Why administrative passwords will never be like nuclear missile launchers

re: Why administrative passwords will never be like nuclear missile launchers

Pornsak — Tue, 21 Nov 2006 15:42:10 GMT

It's great to see you posting again. The Trustworthy Administrator article is an interesting read!

re: Why administrative passwords will never be like nuclear missile launchers

Wayne McGlinn — Wed, 22 Nov 2006 01:43:38 GMT

I've seen an implementation of this down here Steve. The Enterprise Admin and Schema Admin password is broken into 2; 1 admin enters the first half, a second admin enters the second half. This is in a DoD environment, they're anal about security and do *not* trust anyone.

re: Why administrative passwords will never be like nuclear missile launchers

Squidge — Wed, 22 Nov 2006 01:50:02 GMT

But you've got to admit, the idea of having the "two keys" option to some uberadmin account really does seem cool sometimes! The whole two keys ten meters apart thing really does endow the keyholder with a real sense of importance they may otherwise not get elsewhere :) People, in my experience, are led almost solely on how secure they perceive themselves/their companies to be, so often in ignorance of the "real" truth - buying this kind of mumbo jumbo increases their perceived level of security and makes them happy. This is only really ever challenged if companies are ever hacked AND that they actually discover this. But does it matter? Many small to mid sized companies make a good "script kiddie" targets but are of little interest to other commercial organisations. Should they care? When does security become philosophy? ;)

re: Why administrative passwords will never be like nuclear missile launchers

Steve Riley — Wed, 22 Nov 2006 02:52:52 GMT

WAYNE-- It still isn't the same thing. In the silo, even if one person obtains both keys, that person can't launch the missile because his arms won't span the distance between the switches. The silo always requires two "authenticators." A split password is still only a single authenticator from the point of view of the secured device; the device has no proof or even knowledge that the single authenticator is divided in half with each half given to individual humans. Because the device can't enforce the security model, sufficiently motivated humans can defeat it. There's also no way to audit which human entered which half.

SQUIDGE-- "When does security become philosophy?" As far as I see it, these are synonyms :)

re: Why administrative passwords will never be like nuclear missile launchers

Scotty — Thu, 23 Nov 2006 21:12:36 GMT

I have used and on occasions mandated the password split into two parts because (a) perception of security mattered in the project being delivered - ah the politics of project delivery (b) doing so provided at least a slowdown in attacking the account in questions as both safes / teams in management of the safes needed to be compromised or persuaded to act together.

Doing this can be of value in some situations but only delivers incremental increase in security, if that, on the never ending path toward security and sometimes a little is a lot better than nothing at all.

re: Why administrative passwords will never be like nuclear missile launchers

Tim — Fri, 24 Nov 2006 23:29:25 GMT

I saw a movie once (the name has escaped me) that presented a scenario to overcome the two-key system. One missile control operator shot the other then used a long pole with a clamp on the end to turn the dead operators key while using his other hand to turn his own key. In the movie the operator assembled the pole and clamp from parts in a duffle bag he brought in with him that had personal items like his lunch. I wonder if after this movie NORAD stopped allowing operators to brown bag it?

re: Why administrative passwords will never be like nuclear missile launchers

Steve Riley — Sun, 26 Nov 2006 07:25:07 GMT

Are there really only the two operators in the control room? I thought there'd be a lot more folks hanging around, meaning that if Alice shot Bob, someone else almost certainly would immediately shoot Alice. Assuming that folks in the control room can be armed, of course.

re: Why administrative passwords will never be like nuclear missile launchers

oliverre — Tue, 28 Nov 2006 12:18:35 GMT

In my opinion the post assumes that a malicious person could find out the two passwords. In that case the physical security of a missile launches is certainly not given. But still, with two passwords spread on two admins, this certainly increases security against intentional or unintentional internal tampering with the system, because one need to find out the two passwords first (or in case of the malicious person being one of the admins, need to find out the second password).

re: Why administrative passwords will never be like nuclear missile launchers

mg — Fri, 08 Dec 2006 20:39:31 GMT

What about biometrics? I’ve worked in environment where three administrators each typed one third of a password - we really wanted an n of m scenario (3 of 7 administrators had to authenticate for example) but that’s not so easy to do just using a split password. Seems like a system with 2 (or more) fingerprint scanners would fill the need (or one reader that required 2 unique fingerprints within a few seconds of one another).

…and I partially agree with Squidge – the benefit of “high security” is largely perception – most “normal” measures can be mitigated pretty easily, but having highly visible security measures in place at least makes people think twice about the importance of what they doing… it’s not so much about “happiness” though, it’s about keeping people aware of the sensitivity of their work.

Complexity of authentication ("the Password problem")

The things that are better left unspoken — Tue, 19 Dec 2006 12:53:58 GMT

Many IT people I know require their users to come up with complex passwords and require them to change

re: Why administrative passwords will never be like nuclear missile launchers

lsw — Fri, 22 Dec 2006 12:38:56 GMT

There is a term for the ' missile control-style passwords'. It is known as 'dual control' passwords.

Dual controlling passwords is not foolproof or itself, a system preventive control. When implementing this, the parties involved must change the password and a process must be in place to regularly change the passwords.

There should also be a strong change control and monitoring process, to track the usage and activities of powerful IDs to ensure that they are authorized.

While most folks will screamed 'what the hell', this is in fact a good practice and it can be used to protect good administrators when things go wrong. Then, they can safely say, it's not me cause I do not have the full password to do anything crazy.