3 Replies Latest reply on Jan 27, 2014 1:05 PM by SafeBoot

    7.1 PBA Password Recommendations For Infrequent Users?


      Some of our users have laptops with full disk encryption and only use these laptops once every few months when they have a need to work  remotely.  They use their desktops when in the office.  Even though they are not frequently used, they need to have these laptops available to them at home for unplanned after hours use.


      The PBA is currently set to sync with their AD account password.  We have ongoing problems with users turning on their laptops while out of the office after a non-use period of many weeks.  Since the laptop has been powered off for weeks or months, the PBA password is still synced with an AD password that may have been used two or three password changes ago and they cannot remember what that old password was and therefore cannot get past PBA to log into Windows and connect to VPN so that the PBA password can sync with their current AD password.


      They can try self recovery or calling in to the help desk get a remote password reset, but this is a big hassle.  We are considering changing the PBA password policy to something that will work better for these types of users.  Instead of syncing with the Windows password, we are considering changing the policy to be a static password that can be easier for the users to remember (such as a short numeric code), but with only a few tries allowed before it locks out. 

      As long as the users are not allowed to use easily guessable numbers such as 1234, 4321 or 0000, I assume there should be no way for even a simple 4-digit code password (such as 7493 or 2876) to be cracked by brute forcing if the account is locked after only a few tries and therefore, there is no real need for the PBA password to be very complex.  Correct? 


      The laptops do not have fingerprint readers.  They have built-in smartcard readers, but we don't have any plans to implement smart cards because it is very likely some of the users would either carelessly leave the cards in the laptops or store them in the bag with the laptop, which would defeat the purpose of having smart cards if the laptops are lost or stolen.


      Any suggestions for these types of users?


      on 1/26/14 4:00:40 PM CST


      on 1/26/14 4:02:11 PM CST
        • 1. Re: 7.1 PBA Password Recommendations For Infrequent Users?

          Remember, this is a software solution, so if you pick a weak password it can be easily guessed and replayed - the simplest scenario would be for me to steal the machine, image the hard drive, try a few guesses and when it locks, just put the image back and try again... There are only 10,000 4-digit passwords so that will probably take me a day or two tops.


          The lock after n attempts only protects against the forgetful user, it does not protect you from someone with intent, and such a short password probably won't protect you from data disclosure laws as it's not in line with industry recommendations (like NIST 800-111).

          • 2. Re: 7.1 PBA Password Recommendations For Infrequent Users?

            I tried setting it up and it appears there is no way to allow a 4 character numeric password that does not allow sequential or repeating numbers. I tried 1234 as a password and it worked.  Obviously any password that is near the top of most common password lists would be easily guessed.  If I turned on the option to not allow simple passwords, then it uses Windows password rules that make the passwords more complex and so many users cannot remember them, especially if it was a previous password that they have stopped using everywhere else.


            While 1234 would probably be guessed within a few tries and maybe on the first try, a non-repeating, non-sequential number would not.  So suppose we increase from 4 digits to 6 or 8 numbers (but numbers like 123456 or 000000 are not allowed).  If the attacker could only try three times before locking, it would take ages to guess something like 698367 even with an image of the hard drive if they knew the password rules and were not wasting time also trying passwords that do not meet the password rules.  They would really have to have a lot of time on their hands.


            Too bad PBA is not compatible with RSA fob tokens.  Then users could use their existing short PIN and random token numbers generated by the device that they already have to use to connect to VPN and not have another password to remember.


            We have already tried SSO and password synchronization with their Windows login, but we have found this to not work for infrequent laptop users who only use the laptops remotely because, as I said in the first message, the users get locked out of PBA because their Windows password changed on their desktop PCs several weeks earlier and they either don't get the concept of where the PBA password comes from or just can't remember their previous Windows passwords after a few weeks of using the new password.

            • 3. Re: 7.1 PBA Password Recommendations For Infrequent Users?

              Well, for a start those RSA fobs are absolutely worthless for pre-boot auth - they rely on you having a conversation with a remote server - if you were sitting in front of the server which "checks" your answer, you could break it easily - the RSA answers are just a "yes/no" response - unless the server responding yes/no is remote and inaccessible, it does not work at all.


              And, the time you think it would take to replay the image, well, you only really need to revert the changes each time - not the whole disk. Think about a snapshot in VMWare for example.


              So, make an image, try all the attempts, make another image and compare them - now all you have to do is put back the sector or two of data after you lock the password.


              There are more and more optimizations you could make to further speed things up. It's not hard.


              Not sure how I can help you here - if your users can't remember passwords, then the only thing left is to have them call up for credentials when they need them?
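The snapshot-and-revert attack that SafeBoot describes in replies 1 and 3 (image the disk, burn the allowed attempts, compare images, put back only the sector or two that changed), worked through as an added example. This is not code from the thread and not the product's own PBA; the toy on-disk layout (PIN hash in sector 0, attempt counter in sector 1), the lockout threshold of 3 and the PIN 7493 (the original poster's own example) are constructed assumptions. It also counts the 4-digit keyspace after banning the "simple" PINs (repeated digits, straight runs) that reply 2 wants excluded, and shows that the ban barely changes the work for an attacker who can reset the counter.

```python
# Added example, not code from the thread or from the product it discusses.
# A toy model of a software-only pre-boot authentication (PBA) whose
# "lock after N failed attempts" counter lives on the same disk as everything
# else, and an attacker who images the disk once, finds which sectors the
# lockout touches, and puts just those sectors back after every lockout.
# Every name, layout and PIN below is constructed for illustration.
import hashlib

SECTOR = 512
LOCKOUT_AFTER = 3           # attempts the PBA allows before refusing to check
SALT = b"constructed-salt"  # 16 bytes; a real product would use a random salt


class LockedOut(Exception):
    """Raised when the on-disk counter says no more attempts are allowed."""


class ToyPBA:
    """Hypothetical PBA: sector 0 holds salt + SHA-256(salt || PIN),
    sector 1 holds the failed-attempt counter, later sectors are user data."""

    def __init__(self, pin: str, sectors: int = 8):
        filler = b"user-data-" * (SECTOR * sectors // 10 + 1)
        self.disk = bytearray(filler[: SECTOR * sectors])
        record = SALT + hashlib.sha256(SALT + pin.encode()).digest()
        self.disk[0:SECTOR] = record.ljust(SECTOR, b"\0")
        self.disk[SECTOR:2 * SECTOR] = bytes(SECTOR)      # counter starts at 0

    def try_pin(self, guess: str) -> bool:
        counter = self.disk[SECTOR]
        if counter >= LOCKOUT_AFTER:
            raise LockedOut()
        salt, stored = bytes(self.disk[0:16]), bytes(self.disk[16:48])
        if hashlib.sha256(salt + guess.encode()).digest() == stored:
            self.disk[SECTOR] = 0          # correct PIN resets the counter
            return True
        self.disk[SECTOR] = counter + 1    # wrong PIN: counter persisted to disk
        return False


def pin_candidates(digits: int):
    """All-numeric PINs minus the 'simple' ones the thread wants banned:
    a single repeated digit (0000) or a straight run up or down (1234, 4321)."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if steps in ({0}, {1}, {-1}):
            continue
        yield pin


def changed_sectors(before: bytes, after: bytes):
    """Diff two disk images sector by sector (the 'compare them' step)."""
    return [i for i in range(len(before) // SECTOR)
            if before[i * SECTOR:(i + 1) * SECTOR] != after[i * SECTOR:(i + 1) * SECTOR]]


def brute_force(pba: ToyPBA, candidates):
    """Enumerate PINs; whenever the PBA locks, restore only the sectors that
    differ from the clean image and carry on. Returns a summary dict."""
    clean = bytes(pba.disk)      # the one full image the attacker takes
    dirty = None                 # which sectors the lockout touched, learned once
    guesses = restores = 0
    for guess in candidates:
        while True:
            try:
                ok = pba.try_pin(guess)
            except LockedOut:
                if dirty is None:
                    dirty = changed_sectors(clean, bytes(pba.disk))
                for s in dirty:  # revert just the changed sectors, not the disk
                    pba.disk[s * SECTOR:(s + 1) * SECTOR] = clean[s * SECTOR:(s + 1) * SECTOR]
                restores += 1
                continue         # retry the same guess on the reset counter
            guesses += 1
            break
        if ok:
            return {"pin": guess, "guesses": guesses,
                    "restores": restores, "restored_sectors": dirty}
    return {"pin": None, "guesses": guesses,
            "restores": restores, "restored_sectors": dirty}


if __name__ == "__main__":
    print("4-digit PINs left after banning simple ones:", len(list(pin_candidates(4))))
    print(brute_force(ToyPBA("7493"), pin_candidates(4)))
```

Banning repeated and sequential PINs removes only 24 of the 10,000 four-digit codes, so 9,976 remain, and the lockout costs the attacker one sector write per three guesses rather than stopping the search. The same loop works unchanged for 6- or 8-digit PINs; only the candidate count grows, which is why the length of the PIN, not the lockout counter, is what an offline attacker is actually up against.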