retained. This may happen even if the “Save Password” box has been checked.

Several solutions have been offered on the internet.

Deleting User Account Information

One solution involves deleting the user account information and resetting the password. This method involves making changes to the Registry. As always, anytime you touch the registry you should always back it up first.

There are other times when Outlook doesn’t remember the passwords after the operating system has been reinstalled. The system is configured correctly in that the correct passwords are in the account properties but when the end user attempts to send or receive an email they get the username and password dialog box popup.

Disabling Prompts

Another solution you can try is to disable the prompt that asks to save passwords. You can do so by bringing up the Control Panel by going to the lower left corner of the screen and clicking on the Start button and then click on Control Panel. Once you have the control panel up you should then double click on Internet Options and select the Content tab. Next, click on the AutoComplete button in the Personal Information section. Check the box for “User names and passwords on forms” and uncheck the box for “Prompt me to save passwords”. You should now close Outlook and then restart it and try your password again.

Sometimes you will have a user who is able to receive email without being asked to enter a password but they are unable to send email without getting the password prompt request. The administrator should check the account properties server tab on the outgoing mail server and then, for that end user, uncheck the “My server requires authentication” setting and click OK or hit enter. This should stop the password requests from occurring when sending email.

Creating a New Email Account

Another problem situation can occur if you have any users who are using Microsoft Office Outlook 2007 then you might run into a problem when you go to create a new email account. For instance, when creating a POP3 email account you have the option to specify “Require logon using Secure Password Authentication”. If you do not type in a password and the “Remember password” check box is left unchecked in the Add New Email Account dialog box, then when you go to test your account settings you will be prompted to enter in your credentials. This prompting for credentials will happen every time the user starts Outlook.

What is happening is that Outlook 2007 is not using the logon credentials configured in the Windows operating system.

Microsoft has provided a hotfix package as of April 30, 2009. You can correct the problem by applying the hotfix and set an appropriate value for the AlwaysUseCachedCredsForSPA registry entry. As always, anytime you touch the registry you should always back it up first.

To start the Registry editor go to the bottom left corner of your screen and click Start. Next, click Run and type “regedit” in the Open text field. Click OK or just hit enter. Find the following registry subkey and then click on it:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\InternetMail.

Then, from the Edit menu, move the cursor to New and then click on DWORD Value. You can then type in “AlwaysUseCachedCredsForSPA” and press or hit enter. This procedure will allow you to modify the value for “AlwaysUseCachedCredsForSPA”. Right click on it and then select Modify. Enter a value of “1” in the Value data box and hit enter or click OK. Lastly exit the Registry editor.

As an alternative you can implement a workaround which consists of entering in your credentials when in the “Add New Email Account” dialog box. You can do so by clicking on the “Test Account Settings” and entering in the credentials. Select the “Remember password” check box and type in the password.  This workaround will allow you to not be prompted for the credentials when you test the account settings.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Troubleshooting Outlook Password Problems