Lessons learned from the Premera cyber-attack – Always the same passwords lead to a disaster!

2 April 2015

Do you have a favorite password? Maybe something like ILovePeteSinceFeb2010? Not bad at all, easy to remember, and easy to crack.

When I built my first Windows NT 3.5 domain I had to enforce the password rules of my organization. The rule the users found most annoying was the Password History: we had to configure Windows to remember the last ten passwords.

We started without a Minimum Password Age (the period of time in days that a password must be used before the user can change it again) and found that many users changed their password ten times in a row within a few minutes, flushing the history so that they could return to their favorite password.

When we introduced the minimum password age it came to a near-uprising. Twenty years later, users have become accustomed to a minimum password age of one day.

It is all the more surprising that on some of the Premera systems a minimum password age was not enforced last year. In the Final Audit Report of the United States Office of Personnel Management (OPM), dated 28 November 2014, we read on page 5:

Password History Configuration

Premera has implemented a corporate password policy that is applicable to all information systems on the network. However, we performed automated configuration compliance scans that indicated that several systems did not limit the time between password changes.

This configuration would allow users to circumvent Premera’s password history requirement by changing their password multiple times within a short time period and then reuse their initial password.

That is really bad. A password history of ten entries only protects you when it is combined with a minimum password age; without it, the user can cycle through ten throwaway passwords in one sitting and land back on the old one. If an attacker has guessed or stolen that password, the missing minimum password age and the user's convenience keep his foothold valid: the credential he holds comes back into use after every forced change.

As always we have to deal with people and process issues. The technology was there all along, but it was not used to enforce the rules.
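The check the auditors describe can be reproduced from a domain workstation. The PowerShell below is an added example, not code from the original post or from the audit report: it reads the minimum password age and the password history count from the default domain policy, from any fine-grained password policies, and from the local security policy of a list of member servers (the "several systems" in a scan are usually hosts whose local or GPO-applied policy differs from the domain default), then flags anything that allows the history to be cycled. It assumes the ActiveDirectory RSAT module, rights to query the domain and to run remote commands, and host names and thresholds that are illustrative assumptions; the remediation line at the end is commented out because it changes the whole domain.

```powershell
# Added example: audit minimum password age and password history the way
# the OPM scan would have found them, then (optionally) fix the domain default.
# Assumptions: ActiveDirectory module present, Domain Admin rights, WinRM
# enabled on the member servers; host names and thresholds are illustrative.

Import-Module ActiveDirectory

$RequiredHistory = 10                   # passwords remembered (the figure from the post)
$RequiredMinAge  = New-TimeSpan -Days 1 # one day, as in the post

# Evaluate one policy source and return a finding object.
function Test-PasswordPolicy {
    param(
        [string]$Source,
        [int]$HistoryCount,
        [timespan]$MinAge
    )
    $findings = @()
    if ($MinAge -lt $RequiredMinAge) {
        # With MinAge 0 the user can change the password N+1 times in one sitting
        # and return to the original, which defeats the history entirely.
        $findings += "MinPasswordAge is $($MinAge.TotalDays) day(s): history can be cycled"
    }
    if ($HistoryCount -lt $RequiredHistory) {
        $findings += "PasswordHistoryCount is $HistoryCount (< $RequiredHistory)"
    }
    [pscustomobject]@{
        Source    = $Source
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# 1. The default domain policy.
$default = Get-ADDefaultDomainPasswordPolicy
Test-PasswordPolicy -Source 'Default Domain Policy' `
    -HistoryCount $default.PasswordHistoryCount -MinAge $default.MinPasswordAge

# 2. Fine-grained password policies (PSOs) override the default for the groups they apply to,
#    so a weak PSO is a weak policy for everyone in that group.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicy -Source "PSO $($_.Name)" `
        -HistoryCount $_.PasswordHistoryCount -MinAge $_.MinPasswordAge
}

# 3. Local security policy on member servers. secedit exports the effective local policy;
#    MinimumPasswordAge and PasswordHistorySize live under [System Access].
$hosts = @('srv01', 'srv02')   # assumed host names
Invoke-Command -ComputerName $hosts -ScriptBlock {
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $cfg = Get-Content $inf
    Remove-Item $inf -Force
    $minAge = 0; $history = 0
    foreach ($line in $cfg) {
        if     ($line -match '^MinimumPasswordAge\s*=\s*(\d+)')  { $minAge  = [int]$Matches[1] }
        elseif ($line -match '^PasswordHistorySize\s*=\s*(\d+)') { $history = [int]$Matches[1] }
    }
    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        MinPasswordAgeDays  = $minAge
        PasswordHistorySize = $history
    }
} | ForEach-Object {
    Test-PasswordPolicy -Source $_.Host `
        -HistoryCount $_.PasswordHistorySize -MinAge (New-TimeSpan -Days $_.MinPasswordAgeDays)
}

# 4. Remediate the domain default (uncomment to apply). Hosts whose local policy
#    reported 0 need the same change in the GPO or local policy that governs them.
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
#     -MinPasswordAge $RequiredMinAge -PasswordHistoryCount $RequiredHistory
```

Run it from a host with RSAT installed and compare the three sources: a compliant default domain policy proves nothing about a server that receives its password settings from a different GPO, which is exactly the gap between Premera's corporate policy and what the scan found on individual systems.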

Never say die!

